
Digital Forensics and Incident Response



null Delhi Chapter Meet - January 2014


Page 1: Digital Forensics and Incident Response
Page 2: Digital Forensics and Incident Response

Preparation

Identification and Analysis

Containment

Eradication

Recovery

Lessons learnt

Page 3: Digital Forensics and Incident Response

Elevated cmd and WMIC

tasklist /v /fo csv

tasklist /svc /fo csv

netstat -ab

dir /a/s /tc c:\

wmic startup list full /format:csv

wmic process list full /format:csv
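The two tasklist listings above are most useful when joined on PID: the /svc view shows which services each svchost.exe hosts and the /v view shows the account and session it runs in. The following parser is an added example (not from the slides) that reads both CSV outputs, merges them, and flags svchost.exe instances that host no service, run under a non-service account, or live in an interactive session. The sample listings, the function names and the LAB\alice account are constructed for the example.

```python
"""Triage helper for `tasklist /v /fo csv` and `tasklist /svc /fo csv` output.

Added example: parses the two CSV listings, joins them on PID, and flags
svchost.exe instances that host no service or run outside the service
accounts. All sample output below is constructed, not captured from a host.
"""
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` (tasklist emits the header row itself).
SAMPLE_SVC = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","828","DcomLaunch,PlugPlay,Power"
"svchost.exe","944","RpcEptMapper,RpcSs"
"svchost.exe","3120","N/A"
"explorer.exe","2204","N/A"
'''

# Constructed sample of `tasklist /v /fo csv` for the same PIDs.
SAMPLE_V = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\\SYSTEM","12:03:45","N/A"
"svchost.exe","828","Services","0","9,876 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","944","Services","0","7,412 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","3120","Console","1","5,120 K","Running","LAB\\alice","0:00:04","N/A"
"explorer.exe","2204","Console","1","41,200 K","Running","LAB\\alice","0:00:09","N/A"
'''

# Accounts under which a service-hosting svchost.exe is expected to run.
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def parse_tasklist_csv(text):
    """Return {pid: row-dict} for one tasklist CSV listing."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row for row in reader}


def join_listings(svc_text, v_text):
    """Merge the /svc and /v listings on PID into one record per process."""
    svc = parse_tasklist_csv(svc_text)
    verbose = parse_tasklist_csv(v_text)
    merged = {}
    for pid, row in verbose.items():
        rec = dict(row)
        services = svc.get(pid, {}).get("Services", "N/A")
        rec["Services"] = [] if services == "N/A" else services.split(",")
        merged[pid] = rec
    return merged


def find_suspicious_svchost(merged):
    """Flag svchost.exe instances that host no service, run as a user, or sit in an interactive session."""
    findings = []
    for pid, rec in sorted(merged.items()):
        if rec["Image Name"].lower() != "svchost.exe":
            continue
        reasons = []
        if not rec["Services"]:
            reasons.append("hosts no service")
        if rec["User Name"].upper() not in SYSTEM_ACCOUNTS:
            reasons.append("runs as %s" % rec["User Name"])
        if rec["Session Name"] != "Services":
            reasons.append("session %s" % rec["Session Name"])
        if reasons:
            findings.append((pid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, why in find_suspicious_svchost(join_listings(SAMPLE_SVC, SAMPLE_V)):
        print("PID %d svchost.exe: %s" % (pid, why))
```

Run both tasklist commands from the elevated prompt the slide calls for; a non-elevated tasklist /v reports N/A in the User Name column for other users' processes, which would make every svchost look wrong. A hit is a lead to confirm with the wmic process listing (command line and executable path), not a verdict on its own.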

Page 4: Digital Forensics and Incident Response

Memory image

Hibernation file

Page file

Registry Hives

Event Logs

$MFT

Contents of Prefetch folder

File listing with MD5 hashes
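The last item on the collection list, a file listing with MD5 hashes, is the one artifact an analyst usually builds rather than copies. The script below is an added example (not part of the slides) that walks a seized tree, streams each regular file through MD5 so that large files such as the page file do not have to fit in memory, and records the error instead of aborting when a file cannot be read. The function names and the small sample tree it builds are constructed for the example.

```python
"""Produce a file listing with MD5 hashes (md5deep-style) for a seized directory tree.

Added example, not from the slides: walks a tree, records relative path, size,
modification time (UTC) and MD5 for every regular file, and keeps going when a
file cannot be read, recording the error in the listing instead.
"""
import csv
import hashlib
import os
import tempfile
import time


def md5_file(path, chunk_size=1024 * 1024):
    """Stream the file through MD5 in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files_with_md5(root):
    """Return one record per regular file under root, in a deterministic order."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # stable order so two runs produce comparable listings
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are outside this listing
            st = os.stat(path)
            rec = {
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
            }
            try:
                rec["md5"] = md5_file(path)
                rec["error"] = ""
            except OSError as exc:  # unreadable file: keep the row, note the failure
                rec["md5"] = ""
                rec["error"] = exc.strerror or str(exc)
            records.append(rec)
    return records


def write_listing(records, out_path):
    """Write the listing as CSV with the hash first, as md5deep does."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["md5", "size", "mtime", "path", "error"])
        writer.writeheader()
        writer.writerows(records)


def make_sample_tree():
    """Create a small constructed tree (not real evidence) to exercise the listing."""
    base = tempfile.mkdtemp(prefix="triage_sample_")
    os.mkdir(os.path.join(base, "sub"))
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(base, "sub", "empty.bin"), "wb"):
        pass
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    recs = list_files_with_md5(root)
    write_listing(recs, "file_listing_md5.csv")
    print("%d files hashed under %s" % (len(recs), root))
```

Run it against the mounted read-only image rather than the live system where possible. MD5 is adequate for matching against known-file hash sets; if the listing will also serve as an integrity record, add a SHA-256 column alongside it.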

Page 5: Digital Forensics and Incident Response

Download SANS SIFT Workstation 2.14 from http://computer-forensics.sans.org/community/downloads

(SANS SIFT Workstation 3 to be released soon)

Page 6: Digital Forensics and Incident Response

VMware Appliance

Cross compatibility between Linux and Windows

A portable lab workstation you can use for your investigations

Forensic tools preconfigured

Option to install stand-alone via (.iso) or use via VMware Player/Workstation

Page 7: Digital Forensics and Incident Response

You have to learn it like you do any tool

Powerful command line capability

It is a tool to accomplish deep forensic analysis

Memory Analysis

File System Analysis

Timeline Analysis

And many more...

Page 8: Digital Forensics and Incident Response

Login "sansforensics"

Password "forensics"

$ sudo su

Use this to elevate privileges to root when mounting disk images.

Page 9: Digital Forensics and Incident Response
Page 10: Digital Forensics and Incident Response

File System Support

• Windows (MSDOS, FAT, VFAT, NTFS)

• Mac (HFS)

• Solaris (UFS)

• Linux (EXT2/3)

Evidence Image Support

• Expert Witness (E01)

• RAW (dd)

• Advanced Forensic Format (AFF)

Page 11: Digital Forensics and Incident Response

• Source files for Autopsy, The Sleuth Kit and other tools: /usr/local/src

• Location of the forensic pre-compiled binaries: /usr/local/bin

• Location of the images that were seized from your compromised system: /cases

• Location of the mount points for the file system images: /mnt

Page 12: Digital Forensics and Incident Response

• Automated registry analysis: RegRipper

• Registry analyzer: YARU

• Recover deleted registry keys: deleted.pl

• Parser for metadata: exiftool

• .pst mail examination tool: libpff

Page 13: Digital Forensics and Incident Response

Elevate your privileges

Change directory to /cases/<case directory>

Mount .E01 image files in the /mnt/ewf directory

$ mount_ewf.py <****.E01> /mnt/ewf/

Mount the raw image found in the /mnt/ewf directory on the /mnt/windows_mount/ directory

$ mount -o ro,loop,show_sys_files,streams_interface=windows <image evidence directory> /mnt/windows_mount

Page 14: Digital Forensics and Incident Response

1. Identify rogue processes

2. Analyze process DLLs and handles

3. Review network artifacts

4. Look for evidence of code injection

5. Check for signs of a rootkit

6. Dump suspicious processes and drivers

Page 15: Digital Forensics and Incident Response

vol.py -f <image> <plugin> --profile=<profile>

export VOLATILITY_LOCATION=file://<filepath>

export VOLATILITY_PROFILE=<profile>

vol.py -f <image format 1> imagecopy -O <imageformat1.img>

cmdscan, consoles, connections, connscan, netscan,
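Steps 1 and 5 of the memory-analysis methodology (identify rogue processes, check for signs of a rootkit) are usually worked as a cross-view: pslist walks the kernel's linked process list, psscan carves process objects out of physical memory, and a still-running process that only psscan reports has been unlinked. The script below is an added example (not from the slides or the Volatility project) that parses the text output of both plugins, excludes processes whose exit time shows they terminated normally, and also reports single-instance processes such as lsass.exe that appear more than once. The two outputs are constructed samples in the Volatility 2.x column layout; the function names and the SINGLE_INSTANCE set are my own.

```python
"""Cross-view check for hidden processes from Volatility 2 `pslist` and `psscan` output.

Added example, not part of the slides: a running process present in psscan but
absent from pslist has been unlinked from the kernel's process list. Terminated
processes also appear only in psscan, so rows with an exit time are ignored.
Both outputs below are constructed samples, not real captures.
"""
import re

PSLIST_SAMPLE = """Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2014-01-11 09:08:53 UTC+0000
0x82298700 csrss.exe               584    368      9      326      0      0 2014-01-11 09:08:54 UTC+0000
0x81e2ab28 winlogon.exe            608    368     23      519      0      0 2014-01-11 09:08:54 UTC+0000
0x81e2a3b8 services.exe            652    608     16      243      0      0 2014-01-11 09:08:55 UTC+0000
0x81e2a008 lsass.exe               664    608     21      335      0      0 2014-01-11 09:08:55 UTC+0000
0x81e2a9c0 svchost.exe             836    652     17      193      0      0 2014-01-11 09:08:56 UTC+0000
0x81e2a5d0 explorer.exe           1464   1432     18      348      0      0 2014-01-11 09:09:02 UTC+0000
"""

PSSCAN_SAMPLE = """Volatility Foundation Volatility Framework 2.3.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x0a0c0020 2014-01-11 09:08:53 UTC+0000
0x0000000002298700 csrss.exe           584    368 0x0a0c0040 2014-01-11 09:08:54 UTC+0000
0x0000000001e2ab28 winlogon.exe        608    368 0x0a0c0060 2014-01-11 09:08:54 UTC+0000
0x0000000001e2a3b8 services.exe        652    608 0x0a0c0080 2014-01-11 09:08:55 UTC+0000
0x0000000001e2a008 lsass.exe           664    608 0x0a0c00a0 2014-01-11 09:08:55 UTC+0000
0x0000000001e2a9c0 svchost.exe         836    652 0x0a0c00c0 2014-01-11 09:08:56 UTC+0000
0x0000000001e2a5d0 explorer.exe       1464   1432 0x0a0c00e0 2014-01-11 09:09:02 UTC+0000
0x0000000001d10da0 lsass.exe          1932    836 0x0a0c0100 2014-01-11 09:15:41 UTC+0000
0x0000000001d04560 notepad.exe        2208   1464 0x0a0c0120 2014-01-11 09:12:10 UTC+0000 2014-01-11 09:13:00 UTC+0000
"""

# A data row starts with the object offset, then name, PID and PPID; banner and header lines do not.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Processes that should exist exactly once on a running system.
SINGLE_INSTANCE = {"lsass.exe", "services.exe", "wininit.exe"}


def parse_process_table(text):
    """Parse pslist or psscan rows into {pid: {"name", "ppid", "exited"}}."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _offset, name, pid, ppid = m.groups()
        stamps = TIMESTAMP.findall(line)  # two timestamps = created and exited
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "exited": len(stamps) == 2}
    return procs


def hidden_processes(pslist_text, psscan_text):
    """(pid, name, ppid) for processes psscan carved but pslist did not report, excluding exited ones."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return sorted(
        (pid, p["name"], p["ppid"]) for pid, p in scanned.items()
        if pid not in listed and not p["exited"]
    )


def duplicate_singletons(psscan_text):
    """Names from SINGLE_INSTANCE that are still running more than once."""
    counts = {}
    for p in parse_process_table(psscan_text).values():
        name = p["name"].lower()
        if name in SINGLE_INSTANCE and not p["exited"]:
            counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    for pid, name, ppid in hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("hidden: %s pid=%d ppid=%d" % (name, pid, ppid))
    for name in duplicate_singletons(PSSCAN_SAMPLE):
        print("multiple running instances of %s" % name)
```

Feed it the saved output of `vol.py -f <image> --profile=<profile> pslist` and the matching psscan run. A hit from the first check is the input to step 6 (dump the process with its PID) and to the DLL and handle review in step 2; the second check catches the common trick of naming a dropped binary after a core system process.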