• Home

  • Documents

  • Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response,...
43
Digital Forensics, Incident Response, and Cloud Computing Troy Larson Azure | MSRC Microsoft Corp.

Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

  • Upload
    hadiep

  • View
    261

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

DigitalForensics,IncidentResponse,and

CloudComputingTroyLarson

Azure|MSRCMicrosoftCorp.

Page 2: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•MSRC|Azure• Securityincidentresponseinvestigations.• Forensics@Microsoft.• Compromise|Intrusion|Breach.• Forensicsandincidentresponseinvestigationsforthecloud.

Page 3: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

What is cloud computing?

• Insider’sviewofcloudcomputing:• Technologyoverview.• Policy.• ForensicsandIncidentresponse.• Practices.• Challenges.• Opportunities.

Page 4: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

What is cloud computing?

Page 5: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

What is cloud computing?

•Automated datacenter,wheremachines are-• Deployedbymachine.•Managedbymachine.•Monitoredbymachine.• Forservices.• Fortenants.

Page 6: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Cloud Compute

Page 7: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Vacation Resources

Page 8: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Collectionofautomateddatacenters.•Primaryresources:• Compute.• Storage.• Network.

Page 9: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Datacenters.•Clusters.• Nodes(blades).

Page 10: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Computenode(hostserver).

Page 11: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Virtualmachine,fromthehost.

Host

Memory

Media

GPA1 GPA2

VHD1 VHD2

VHD1 VHD2

Page 12: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Thepersistent virtualharddrive.

Page 13: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Thevirtualharddrive.• Tothehost,afile.• Tothevirtualmachine,aphysicaldisk.• Partitionedandformattedtocreatevolumesandfilesystems.• Canbeorganizedlikephysicalharddrives:• Singledisks.• Dynamicvolumes—volumesspanningvirtualdisks.• RAID.

Page 14: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Virtualmachinememory.

PageFileonVHD

Page 15: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Virtualmachine,fromwithin.

Memory

C:\ D:\

Page 16: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Azure Technical Overview

•Differentviewpoints.•Onthehostsideofthehypervisor:• Memoryisguestphysicaladdressspace.• Disksarefiles.

•Ontheguestsideofthehypervisor:• Memoryconsistsofvirtualandphysicaladdressspace.• Diskappearasphysicalandlogicalmedia.

Page 17: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Policy

Page 18: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Policy

•Cloudadministratorsandsecurityteams:• ExtremelylimitedvisibilityintowhatishappeningwithtenantVMs.

• Tenantadministratorsandsecurityteams:• CompletevisibilityintowhatishappeningontheirVMs.• NovisibilityintowhatishappeningonothertenantVMsorhostorinfrastructure.

• Securityresponsibilityfollowsownership.

Page 19: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Policy

•Security.• SharedSecurityModel:• Management.• Ownership.

Page 20: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Policy

•Securityincident.

TOR TOR TOR TOR TOR

Network

Page 21: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

EvidenceAcquisitionof

Cloud-BasedMachines

Page 22: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Virtualmachines,acquisition.

Page 23: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

Host/VM•Memory• AsGPA.• Assavedstatefile(s).

•Media• Asfiles.• Asblobs.

• Network• Fromvirtualswitch.

Guest/VM•Memory• Live.

•Media• Asphysicalorlogicaldisks.• Asblobs.

• Network• Live.

Page 24: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

Host/VM• Runningorstopped.• Statecanbefrozen.*• Nocollectionartifacts.*• Consistentmemoryanddiskimages.*

Guest/VM• Running.• Stateisdynamic.• Collectionartifacts.• Inconsistentmemoryanddiskimages.

GPAVHD

VHDC:\

D:\

Memory

Page 25: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

Host/VM

•Cloudprovider.

Guest/VM

• Tenant.

Page 26: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Tenantevidenceacquisition:• Standardremotecollectionproceduresandtoolsshouldworkforacquiringcloud-basedVMs.*•Blobstorageofvirtualdisksallowsforquickacquisitionorsnapshotsofvirtualdisks.• Equivalentto,orbetterthan,currententerpriseremoteevidencecollectioncapability.*

Page 27: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloudinfrastructure.• Consistsofhundredsofthousandsofphysicalmachines.• HugeamountsofRAM.*• Hugeamountsofdiskstorage.*• Noveldiskstoragetechnologies.*• Underextremelyheavyload.*

• Canexceedthecapabilityofcurrentforensicstoolsandpractices.

Page 28: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloudinfrastructure.• Networkisnotastandardcorporatenetwork.• Nodomainauthentication.• Segmented.• Firewalled.

• Standardenterpriseremoteevidencetoolsandproceduresoftenwillnotwork.

Page 29: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

ForensicAnalysisOf

Cloud-BasedMachines

Page 30: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloudmachines:• Usestandardoperatingsystems.• Common,wellknownfilesystems,filetypes,structures,andstrings.• Amenabletostandardanalyticaltoolsandprocedures.• Subjecttocompromise,breach,andothercommonsport.

Page 31: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Securityincidentresponseandstateless virtualmachines.• PAASdesignedtobestateless.• Scalabilityandfaulttolerance.• Persistentdatagoestostorage.• Newinstancestartsclean.

• Remediationbycommandline.•Whatisthepointofdoingforensicsorotherin-depthsecurityincidentinvestigation?

Page 32: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloud(virtual)machineadvantages.• Fromhost:• Fullyconsistentmemorydumps.• Fullyconsistentdrive(volume)images.• Statefiles.

• Bytenant:• Fullyconsistentdriveimagesfromstorage.*

Page 33: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

• Issuesofscaleandscalability.• Cloudinfrastructureisvast.• Cloudenvironmentismorevast.• Virtualentitiescanbedynamic,andendpointsephemeral.

• Tenantdeploymentscanbevastanddynamic,too.

Page 34: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloud-readyincidentresponseandforensics:•Mustbeabletoworkatscale.•Mustbescalable—monitoring,triage,loganalysis,forensics.*

•Problem:• DF/IRisdependentonsubjectmatterexpertise.• Subjectmatterexpertsdonotscalewell.*

Page 35: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

Researchtopics.

Page 36: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Whatisnormal?*

Theanalyticalopportunitiesofscale.

*JesseKornblumhttps://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-jesse-kornblum-computer-forensic-tool-panel.pdf

Page 37: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Cloudmachines|“Roles”|n identicalinstances.• Role instances:• xyz-service-01_of_200• xyz-service-02_of_200• xyz-service-03_of_200• ...• xyz-service-56_of_200

Page 38: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•RoleInstances:• SameOSVHD.• Samehardwareanddrivers.• Sameconfigurationsettings.• Sameapplicationsandservices.• Sameprocessesandcommandlines.• Sameevents.

Page 39: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Processescreationevent(SecEventID4688):• Newprocessnameandpath.• Parentprocess.• Commandline.• Accountthatlaunchestheprocess.

•Whatprocessesruninexactlythesameway,onallroleinstances?

Page 40: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Role-specific,eventbaselines:• Identical4688events,acrossallinstances(perrole),showwhatruns,how,bywhataccount.• Whatisnormalforanyinstanceofthatrole.• Usage:Compareindividualtotheherd.• Detectionandmonitoring.• Liveanalysisandtriage(e.g.,Kansa).• Memoryforensics.• Diskforensics.

Page 41: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Role-specific,eventbaselines:• Signaltonoise:non-identical4688events.• Uniqueforaroleinstance.• Anomalous,mayindicatesecurityissue.• Usage:Whatstandsoutagainsttheherd.• Detectionandmonitoring.• Hunting.

Page 42: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

•Whatotherherdbehaviorcanindicatenormalorhighlightanomalies?• Taskschedulerandserviceevents.• Objectaccessevents?• Logon,sourceIPaddress?• Errorandfailureevents?• IPFIX?• Prefetch?• Amache.hve?

Page 43: Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer

Forensics, Response, Cloud Computing

Questions?


Adapting Incident Response to Meet the Threat Jeff Schilling Director, Global Incident Response and Digital Forensics SecureWorks

Adapting Incident Response to Meet the Threat Jeff Schilling Director, Global Incident Response and Digital Forensics SecureWorks

Documents
Memory Forensics During Incident Response

Memory Forensics During Incident Response

Documents
Incident Response: Network Forensics

Incident Response: Network Forensics

Education
Trends in Digital Forensics & Incident Response · Several Incident Response or Incident Handling frameworks One popular approach has 6 steps Steps 1 & 2 are Preparation and Identification

Trends in Digital Forensics & Incident Response · Several Incident Response or Incident Handling frameworks One popular approach has 6 steps Steps 1 & 2 are Preparation and Identification

Documents
Security Incident Response and Forensics on AWS

Security Incident Response and Forensics on AWS

Technology
Digital Forensics and Incident Response · Digital Forensics and Incident Response Christian August Holm Hansen @UIO 6.3.17 /> whoami Christian August Holm Hansen: • M.Sc. NTNU/Eurécom

Digital Forensics and Incident Response · Digital Forensics and Incident Response Christian August Holm Hansen @UIO 6.3.17 /> whoami Christian August Holm Hansen: • M.Sc. NTNU/Eurécom

Documents
PACB One-Day Cybersecurity Workshop · PACB One-Day Cybersecurity Workshop INCIDENT RESPONSE AND ... No standard incident response form Missing Forensics Support ... Computer Forensics

PACB One-Day Cybersecurity Workshop · PACB One-Day Cybersecurity Workshop INCIDENT RESPONSE AND ... No standard incident response form Missing Forensics Support ... Computer Forensics

Documents
ARMOR INCIDENT RESPONSE AND FORENSICS (IRF) · ADDITIONAL INCIDENT RESPONSE & FORENSICS SERVICES In the event your organization does not use all its purchased IRF time blocks within

ARMOR INCIDENT RESPONSE AND FORENSICS (IRF) · ADDITIONAL INCIDENT RESPONSE & FORENSICS SERVICES In the event your organization does not use all its purchased IRF time blocks within

Documents
The SANS Survey of Digital Forensics and Incident Response

The SANS Survey of Digital Forensics and Incident Response

Documents
Incident Response Preparedness: Best Practices - lba.org Crocker - Incident Response - Are... · Sr. Incident Response Consultant, Incident Response & Digital Forensics . SecureWorks

Incident Response Preparedness: Best Practices - lba.org Crocker - Incident Response - Are... · Sr. Incident Response Consultant, Incident Response & Digital Forensics . SecureWorks

Documents
Incident Response & Computer Forensics / Prosise ...media.techtarget.com/searchNetworking/Downloads/IncidentResponse... · 218 Incident Response & Computer Forensics ... The current

Incident Response & Computer Forensics / Prosise ...media.techtarget.com/searchNetworking/Downloads/IncidentResponse... · 218 Incident Response & Computer Forensics ... The current

Documents
Distributed forensics and incident response in the …research.google.com/pubs/archive/37237.pdf · Distributed forensics and incident response in the enterprise M.I. Cohen*, D. Bilby,

Distributed forensics and incident response in the …research.google.com/pubs/archive/37237.pdf · Distributed forensics and incident response in the enterprise M.I. Cohen*, D. Bilby,

Documents
CLOUD FORENSICS WITH F-RESPONSE · PROVIDING CLOUD FORENSICS VIA F-RESPONSE Page 3 8/19/2013 CHALLENGE When it comes to performing Incident Response or Computer Forensics Services

CLOUD FORENSICS WITH F-RESPONSE · PROVIDING CLOUD FORENSICS VIA F-RESPONSE Page 3 8/19/2013 CHALLENGE When it comes to performing Incident Response or Computer Forensics Services

Documents
The SANS Survey of Digital Forensics and Incident Response · PDF fileThe SANS Survey of Digital Forensics and Incident Response ... lack of specialized tools, ... Program 1 The SANS

The SANS Survey of Digital Forensics and Incident Response · PDF fileThe SANS Survey of Digital Forensics and Incident Response ... lack of specialized tools, ... Program 1 The SANS

Documents
Chapter 1 Computer Forensics and Incident Response Essentials · PDF fileChapter 1 Computer Forensics and Incident Response Essentials In This Chapter Catching the criminal: the basics

Chapter 1 Computer Forensics and Incident Response Essentials · PDF fileChapter 1 Computer Forensics and Incident Response Essentials In This Chapter Catching the criminal: the basics

Documents
Incident Response & Computer Forensics

Incident Response & Computer Forensics

Documents
Distributed forensics and incident response in the enterprise · 2017-01-27 · Distributed forensics and incident response in the enterprise M.I. Cohen*, D. Bilby, G. Caronni Google

Distributed forensics and incident response in the enterprise · 2017-01-27 · Distributed forensics and incident response in the enterprise M.I. Cohen*, D. Bilby, G. Caronni Google

Documents
Incident response and forensics - Flexential · Incident response and forensics To learn more about Flexential services, contact us at 877.448.9378 or sales@flexential.com • 24/7

Incident response and forensics - Flexential · Incident response and forensics To learn more about Flexential services, contact us at 877.448.9378 or [email protected] • 24/7

Documents
ANALYSIS AND DESIGN OF DIGITAL FORENSICS AND INCIDENT ...oa.upm.es/55623/1/TFM_JAVIER_MARTINEZ_LLAMAS.pdf · Digital Forensics and Incident Response (DFIR) framework. As to understand,

ANALYSIS AND DESIGN OF DIGITAL FORENSICS AND INCIDENT ...oa.upm.es/55623/1/TFM_JAVIER_MARTINEZ_LLAMAS.pdf · Digital Forensics and Incident Response (DFIR) framework. As to understand,

Documents
Establishing an Incident Response Plan...Computer Forensics. AGENDA • Incident Response Landscape • Incident Response Considerations • NIST Framework • Elements of an IR Plan

Establishing an Incident Response Plan...Computer Forensics. AGENDA • Incident Response Landscape • Incident Response Considerations • NIST Framework • Elements of an IR Plan

Documents
proactive n reactive forensics - RedIRIS · QWhat is Digital Forensics? – Incident response – Computer Forensic Investigations ... Forensics Response ... proactive_n_reactive_forensics.ppt

proactive n reactive forensics - RedIRIS · QWhat is Digital Forensics? – Incident response – Computer Forensic Investigations ... Forensics Response ... proactive_n_reactive_forensics.ppt

Documents
ANTI-INCIDENT RESPONSE - Digital Forensics Training · •DoD Computer Forensic Lab, (1998-2002, 2004) •Mandiant (2006-2012) ... Anti-Incident Response Practices •Obscure the

ANTI-INCIDENT RESPONSE - Digital Forensics Training · •DoD Computer Forensic Lab, (1998-2002, 2004) •Mandiant (2006-2012) ... Anti-Incident Response Practices •Obscure the

Documents
Memory Forensics During Incident Response. Jack Crook Incident Handler Works for GE Founded RaDFIRe Handlerdiaries.com

Memory Forensics During Incident Response. Jack Crook Incident Handler Works for GE Founded RaDFIRe Handlerdiaries.com

Documents
Chapter 1 Computer Forensics and Incident Response …Chapter 1 Computer Forensics and Incident Response Essentials In This Chapter Catching the criminal: the basics of computer forensics

Chapter 1 Computer Forensics and Incident Response …Chapter 1 Computer Forensics and Incident Response Essentials In This Chapter Catching the criminal: the basics of computer forensics

Documents
Incident Response & Computer Forensics / Prosise & Mandia / 222696-x / Chapter … · 2003-10-04 · Chapter 10: Computer System Storage Fundamentals 219 Hacking / Incident Response

Incident Response & Computer Forensics / Prosise & Mandia / 222696-x / Chapter … · 2003-10-04 · Chapter 10: Computer System Storage Fundamentals 219 Hacking / Incident Response

Documents
Cyber Incident Response & Digital Forensics Lecture

Cyber Incident Response & Digital Forensics Lecture

Technology
Digital Forensics and Incident Response

Digital Forensics and Incident Response

Education
Incident Response and Digital Forensics – Denver Chapter of ISACA

Incident Response and Digital Forensics – Denver Chapter of ISACA

Documents
Incident Response Incident Response Process Forensics

Incident Response Incident Response Process Forensics

Documents
Hurry-Up Offense: Keeping Pace with Information Security ... · • Incident response plan • Incident response team (IRT), including third parties (counsel and forensics) • Regular

Hurry-Up Offense: Keeping Pace with Information Security ... · • Incident response plan • Incident response team (IRT), including third parties (counsel and forensics) • Regular

Documents