Showing posts from March, 2006

SANS - Hacker Track

SANS Track 4 Notes, Comments
Day 1 – Incident Handling

Sample incident forms are available at http://www.sans.org/incidentforms/
GIAC practicals are available at http://www.giac.org/GCIH.php and contain good working examples.
Protect Evidence – get the user away from the machine ASAP to keep the machine unchanged until you can image the drive. Keep the original stored in a safe place and maintain a chain of evidence.
Verify backup integrity to ensure you are not restoring a compromised image.
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Keep up to date on privacy laws; European laws are radically different from US laws.
IDS, depending on the vendor, may be able to monitor encrypted VPN traffic.
Always strive to raise security awareness with management.
Honeynet – for training purposes it may be useful to set up a vulnerable system and intentionally let it be compromised to develop the team's investigative skills.
Nice Trojan Port list http://www.dark-e.co

Hacking Exposed Notes

Footprinting – profiling an organization's Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline
    Unix – Wget http://www.gnu.org/software/wget/wget.html
    Win – Teleport Pro http://www.tenmax.com/teleport/home.htm

Search Engines – tools for searching multiple engines, IRC, email, etc. at once
    Win – FerretPRO ($) http://www.ferretsoft.com
    Web – DogPile http://www.dogpile.com

Registered Networks – internet whois searches
    Current Registrars http://www.internic.net/alpha.html
    Unix – Whois, Xwhois http://c64.org/~nr/xwhois/
    Unix – $ whois "acme."@whois.crsnic.net (list possible domains)
    Unix – $ whois "HANDLE JS1234"@whois.networksolutions.com (list POC info)
    Unix – $ whois "@acme.net"@whois.networksolutions.net (list email info)
    Web – US http://www.arin.net
    Web – International http://www.allwhois.com
    Web – US Military http://whois.nic.mil
    Web – US Gov http://whois.