
Windows Forensics for Incident Response


Presentation Transcript


  1. Windows Forensics for Incident Response
     Christian Kopacsi, CISSP CISM CEH CHFI Security+

  2. What is Incident Response
     • An organized approach to addressing and managing the aftermath of a security breach or attack.

  3. Steps to Success

  4. Purpose of Incident Response
     • Preparation
       • User Awareness
     • Detection & Analysis
       • Did an incident occur?
     • Containment
       • Prevent further damage
     • Eradication
       • Root cause analysis
     • Recovery
       • Reimage the affected workstation
     • Post Incident Activity
       • Lessons Learned

  5. Preparation
     • User Awareness & Training

  6. Social Engineering

  7. Detection & Analysis
     • You can’t Respond if you can’t Detect
     • Logs – Hopefully a SIEM
       • Workstation \ Server
       • Firewall
       • IDS \ IPS
       • Internet Proxy \ Filter
     • MSSP \ 3rd Party
     • End Users \ Customers
     • You!

  8. Containment
     • Prevent Further Damage
       • NAC
       • ACL
       • Firewall
       • Switch
     • Software
       • Application Whitelisting
       • AV

  9. Eradication
     • Root Cause Analysis
     • Make Sure the Problem Does Not Come Back!

  10. Recovery
     • Known Good Configuration
     • Reimage Device
     • Restore from Backup

  11. Post Incident Activity
     • Lessons Learned
       • What Worked
       • What Didn’t Work
     • New Policy \ Procedures
     • Change to Existing Controls
     • Implement New Controls

  12. Windows Based Forensic Toolkit

  13. Tableau Write Blocker
     • SATA \ IDE

  14. Digital Camera
     • Document state of evidence
     • Inventory items seized

  15. Chain of Custody Form
     • Log all transfers of evidence

  16. Evidence Bags

  17. MISC.

  18. AccessData FTK Imager
     • Physical \ Logical Hard Drive Acquisition
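The two slides above (15, chain of custody; 18, drive acquisition) are the point where an acquired image and its paper trail have to stay verifiable for the rest of the case. The script below is an added example, not part of the presentation and not FTK Imager's own output: it hashes an image file in chunks, records each hand-off as a custody entry that also carries the hash of the previous entry, and reports any break in the chain or any change to the image since acquisition. The field names, the hash-chaining of entries and the constructed sample file are this example's own choices.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-gigabyte image need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    """One line of the custody form (field names are this example's choice)."""
    item_id: str
    released_by: str
    received_by: str
    purpose: str
    timestamp: str
    image_sha256: str      # hash of the image at the moment of this hand-off
    prev_entry_hash: str   # hash of the previous entry, so old lines cannot be edited silently

    def entry_hash(self):
        canonical = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # stand-in "previous hash" for the first (acquisition) entry

    def __init__(self):
        self.entries = []

    def record_transfer(self, item_id, released_by, received_by, purpose,
                        image_path, timestamp=None):
        """Append a transfer; the image is re-hashed at every hand-off."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash() if self.entries else self.GENESIS
        entry = CustodyEntry(item_id, released_by, received_by, purpose, ts,
                             sha256_file(image_path), prev)
        self.entries.append(entry)
        return entry

    def problems(self, image_path):
        """Return a list of findings; an empty list means log and image check out."""
        if not self.entries:
            return ["log is empty"]
        findings = []
        expected_prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != expected_prev:
                findings.append(f"entry {i}: chain link broken")
            expected_prev = e.entry_hash()
        acquisition_hash = self.entries[0].image_sha256
        for i, e in enumerate(self.entries[1:], start=1):
            if e.image_sha256 != acquisition_hash:
                findings.append(f"entry {i}: image hash differs from acquisition hash")
        if sha256_file(image_path) != acquisition_hash:
            findings.append("image on disk no longer matches acquisition hash")
        return findings


def demo():
    """Constructed sample: a small file stands in for an acquired disk image."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as fh:
        fh.write(b"constructed sample image contents\n" * 1000)
        image = fh.name
    log = CustodyLog()
    log.record_transfer("CASE-0001-HDD1", "seizing officer", "examiner",
                        "acquisition", image, "2024-01-01T10:00:00+00:00")
    log.record_transfer("CASE-0001-HDD1", "examiner", "evidence locker",
                        "storage", image, "2024-01-01T16:30:00+00:00")
    results = {"clean": log.problems(image)}
    # A log whose first entry was edited after the fact: the second entry's
    # prev_entry_hash no longer matches, so the chain reports the break.
    tampered = CustodyLog()
    tampered.entries = [replace(log.entries[0], purpose="edited later"), log.entries[1]]
    results["log_tampered"] = tampered.problems(image)
    # The image itself altered after acquisition (e.g. mounted without a write blocker).
    with open(image, "ab") as fh:
        fh.write(b"one extra byte")
    results["image_modified"] = log.problems(image)
    os.unlink(image)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Re-hashing at every transfer is deliberate: a hash recorded only once at acquisition proves nothing about the hand-offs in between, and it is the comparison against the original acquisition hash, not the most recent one, that tells you whether the image presented in court is the one that was taken.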

  19. AccessData FTK Imager
     • Live Memory Acquisition
       • Encryption Keys, Passwords, Running Processes

  20. ImDisk Virtual Disk Driver
     • Mount evidence files as a Read-Only Hard Drive

  21. RegRipper
     • Registry Analysis
       • SAM
       • Security
       • Software
       • System
       • NTUser

  22. Helix
     • Free Version still available
     • Best of Both Worlds
       • Run applications from within Windows
       • Boot from Linux Live CD

  23. Malwarebytes Anti-Malware

  24. Exiftool - Photos

  25. Exiftool – Office Documents

  26. ProcMon

  27. Internet Evidence Finder

  28. Forensic Software Suite

  29. Forensics and the State of Michigan
     • PROFESSIONAL INVESTIGATOR LICENSURE ACT
     • As of May 28, 2008, all computer forensic firms must have a Private Investigator's license to practice in Michigan.
     • Any person engaged in the collection of electronic evidence and/or engaged for the presentation of electronic evidence in a Michigan court must have a valid Private Investigator's License.

  30. References & Thanks
     • NIST 800-61
     • NIST 800-86
     • http://www.cert.org/csirts/Creating-A-CSIRT.html
     • http://www.ussecurityawareness.org/highres/incident-response.html
     • http://windowsir.blogspot.com
     • http://www.ericjhuber.com
     • Chris Pogue – Trustwave SpiderLabs
     • http://blog.spiderlabs.com (Sniper Forensics)

  31. Next Time
