Real Digital Forensics
by Keith Jones, Richard Bejtlich, and Curtis Rose
1 - Windows Live Response
Never save collected data to the suspect system's local hard disk; every write risks overwriting evidence (unallocated clusters, slack space, deleted files). Push each tool's output over the network to the forensic workstation instead.
Always use the -b option with md5sum so the hash is computed in binary mode, with no text-mode newline translation that would change the digest.
The -k option with cryptcat sets the shared secret used to encrypt the channel, so collected data is not readable by anyone sniffing the wire.
Volatile Data
* system date and time
* current network connections
* open TCP and UDP ports
* which executables opened those TCP and UDP ports
* cached NetBIOS name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps
To truly verify a system binary, compare its hash with a hash taken from a trusted source; a matching file name, size or timestamp proves nothing.
A common attack changes a server's routing table to redirect traffic and bypass firewalls, which is why the routing table is collected as volatile data.
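The following is an added example, not code from the book: it reimplements in Python the collection channel the tips above describe (responder runs a tool and pipes it into netcat; the workstation listens, writes the stream to its own disk, and hashes the file in binary mode), and the trusted-hash comparison used to verify a binary. The sample `netstat -an` output, the file names and the `collect`/`verify_binary` helpers are constructed for illustration; the real procedure uses netcat or cryptcat, not this script.

```python
"""Added example (not from the book): the netcat-style live-response channel.

Responder side:   `netstat -an | nc FORENSIC_IP PORT`   -> send_output()
Workstation side: `nc -l -p PORT > netstat-an.txt`       -> receive_to_file()
Afterwards the workstation hashes every file in binary mode (md5sum -b).
Runs entirely on loopback so it can be exercised offline.
"""
import hashlib
import os
import socket
import tempfile
import threading


def md5_binary(path):
    """Hash a file opened in binary mode, the equivalent of `md5sum -b`."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_bytes(data):
    """Hash an in-memory byte string (used to cross-check the file hash)."""
    return hashlib.md5(data).hexdigest()


def open_listener(port=0):
    """Bind a TCP listener on the workstation; port 0 lets the OS pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def receive_to_file(srv, out_path, timeout=10):
    """Accept one connection and write everything received to out_path.

    Only the workstation's disk is written; the responder's disk is untouched.
    Returns the number of bytes written.
    """
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    total = 0
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # peer half-closed: end of the tool's output
                break
            f.write(chunk)
            total += len(chunk)
    srv.close()
    return total


def send_output(host, port, data):
    """Responder side: push a tool's stdout over the wire, then half-close so
    the listener sees EOF (what `tool | nc host port` does)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def collect(name, data, out_dir):
    """One collection step end to end; returns (path, md5 of the saved file).
    `data` stands in for the stdout of a tool such as `netstat -an`."""
    srv = open_listener()
    port = srv.getsockname()[1]
    out_path = os.path.join(out_dir, name)
    t = threading.Thread(target=receive_to_file, args=(srv, out_path))
    t.start()
    send_output("127.0.0.1", port, data)
    t.join()
    return out_path, md5_binary(out_path)


def verify_binary(path, trusted_md5):
    """A system binary is trusted only if its hash matches a known-good one."""
    return md5_binary(path) == trusted_md5.lower()


# Constructed sample output standing in for `netstat -an` on the suspect host.
SAMPLE_NETSTAT = (b"Active Connections\r\n\r\n"
                  b"  Proto  Local Address          Foreign Address        State\r\n"
                  b"  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\r\n")


def demo():
    """Collect the sample output into a temp directory on the 'workstation'."""
    out_dir = tempfile.mkdtemp(prefix="live_response_")
    return collect("netstat-an.txt", SAMPLE_NETSTAT, out_dir)


if __name__ == "__main__":
    path, digest = demo()
    print(f"{digest}  {path}")
```

The half-close in `send_output` is the detail that matters: without it the listener never sees EOF and the file is never finalized, which is exactly the hang people hit when a tool keeps stdout open. MD5 is what the book's tooling produces; for a manifest made today, record SHA-256 alongside it, since MD5 collisions are practical.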
Firedaemon turns any process into a service
userdump.exe captures the memory space of any running process. userdump output cannot be sent via netcat, so y…