

Showing posts from April, 2008

Real Digital Forensics

by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save collected data to the suspect system's own hard disk: every write risks overwriting evidence (for example, the unallocated space that still holds deleted files). Send each command's output over the network to the forensic workstation instead.

Always hash with md5sum -b so the file is read in binary mode. In text mode a Windows build may translate CRLF line endings, and the resulting hash would not match a hash of the same bytes taken anywhere else.

cryptcat's -k option sets the encryption key for the netcat-style channel between the victim and the forensic workstation. Both ends must be started with the same key; without -k cryptcat falls back to its well-known default key (metallica), so never run it without one.

Volatile Data

* system date and time
* current network connections
* open TCP and UDP ports
* which executables own the open TCP and UDP ports
* cached NetBIOS name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps
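The collection procedure above (trusted tools, output sent over the network rather than written to the local disk, hashes taken on the workstation) as one script. This is an added example, not code from the book or from this post. It assumes a write-protected toolkit at $Toolkit holding trusted copies of cmd.exe, netstat.exe, nbtstat.exe, route.exe, schtasks.exe and the Sysinternals pslist, psloggedon, psservice and psfile, and an analyst workstation at $Workstation running one listener per artifact; the addresses, paths and artifact names are placeholders. Process memory dumps are left out because userdump writes a file rather than streaming to stdout.

```powershell
# Added example, not from the book or the blog post: a Windows live-response collector that
# runs each volatile-data command from a trusted toolkit and streams its raw output over TCP
# to the forensic workstation. Nothing is written to the suspect host's disk.
# Assumptions: $Toolkit holds trusted copies of cmd.exe, netstat.exe, nbtstat.exe, route.exe,
# schtasks.exe and the Sysinternals pslist/psloggedon/psservice/psfile; $Workstation/$Port is
# the analyst's listener, restarted per artifact (traditional netcat: nc -l -p 2222 > netstat.txt).
param(
    [string]$Workstation = "192.168.1.10",  # assumption: analyst workstation address
    [int]$Port = 2222,
    [string]$Toolkit = "E:\tools"           # assumption: write-protected CD/USB with trusted tools
)

# Volatile data in the order the book lists it; every tool is run from $Toolkit, never from %PATH%.
# The date/time is taken again at the end so the collection window is bracketed.
$Artifacts = @(
    @{ Name = "datetime";     Exe = "cmd.exe";        Args = @("/c", "date /t & time /t") },
    @{ Name = "netstat";      Exe = "netstat.exe";    Args = @("-ano") },      # connections, listening ports, owning PID
    @{ Name = "nbtstat";      Exe = "nbtstat.exe";    Args = @("-c") },        # cached NetBIOS name table
    @{ Name = "loggedon";     Exe = "psloggedon.exe"; Args = @("-accepteula") },
    @{ Name = "route";        Exe = "route.exe";      Args = @("print") },     # internal routing table
    @{ Name = "pslist";       Exe = "pslist.exe";     Args = @("-accepteula", "-t") },
    @{ Name = "services";     Exe = "psservice.exe";  Args = @("-accepteula") },
    @{ Name = "schtasks";     Exe = "schtasks.exe";   Args = @("/query", "/v", "/fo", "LIST") },
    @{ Name = "openfiles";    Exe = "psfile.exe";     Args = @("-accepteula") },
    @{ Name = "datetime_end"; Exe = "cmd.exe";        Args = @("/c", "date /t & time /t") }
)

function Send-Artifact {
    param([hashtable]$Artifact)
    $exe = Join-Path $Toolkit $Artifact.Exe
    if (-not (Test-Path -LiteralPath $exe)) { throw "trusted binary missing: $exe" }
    $argLine = $Artifact.Args -join " "

    # Tell the operator which listener to start; retry until the workstation accepts.
    Write-Host "[*] $($Artifact.Name): start listener on ${Workstation}:$Port, then sending: $exe $argLine"
    $client = $null
    while ($null -eq $client) {
        try   { $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Workstation, $Port }
        catch { $client = $null; Start-Sleep -Seconds 1 }
    }
    $net = $client.GetStream()

    # The first line of each artifact records exactly what was run; the workstation's
    # md5sum -b then covers header and output together.
    $header = [System.Text.Encoding]::ASCII.GetBytes("### $($Artifact.Name): $exe $argLine`r`n")
    $net.Write($header, 0, $header.Length)

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $exe
    $psi.Arguments = $argLine
    $psi.UseShellExecute = $false
    $psi.RedirectStandardOutput = $true
    $psi.CreateNoWindow = $true
    $proc = [System.Diagnostics.Process]::Start($psi)

    # Copy the tool's stdout as raw bytes: no PowerShell string pipeline in between, so no
    # line-ending or encoding rewrite between the tool and the listener.
    $src = $proc.StandardOutput.BaseStream
    $buf = New-Object byte[] 8192
    while (($n = $src.Read($buf, 0, $buf.Length)) -gt 0) { $net.Write($buf, 0, $n) }
    $proc.WaitForExit()
    $net.Close()
    $client.Close()
    Write-Host "[+] $($Artifact.Name) sent (exit code $($proc.ExitCode))"
}

foreach ($a in $Artifacts) { Send-Artifact $a }
```

On the workstation, start a listener before each artifact and hash the file as soon as it closes, for example `nc -l -p 2222 > netstat.txt; md5sum -b netstat.txt >> hashes.txt`, so the hash is computed by trusted tools on trusted hardware. The script uses a plain socket, which is equivalent to piping into netcat; if the link must be encrypted, replace the socket with an invocation of the trusted cryptcat.exe from the toolkit and start both ends with the same -k key.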

To truly verify a system binary you must compare its hash with one obtained from a trusted source (a known-good copy or the vendor's published hashes). A hash computed on the suspect system with the suspect system's own tools proves nothing, since a compromised tool can report whatever the attacker wants.

A common attack alters a server's routing table so that traffic is redirected along a path the firewall does not inspect; this is why the internal routing table is on the volatile-data list.

FireDaemon turns any executable into a Windows service, so an attacker can use it to have a backdoor start at boot under an innocuous service name; that is one reason the list of running services belongs in the volatile data.

userdump.exe will capture memory space used by any running process. userdump output cannot be sent via netcat, so y…