Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Baselining Windows and Comparative Analysis: Quick and Easy Kevin Fuller May 2012.

Published byOlivia Riley Modified over 9 years ago

Similar presentations

Presentation on theme: "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Baselining Windows and Comparative Analysis: Quick and Easy Kevin Fuller May 2012."— Presentation transcript:

1 1 SANS Technology Institute - Candidate for Master of Science Degree 1 Baselining Windows and Comparative Analysis: Quick and Easy Kevin Fuller May 2012 GIAC GSEC, GCIA, GCIH Gold, GAWN, GSNA Gold, GPEN, GWAPT

2 SANS Technology Institute - Candidate for Master of Science Degree 2 System Baselining Measurement of System Information Point in Time Well Defined Supports other activities System performance measurements Troubleshooting Forensics Incident Response

3 SANS Technology Institute - Candidate for Master of Science Degree 3 The Benefit of System Baselining Troubleshooting –Configuration Management Audit –Baseline against audit technical standards –Re-measure against baseline for compliance Incident Handling/Forensics –Differences in known state - compromise

4 SANS Technology Institute - Candidate for Master of Science Degree 4 The Challenge Time consuming process –Manual processes –Different tools –Different output formats The result –Not done –Focus on certain measurements –Familiarity with the system

5 SANS Technology Institute - Candidate for Master of Science Degree 5 A Solution Commercial Product? –Expensive –What is under the hood Free and open source A combination of tools –Windows Forensics Toolkit –KDiff3

6 SANS Technology Institute - Candidate for Master of Science Degree 6 Windows Forensics Toolchest (WFT) Created by Monty McDougal Forensics information collection tool Automated batch processing script –Windows tools –Third party tools Organizes output into folder structure –HTML and text

7 SANS Technology Institute - Candidate for Master of Science Degree 7 KDiff3 Created by Joachim Eibl Comparative analysis tool –Two and three way comparative analysis –Line by line –Character by character It can also do a comparative analysis of folders as well as files

8 SANS Technology Institute - Candidate for Master of Science Degree 8 WFT Setup wft –fetchtools Copies Windows tools by version Helix Internet download wft –fixcfg Tools inventory Hash check Save output to second.cfg file Overwrite wft.cfg with second.cfg

9 SANS Technology Institute - Candidate for Master of Science Degree 9 Using WFT Default start = Interactive mode Series of questions Defaults good enough Volume C on multi-volume systems Output Organized by System Name, date/time HTML output Text output

10 WFT SANS Technology Institute - Candidate for Master of Science Degree 10

11 SANS Technology Institute - Candidate for Master of Science Degree 11 WFT HTML Report

12 SANS Technology Institute - Candidate for Master of Science Degree 12 Running KDiff3 Must be installed on a Windows system Load original baseline and latest run –Select the output directory –Use text versions Lines up the files(s) content –Differences noted –Details color coded

13 KDiff3 SANS Technology Institute - Candidate for Master of Science Degree 13

14 Gotchas Some tools missing after setup Helix version Windows 7 –UAC –Some tools will not work False Positives You must still analyze the output! SANS Technology Institute - Candidate for Master of Science Degree 14

15 SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Budget constraints, increased threats System baselining is more important than ever Tools such as WFT and KDiff3 can increase efficiencies through automation The output still must be analyzed For more information see “ Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response” in the SANS Reading Room ( http://bit.ly/AkBHJd ) http://bit.ly/AkBHJd

Download ppt "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Baselining Windows and Comparative Analysis: Quick and Easy Kevin Fuller May 2012."

Similar presentations

Easily retrieve data from the Baan database

Easily retrieve data from the Baan database
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Steganography Then and Now John Hally May 2012 GIAC GSEC, GCIA, GCIH, GCFA, GCWN,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Steganography Then and Now John Hally May 2012 GIAC GSEC, GCIA, GCIH, GCFA, GCWN,
ENOVIA SmarTeam Data Loading Strategies

ENOVIA SmarTeam Data Loading Strategies
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is.
Getting Started: Ansoft HFSS 8.0

Getting Started: Ansoft HFSS 8.0
This presentation is intended as a detailed WebEx, to bring potential customers to an understanding of Dream Report capabilities. This presentation focuses.

This presentation is intended as a detailed WebEx, to bring potential customers to an understanding of Dream Report capabilities. This presentation focuses.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Winmail.dat what it is and what to do with it This guide tells you all about winmail.dat files and the WMDecode decoder Instructions for installing WMDecode.

Winmail.dat what it is and what to do with it This guide tells you all about winmail.dat files and the WMDecode decoder Instructions for installing WMDecode.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 The Afterglow Effect and Peer 2 Peer Networks Jay Radcliffe June 2010 GIAC: GSEC.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 The Afterglow Effect and Peer 2 Peer Networks Jay Radcliffe June 2010 GIAC: GSEC.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
MCITP: Microsoft Windows Vista Desktop Support - Enterprise Section 1: Prepare to Deploy.

MCITP: Microsoft Windows Vista Desktop Support - Enterprise Section 1: Prepare to Deploy.
GNE: Global NEWS Modeling Environment What it is / what it’s not How it works Components, samples Installation NEWS 2 Implementation Emilio MayorgaMay.

GNE: Global NEWS Modeling Environment What it is / what it’s not How it works Components, samples Installation NEWS 2 Implementation Emilio MayorgaMay.
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.

EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.

Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.
The easy way to a nice looking website design By a total non-designer (Me!)

The easy way to a nice looking website design By a total non-designer (Me!)
Simple Web SQLite Manager/Form/Report

Simple Web SQLite Manager/Form/Report
Online Surveys A Look at Cardiff-TeleForm Denise H. Wells Planning and Research Central Piedmont Community College.

Online Surveys A Look at Cardiff-TeleForm Denise H. Wells Planning and Research Central Piedmont Community College.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

Similar presentations

Ads by Google