Showing posts from April, 2008

Real Digital Forensics

Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save data locally on the hard drive, as there is a chance you may be overwriting evidence.

Always use the -b option with md5sum, to perform the hash in binary mode.

The -k option with cryptcat allows you to set the encryption password.

Volatile Data
 * system date and time
 * current network connections
 * open tcp and udp ports
 * which executables are opening tcp and udp ports
 * cached netbios name table
 * users currently logged on
 * internal routing table
 * running processes
 * running services
 * scheduled jobs
 * open files
 * process memory dumps

To truly verify a system binary, you must compare its hash with one from a trusted source.

A common attack involves changing a server's routing table to redirect traffic and bypass firewalls.

Firedaemon turns any process into a service.

userdump.exe will capture the memory space used by any running process. userdump output cannot be