INDEX
A
Acceptable Use Policy (AUP), 48
access control
applications, 563
live response collection, 143–144
methods for, 557–558
networks, 69–74
servers, 563
access control lists (ACLs), 6, 571
Access Data FTK. See FTK
access logs, 65–66
AccessData FTK Imager, 171, 172, 178–179
AccessData FTK Imager Lite, 152–154, 178–179
accounts. See user accounts
ACH (automated clearing house) scenario, 127–130, 530–532
ACLs (access control lists), 6, 531, 571
ad-hoc monitoring, 56–57
administrators
authentication, 569
disabling, 566
identifying, 87
passwords, 536
security, 569
ADS (alternate data streams), 280–282
Advanced Forensic Framework format (AFF), 171–172
Advanced Packaging Tool (apt), 425
AFF (Advanced Forensic Framework format), 171–172
Aid4Mail, 454
AIM (AOL Instant Messenger), 461–463
alerts
automated, 562
event-based, 185–187
posturing actions, 562
response to, 205
allocation file, 387
alternate data streams (ADS), 280–282
Altiris Client Management Suite, 228–230
America Online Instant Messenger. See AIM
analysis methodology, 253–270
accessing data, 259–262
analyzing data, 263–269
categories of evidence, 258–259
data minimization, 266
data overview, 256–259
data storage, 257–258
defining objectives, 254–256
dynamic, 489–496
evaluating results, 269
external resources, 265
file carving, 268–269
general process for, 254
keyword searching, 268
manual inspection of data, 265–266
specialized tools, 266
statistical analysis, 266–267
types of analysis methods, 265–269
analysis reports, 505, 506–508
analyzeMFT tool, 282
analyzing data. See data analysis
ancillary teams, 27. See also IR team
anomaly-based indicators, 98
antivirus logs, 230
Antivirus Quarantine, 231
antivirus software, 230–238
antivirus (AV) solutions, 67
AOL Instant Messenger (AIM), 461–463
Apache HTTP server, 240–242
Apple Examiner website, 158
Apple hardware, 180
Apple Mac OS. See Mac OS–based systems
Apple Mail, 452–453
Apple System Log (ASL), 406–413
application accounts, 535
Application Bundles, 394, 395
application data, 422–425
considerations, 423
Linux, 424–425
location of, 423–425
Mac, 424
overview, 258, 422
Windows, 423
application engineering role, 555
application metering logs, 228–230
applications, 421–464
artifacts, 426, 428
browsers. See web browsers
e-mail clients, 445–454
enterprise management, 225–230
evidence, 258
executing, 427
installation of, 427
instrumentation, 427
investigation methods, 425–429
logging, 66
messaging. See IM clients
monitor execution of, 427
obtaining, 427
passwords, 64
performing hands-on survey, 64
posturing actions, 563
retiring legacy application, 567
support/message boards, 426
versions, 428
web. See web applications
whitelisting, 563, 569–570
apt (Advanced Packaging Tool), 425
artifacts
AIM, 461–463
applications, 426, 428
apps, 428
data theft, 263–264
DNS cache, 102, 107
e-mail clients, 445–454
Facebook Chat, 459–461
file system, 265
files, 120
Firefox, 441–445
Mac. See Mac artifacts
network, 120
OS, 120
registry keys, 120
system, 120
voicemail, 457–459
web browsers, 429–445, 430
Windows. See Windows artifacts
ASCII strings, 479
ASCII text, 478
ASL (Apple System Log), 406–413
asset tag number, 87
assets
considerations, 74, 77, 519
critical, 47
enterprise, 181–182
managing, 62–63
at command, 305–307
Attack Lifecycle, 19–22, 544–546
attack timeline, 90–91
attacker activity, 41
attacks. See incidents
attributes file, 387–388
Audit Explorer, 403
AUP (Acceptable Use Policy), 48
authentication
administrator accounts, 569
described, 60
GINA, 333
Kerberos, 300
posturing actions, 562
single-factor, 12
SSH, 566
two-factor, 71, 562, 569
AutoComplete for Internet Explorer, 436
automated clearing house (ACH) scenario, 127–130, 530–532
automation
alerts, 562
data collection, 144
dynamic analysis, 489–490
automounting devices, 177
AutoRuns tool, 347–348
AV. See antivirus
B
backdoor malware
case study, 9–12, 14
remote access, 15–19
BackTrack project, 59, 176
backups
considerations, 88
data storage on, 258
described, 258
eradication events and, 536
Ballenthin, Willi, 284
BASH (Bourne-again Shell), 156
Berkeley Internet Name Domain (BIND), 220, 221
BHOs (Browser Helper Objects), 332
binaries, malicious, 100–107
BIND (Berkeley Internet Name Domain), 220, 221
BIND servers, 221
BKDNS malware, 10
blackholes, 89
Bonjour, 414
boot blocks, 383
boot disks, 59, 176
Bourne-again Shell (BASH), 156
“brand” damage, 7
brick and mortar merchants, 11
Browser Helper Objects (BHOs), 332
BrowsingHistoryViewer, 430
BSD-based kernels, 160–161
budget issues, 518–519
.bup (BUP) extension, 235
BUP (.bup) extension, 235
BUP files, 235
business operations role, 555
business units, 63
C
cache
Chrome, 438–439
DNS cache artifacts, 102, 107
Firefox, 443, 445
Internet Explorer, 432, 435–436
MUICache, 341–342
Shim Cache, 322–324, 348
web browsers, 430
Cache Viewer, 436
CAINE project, 59
card present transaction, 11
cardholder data theft, 8, 9–15
Carnegie Mellon Software Engineering Institute, 54
case notes, 90–91
case numbers, 52
case studies
cardholder data theft, 8, 9–15
remediation, 553–572
theft of sensitive data, 8, 15–19
catalog file, 387
catalog node ID (CNID), 387
CentOS, 425
CFF Explorer, 484–486
CFTT (Computer Forensic Tool Testing), 59, 167
chat proxies, 71
checklists, investigation, 83–89
checksums, cryptographic, 171–172
Chrome web browser, 437–441
ChromeCacheView, 441
ChromeForensics, 441
ChromeHistoryView, 441
CIA (Confidentiality, Integrity, and Availability), 7
Class ID (CLSID), 332
classified system, 523
CLF (Common Log Format), 241–242
client connection logs, 244
cloned cards, 10
cloud services, 258
CLSID (Class ID), 332
CNID (catalog node ID), 387
command-and-control (C2) data, 10
Common Log Format (CLF), 241–242
communications
conference calls, 52
considerations, 51
with external parties, 52–53
internal, 51–52
labeling, 51
pre-incident preparations, 51–53
procedures for, 51–53
workstation, 73–74
Communications Security (ComSec) issues, 51–52
compression methods, 10
compromised systems, 565
computer crimes, 5
Computer Forensic Tool Testing (CFTT), 59, 167
Computer Forensics Tools Verification project, 167
Computer Fraud and Abuse Act, 471
computer intrusions, 6
Computer Security Incident Handling Guide, 4
computer security incidents. See incidents
Computer Security Resource Center (CSRC), 4
computers
data storage on, 257
desktop, 257
hiding tracks, 169
laptop. See laptop computers
resources, 24–25
virtual, 257
computing devices. See devices
computing resources, 24–25
ComSec (Communications Security) issues, 51–52
conference calls, 52
confidential information, 47
Confidentiality, Integrity, and Availability (CIA), 7
configuration
computing devices, 61–68
networks, 63, 68–77
Conficker worm, 372
connection logs, 244
contact information, 63
containment actions, 515, 524–525, 529–532
containment plans, 15, 529–532, 556–561
containment, temporary, 566
Cookie Viewer for Internet Explorer, 436
cookies
Chrome, 439
described, 430
Firefox, 444
Internet Explorer, 432, 436
Coordinated Universal Time (UTC), 83
copyrights, 92
corporate reputation, 47
crash dumps, 359–360
CreateFile operations, 493
credential compromise, 73
credentials, 64–65, 73
critical assets, 47
cryptographic checksums, 171–172
cryptographic hashes, 474
CSRC (Computer Security Resource Center), 4
customer data loss scenario, 122–127
cyber attacks, 22
cyber intrusions, 8
cybercrime, 4
cyber-espionage, 8
CybOX format, 34, 36
Cygwin environment, 476–478
D
DAT file, 458
data
access to, 49, 259–262
analyzing. See data analysis
application. See application data
C2, 10
cardholder, 8, 9–15
collection. See data collection
confidential, 47
crash dump, 359–360
duplication of. See forensic duplication
initial, 82–89, 118, 119
instrumentation, 427
keeping organized, 40–42
list of accessed data, 41
live response, 38
location of, 257–258
manual inspection of, 265–266
NetFlow, 188
network, 196–212
network services, 259
OS-specific, 258
overview, 256–259
payment account, 47
PCI, 10, 47
personally identifiable, 47
preservation of, 88, 89
representation of, 261–262
SLM, 225–228
sorting/filtering, 266
source, 86
stolen, 41
storage of, 257–258
tracking, 40–42
user, 259
data analysis, 205–211
analyzing evidence, 38–39
data overview, 256–259
data theft scenario, 197–204
defining objectives, 254–256
described, 38
evaluating results, 269
evidence, 38–39
general process for, 254
live response analysis, 38
log files, 60
malware analysis, 38
methodology. See analysis methodology
network data, 196–212
outlining approach to, 263–264
selecting analysis method, 265–269
webshell reconnaissance scenario, 205–211
data collection
automated, 144
enterprise services. See enterprise services
forensic duplication, 165–182
live. See live data collection
data flows, 76
data loss scenario, 122–127
data minimization, 266
data protection hardware, 54–55
Data Security Standard (DSS), 13, 28, 66
data theft
artifacts of, 263–264
cardholder data, 8, 9–15
case study, 8, 15–19
RAR/FTP scenario, 197–204
sensitive projects, 8, 15–19
database accounts, 535
database servers, 244–249
database storage, 245
databases
enhancing security of, 571
file, 474–475
MSSQL, 246–247
MySQL, 247–248
Oracle, 248–249
overview, 244–246
SQLite, 440–445, 455
DC3 (Defense Cyber Crime Center), 176
DC3dd tool, 172, 176, 178
DCFL (Department of Defense Computer Forensics Laboratory), 176
DCFLdd tool, 158, 160, 172, 176
DCOs (Drive Configuration Overlays), 168, 170
dd command, 175–176
dd tool, 158, 160
Debian-based distributions, 425
debuggers, 486
Defense Cyber Crime Center (DC3), 176
Defense Industrial Base Cyber Security/Information Assurance (DIB-CS/IA), 115
Defense Information Systems Agency (DISA), 62
deliverables, 53
demilitarized zone. See DMZ
DENY ALL rule, 558–559
Department of Defense Computer Forensics Laboratory (DCFL), 176
Dependency Walker, 486
detection, incident, 85–86
detection, malware, 88
devices. See also assets; hardware
automounting, 177
configuration, 61–68
data storage on, 257
mobile, 56, 257, 411
NAS, 170–171
network, 257
performing hands-on survey, 64
as potential targets, 5
SAN, 170–171
DHCP (Dynamic Host Configuration Protocol), 216–220
DHCP lease, 217
DHCP logs, 87, 217, 219
DHCP servers, 76, 213, 217, 219–220
DIB-CS/IA (Defense Industrial Base Cyber Security/Information Assurance), 115
DigestIT2004 tool, 474
Digital Detective NetAnalysis, 430
digital signatures, 336
Directory Services, 398–401
DISA (Defense Information Systems Agency), 62
disaster recovery plans, 258, 470
discovery, subpoenas for performing, 114
disk image formats, 260
disk images. See forensic images; images
disk imaging tools, 59
diskarbitrationd daemon, 177
disks, boot, 59
disks, hard. See hard drives
DLL load-order hijacking, 373–375
DLL search-order hijacking, 10
dmesg command, 176–177
DMZ (demilitarized zone), 9, 205
DMZ firewalls, 9
DNS (Domain Name System), 220–225
DNS blackholes, 76–77, 565
DNS cache artifacts, 102, 107
DNS logs, 223–225
DNS lookups, 107, 109, 197
DNS resolution, 220, 565
DNS servers, 220
DNS systems, 76
DNSCAP, 224–225
documentation
defined, 60
evidence. See evidence
evidence handling, 60
internal knowledge repository, 60–61
within IR team, 60–61
labeling documents, 51
malware analysis, 468–469
networks, 74–75
Domain Name System. See DNS
domain names, 87, 88, 565
dpkg package manager, 425
Drive Configuration Overlays (DCOs), 168, 170
drives. See hard drives
DSS (Data Security Standard), 13, 28, 66
dump files, 359–360
DumpIt tool, 370
dynamic analysis, 489–496
automated, 489–490
manual, 490–496
Dynamic Host Configuration Protocol. See DHCP
E
E2EE (end-to-end encryption), 13
Easy-IDS, 57
education, 49–50, 54. See also training
egress filtering, 70
EIDs (event IDs), 218, 295–296
elements of proof, 91–92
e-mail
attacks on, 51, 52
encrypted, 51
spear phishing, 15
e-mail clients, 445–454
Apple Mail, 452–453
Mozilla Thunderbird, 453
Outlook, 448–452
Outlook for Mac, 453–454
web-based, 446–448
e-mail servers, 51, 52
Emailchemy, 454
EnCase, 178, 426
EnCase Imager, 171, 172
encryption
considerations, 260
E2EE, 13
e-mail, 51
FDE, 54
hard drives, 55
storage media, 55
endpoint traffic filtering, 73–74
end-to-end encryption (E2EE), 13
enterprise assets, 181–182
enterprise management applications, 225–230
enterprise resources planning (ERP) configuration, 71
enterprise services, 215–250
Altiris Client Management Suite, 228–230
antivirus software, 230–238
application support, 225–230
database servers, 244–249
DHCP, 216–220
DNS, 220–225
LANDesk Management suite, 225–228
web servers, 238–244
eradication actions, 532–537, 564–568
eradication event
activities, 539–541
backups and, 536
communications during, 541
contingencies, 536
duration of, 533
execution of, 539–541
failure of, 539
goals of, 532
initial infection vector and, 567
mitigating attacker access, 533–534
planning for, 534–536
strategic recommendations, 541–542
strike zone, 538
timing of, 537–539, 568
user accounts, 535–536
verifying remedial activities, 540–541
eradication plans
developing, 532–537
executing, 539–541
ERP (enterprise resources planning) configuration, 71
error logs, 65–66, 245
error rates, 86
ERRORLOG entries, 246
eSATA drives, 174
ESE (Extensible Storage Engine) format, 14–15, 432, 434–435
Ethernet headers, 188
event IDs (EIDs), 218, 295–296
event logs, 65–66, 75, 527. See also log files
event-based alerts, 185–187
events
attack timeline, 90–91
described, 4
vs. incidents, 4
network, 185–187, 213–214
suspicious, 25
evidence
absence of, 121
admissibility of, 58
analyzing data, 38–39
applications, 258
categories of, 258–259
considerations, 37
determining course of action, 122
examples of, 37
forensic disk images. See forensic images
gathering, 120–121
handling, 60
independent sources, 120
initial data, 82–89, 118, 119
list of evidence collected, 41
live response. See LRs
logs. See log files
memory collection, 37–38
network. See network evidence
network services, 259
operating systems, 258
preliminary, 120–121
preserving, 37–38
provided by web servers, 239–240
reviewing, 120–121
user data, 259
web content, 240
evidence collection guidelines, 60
EVT files. See Windows event logs
EWF (Expert Witness format), 171, 172
executable files, 230, 473
Expert Witness format (EWF), 171, 172
Extensible Markup Language (XML), 455
Extensible Storage Engine (ESE) format, 14–15, 432, 434–435
extents overflow file, 387
external communications, 52–53
external media, 38, 54, 55
eye witness reports, 42, 69, 73, 75, 93, 169
F
Facebook Chat, 459–461
FDE (full disk encryption) products, 54
Fedora, 425
fgdump tool, 65
FHS (Filesystem Hierarchy Standard), 424
file carving, 268–269
file databases, 474–475
file extensions, 268, 394, 468
file headers, 475–479
file slack, 268
file system redirector, 288–289
file system services (Mac), 389–392
file systems
artifacts, 265
considerations, 258
Mac. See HFS+
Windows. See NTFS
file transfer proxies, 71
FileAdvisor DB, 474, 475
FileInsight editor, 476
files
allocation, 387
analyzing, 473–488
artifacts, 120
attributes, 387–388
BUP, 235
catalog, 387
crash dump, 359–360
encoded, 483
examining strings in, 479–482
executable, 473
extents overflow, 387
headers, 475–479
hibernation, 360
.job, 307–310
JSON, 438, 440
LDF, 247
link, 349–351
list of, 41
magic, 476
MDF, 247
minidump, 360
obfuscation, 486
packed, 486–488
PDF, 15
PE, 483–488
prefetch, 289–293
quarantine, 231, 233, 235–236, 238
startup, 389
Windows. See Windows files
Filesystem Hierarchy Standard (FHS), 424
Financial Services Information Sharing and Analysis Center (FS-ISAC), 115
Firefox, 441–445
firewall logs, 213, 562
firewalls
DMZ, 9
host-based, 570
implementing, 570
logging events, 75
posturing actions, 562
Firewire drives, 174
Foremost tool, 268
forensic duplication, 165–182
Apple hardware and, 180
“complete disk image,” 168–170
image formats, 167–172
overview, 166–167
vs. simple duplication, 166
tools for, 166–167
virtual machines, 181–182
forensic examination suites, 59
Forensic Focus, 426
forensic images, 38, 39. See also images
access to, 259–261
boot disks, 176
“complete disk image,” 168–170
considerations, 172
duplicating enterprise assets, 181–182
forensic duplication, 166
formats, 167–172
image creation tools, 175–179
integrity image, 171–172
live system duplication, 179–180
logical images, 170–171
output format, 172
overview, 38, 166
partition images, 170
qualified, 172
simple duplication, 166, 170
software tools, 175–179
traditional duplication, 173–179
types of, 172
“forensically sound” software, 58
forensics hardware, 54–57
Apple, 180
data protection, 54–55
for network monitoring, 192–193
network monitoring platforms, 56–57
at the office, 56
overview, 54
performing hands-on survey, 64
portable, 55
shared equipment, 56
for use at the office, 56
for use in the field, 55
write blocker, 173–175
Forensics Prefetch-Parser, 293
forensics software, 57–60
considerations, 57
disk imaging tools, 59
forensic examination suites, 59
“forensically sound,” 58
indicator creation, 59
live response capture/analysis, 59
log analysis tools, 60
options, 57
OS considerations, 59
search utilities, 59
types of, 59–60
Forensics Wiki, 426
FreeBSD kernel, 193
FreeBSD operating system, 192–193
Frye test, 58
FS-ISAC (Financial Services Information Sharing and Analysis Center), 115
FTK Imager, 171, 172, 178–179, 370
FTK Imager Lite, 152–154, 178–179
FTK suite, 426
FTP connections, 10
FTP sessions, 198–202
ftp.exe program, 108–204
FTP/RAR data theft scenario, 197–204
full disk encryption (FDE) products, 54
full packet logging, 187–188
full-content capture systems, 75
G
Gcore script, 162–163
gdb (GNU debugger), 162–163
GET requests, 205, 238
GFI Sandbox, 489
GH0ST RAT backdoor, 15–19
GINA (Graphical Identification and Authentication) service, 333
global infrastructure issues, 49
GNU debugger (gdb), 162–163
Google Chrome web browser. See Chrome
Graphical Identification and Authentication (GINA) service, 333
“ground truth,” 40–41
GUID values, 329–330
Guidance Software EnCase, 178
H
Hamm, Jeff, 284
Handle tool, 494, 495
handles, 362–363
hard drives, 54–55
bad sectors, 171
encrypted, 55
eSATA, 174
external, 55
Firewire, 174
forensic duplication and, 167
internal, 54
layout example, 168
offline, 171
PATA, 174
SATA, 174
static, 175
USB, 174
hardware, 54–57. See also devices
Apple, 180
data protection, 54–55
for network monitoring, 192–193
network monitoring platforms, 56–57
at the office, 56
overview, 54
performing hands-on survey, 64
portable, 55
shared equipment, 56
for use at the office, 56
for use in the field, 55
write blocker, 173–175
Hardware Write Blockers, 173–175
hash algorithms, 474
hash collisions, 474
hash values, 171
hashes
image integrity and, 171
integrity, 172
MD5, 100–101
NTLM, 65
password, 12, 64, 65
SHA, 474
header captures, 188
Helix project, 59
hex editors, 308, 309, 476
Hexacorn forensics blog, 291
HFS+ (Hierarchical File System) file system, 382–392
Application Bundles, 394, 395
file system services, 389–392
local domain, 392, 394–397
network domain, 392, 393
overview, 382–383
system domain, 393, 397
user domain, 393, 397–398
volume layout, 383–389
hibernation files, 360
Hierarchical File System. See HFS+
Hindsight tool, 441
HIPS (host intrusion prevention system) solutions, 67
History and Cookie Viewer for Internet Explorer, 436
History Viewer for Internet Explorer, 436
“hits,” 36
hives, 315, 316–317, 338–346
honeypots, 74
hooking, 368–369
Hopkins University Information Security Institute, 54
host hardening, 62
host intrusion prevention system (HIPS) solutions, 67
host name, 87
Host Protected Areas (HPAs), 167, 168, 170
host-based indicators, 98, 100–106
host-based IOCs, 41, 100–106
host-based security, 49–50
host-based sensors, 213
HPAs (Host Protected Areas), 167, 168, 170
HTML (Hypertext Markup Language), 429, 455, 4–463
HTML pages, 482
HTTP (Hypertext Transfer Protocol), 238–240, 570
HTTP server, 240–242
Hypertext Markup Language. See HTML
Hypertext Transfer Protocol. See HTTP
I
ICS (Industrial Control System), 523
IDS sensors, 213
IDSs (intrusion detection systems), 75
IE (Internet Explorer), 332, 431–437
IEF (Internet Evidence Finder), 430, 447, 460–461
IIS (Internet Information Services), 242–244, 569
IM clients, 454–463
AIM, 461–463
Facebook Chat, 459–461
methodology, 35, 455
Skype, 456–459
image creation tools, 175–179
images. See also forensic images
image creation tools, 175–179
integrity, 171–172
live, 179–180
logical, 170–171
partition, 170
RAID, 181
Incident Detection Checklist, 85–86
incident owner, 520
incident reports, 505–506
incident response. See IR
incident response lifecycle, 32, 33
Incident Summary Checklist, 84–85
incidents
attack lifecycle, 19–22, 544–546
characteristics, 24–25
common questions, 46
containing. See containment plans
date/time of, 83, 84
definition of, 4–5, 24–25
detection of, 85–86
different tiers of, 5
vs. events, 4
examples of, 25
formal response to, 520
impact of, 25
Incident Summary Checklist, 84–85
initial infection vector, 567
intrusions, seven stages of, 19–22
nature of, 85
number of, 6
preparing for. See pre-incident preparation
real-world, 3–22
remediation. See remediation
reporting to law enforcement, 114–115
scope of. See scope
severity of, 517–518
index.dat files, 12, 432, 433–434
indicators. See also leads
anomaly-based, 98
data common to environment, 112
data relevant to, 111–112
generation of, 59, 98–112
host-based, 98, 100–106
lifecycle, 98–112
methodology-based, 98
network-based, 98, 106–111
property-based, 98
Sethc IS Debugger, 105–106
turning leads into, 98
verification, 111–112
indicators of compromise. See IOCs
Industrial Control System (ICS), 523
INDX attributes, 282–285
INDXParse utility, 284
information. See data
Infraguard, 115
infrastructure, 49, 61–77
ingress filtering, 70
initial infection vector, 567
instant message. See IM
instrumentation, 75–76, 427
instrumentation data, 427
instrumentation mechanisms, 65–67
integrity, 60
integrity hashes, 172
intelligence feeds, 570
internal communications, 51–52
internal knowledge repository, 60–61
internal media, 55
Internet
considerations, 5, 534, 539
disconnecting environment from, 564–565
disconnecting from, 535, 539
restrictions, 557
usage policy, 48
Internet Evidence Finder (IEF), 430, 447, 460–461
Internet Examiner Toolkit, 447
Internet Explorer (IE), 332, 431–437
Internet Information Services (IIS), 242–244, 569
Internet Systems Consortium (ISC) DHCP servers, 219–220
Internet Usage Policy, 48
interviews, 113
intrusion analysis, 39
intrusion detection systems. See IDSs
intrusion prevention systems, 67
investigation team role, 555
investigations
attack timeline, 90–91
case numbers, 52
checklists for, 83–89
collecting initial facts, 82–89, 118, 119
considerations, 32, 39
developing/following leads, 65–68
elements of proof, 91–92
evidence. See evidence
goal of, 32
identifying systems of interest, 36–37
IOC creation, 34
IOC deployment, 35–36
leads. See leads
Mac. See Mac OS–based systems
management expectations, 92
multinational organizations, 49
priorities, 91–93
project names, 52
“situational awareness,” 40–42
starting, 81–94
staying organized, 40–42
steps in, 32–39
tasks, 25
time factor, 32
tracking data, 40–42
Windows. See Windows systems
investigative objectives, 254–256
investigative reports. See reports/reporting
investigative tools, 67
IOC Editor, 35
IOC formats, 34–36
IOCs (indicators of compromise)
considerations, 34
creation of, 34–35, 59
deployment, 35–36
host-based, 36, 41, 100–106
network-based, 41
IP addresses
blocking, 565
investigating, 217
malicious, 88, 565
recording information about, 87
IP headers, 188
IR (incident response)
activities, 5–6
current state of, 6–7
evolution of, 4
geographical location, 7
goals of, 6, 25
importance of, 8
individuals involved with, 26–31
overview, 5–6
policies for, 47–48
preparing for. See pre-incident preparation
IR activities, 25
IR investigations. See investigations
IR management handbook, 23–43
IR process, 31–42
initial response, 31–32
investigation. See investigations
remediation. See remediation
tracking of significant information, 40–42
IR team
ancillary teams, 27
authority to conduct searches, 27
communications, 51–53
considerations, 27–28, 50
coordination, 49
defining mission, 50–51
deliverables, 53
documentation, 60–61
finding IR talent, 29–31
global issues, 49
hardware solutions for, 54–57
overview, 26–31
policies, 47–48
preparing for incident response, 50–61
recruiting members, 29
resources for, 54–61
scope and, 28
shared equipment, 56
software solutions for, 57–60
team coordination, 49
training, 54
types of, 51
IR team members
characteristics, 30
hiring, 29–31
list of ongoing/requested tasks for, 41
qualifications, 29–30
ISC (Internet Systems Consortium) DHCP servers, 217, 219–220
ISO 27001 Security, 69
IT functions, outsourced, 48
J
JavaScript Object Notation. See JSON
.job files, 307–310
jobparser.py tool, 308, 309
Journal Parser tool, 286
JSON files, 438, 440
JSON (JavaScript Object Notation) format, 441–442, 460
Jump Lists, 351–353
jump servers, 10
K
Kerberos authentication events, 300
kernel, Linux, 158–160, 193
Kernel Patch Protection (KPP), 369
keyloggers, 144
keyword searching, 268
Knoppix, 425
knowledge repository, 60–61
KnownDLLs registry key, 373–375
KPP (Kernel Patch Protection), 369
Kyrus, 475
L
labor regulations, 49
LADS utilities, 281
LANDesk Management suite, 225–228
landesk.pl plugin, 227
laptop computers
Apple, 180
considerations, 55
data storage on, 257
hiding tracks, 169
using in the field, 55
law enforcement
reporting incidents to, 114–115
soliciting assistance of, 32, 43, 115
lawsuits, 524
LDF files, 247
leads, 95–116. See also indicators
acting on, 97–115
actionable leads, 34
analyzing, 96–97
“brittle,” 97
characteristics of good leads, 34, 96–97
considerations, 33, 65, 96
context of, 97
described, 96
detailed leads, 34
evaluating, 34
generating, 96
good vs. bad, 96
importance of, 33
initial, 33–34
relevant leads, 34
resolving external leads, 113–115
resolving internal leads, 113
turning into indicators, 98
type of, 97
legal liability, 7
legal representative, 524
legal role, 556
lessons learned document, 542–543
Libpff Project, 449–450
libpff tools, 30–32, 449, 450–452
libvshadow tool, 287
LiME (Linux Memory Extractor), 158–160
LinEN tool, 178
link files, 349–351
LINReS toolkit, 155
Linux kernel, 158–160, 193
Linux Memory Extractor (LiME), 158–160
Linux-based systems
application data, 424–425
disabling root account, 566
live data collection on, 155–163
logging system, 66
package managers, 425
pre-built distributions, 193–194
live data collection, 135–163. See also LRs
automated, 144
best practices, 141–144
on Linux-based systems, 155–163
live response toolkits, 145–150
overview, 136
performing live responses, 136–137
precautions, 140
preparing for, 141
tools for live responses, 137–139
on UNIX-based systems, 155–163
what to collect, 139–141
on Windows systems, 144–154
“live” media, 59
live responses. See LRs
LKMs (loadable kernel modules), 158
load balancers, 240
loadable kernel modules (LKMs), 158
load-order hijacking, 373–375
local domain, 392, 394–397
Local Security Authority (LSA), 331–332
Local Service account, 325
Local System account, 324–325
log analysis tools, 60
log files
access logs, 65–66
analyzing, 60
antivirus logs, 230
Apache servers, 241–242
application metering logs, 228–230
applications, 66
client connection logs, 244
common, 66
DHCP logs, 87, 217, 219
DHCP servers, 213
DNS logs, 223–225
error logs, 65–66, 245
event. See event logs
event logs, 65–66, 75, 527
firewall logs, 213, 562
firewalls, 213
IDS sensor logs, 213
IIS, 243–244
importance of, 65, 213
Mac. See Mac log files
McAfee VirusScan, 234–235
monitoring, 566–567
MySQL, 247–248
network events, 213–214
operating system, 66
Oracle database, 248–249
posturing actions, 526–527
proxy logs, 76
query logs, 245
retention of, 65–66
router logs, 213
SEP, 231–232
server logs, 213
system logs, 213
Trend Micro OfficeScan, 236–238
Unix-based, 219–220
web servers, 239–240
Windows. See Windows event logs
$LogFile log, 285–286
LogFileParser tool, 286
logging
of allowed connections, 562
applications, 66
considerations, 66, 527
full packet logging, 187–188
networks, 75–76
operating systems, 66
what to log, 66
logging regulations, 66
logging solutions, 65–66
logging systems, 65–66
logical images, 170–171
Logstash tool, 408
LR data, 38
LR tools
considerations, 137–139, 144
manual, 144
UNIX-based systems, 155–158
Windows systems, 145–150
LRs (live responses)
access restrictions, 143–144
analysis, 38, 59
capture/analysis, 59
capturing, 59
collecting data. See live data collection
considerations, 136–137
vs. forensic analysis, 7
overview, 37
tools for. See LR tools
when to perform, 136–137
LSA (Local Security Authority), 331–332
M
MAC addresses, 217
Mac artifacts
listed, 416–418
log files, 405–413
Mac log files, 405–413
Apple System Log, 406–413
hidden, 406
OpenBSM logs, 408
syslog, 406–413
Mac Memory Reader tool, 162
Mac OS–based systems, 381–419
Apple Mail, 452–453
Application Bundles, 394, 395
application data, 424
application installers, 415–416
Bonjour, 414
common scenarios, 416–418
core OS data, 392–416
data classification, 392–398
deleted files, 401–402
Developer site, 393
directories/subdirectories, 392–397
Directory Services, 398–401
file system, 392. See HFS+
file system services, 389–392
investigative questions, 416–418
LaunchAgents, 413–414
LaunchDaemons, 413–415
local domain, 392, 394–397
managed storage, 389–392
memory collection from, 161–163
network domain, 393
Outlook for Mac, 453–454
overview, 382
scheduled tasks/services, 413–415
sharepoints, 400–401
Spotlight, 389
system auditing/databases, 402–405
system domain, 393, 397
system/application logging, 405–413
Target Disk Mode, 180
trash, 401–402
user accounts, 399–400
user domain, 393, 397–398
user/service configuration, 398–401
MacBook Air, 180
MacPorts, 393, 397
magic files, 476
magic numbers, 475–479
Malcode analyst pack, 480
malicious binaries, 100–107
malicious code, 6
malicious libraries, 109–110
malicious software. See malware
malware
accessing malicious sites, 470–471
analyzing. See malware analysis
antiforensic techniques, 6
BKDNS, 10
considerations, 67, 466
destroying evidence of, 67
details about, 89
distribution of, 469–470
download/shell capabilities, 482
executing, 490–491
file extensions, 468
hard-coded, 482
intelligence feeds, 570
OS-specific, 6
preventing mishaps, 466–471
proxy, 10, 12
“proxy aware,” 74
runtime monitoring, 491–496
safely executing, 109 (also ch 16)
scheduled tasks and, 305–313
searching for, 264
sending to AV vendor, 67
storing, 468
Windows Services, 482
malware analysis
analyzing files, 473–488
described, 38
documentation, 468–469
dynamic, 489–496
examining strings, 479–482
file databases, 474–475
file headers, 475–479
static, 473–489
Malware Details Checklist, 89
malware detection, 88
malware triage, 465–497
analyzing. See malware analysis
configuration/process changes, 467–468
considerations, 426
documentation, 468–469
file databases, 474–475
goals of, 426
overview, 466
physical environment, 471
preventive measures, 466–471
risks, 466
safety steps, 467–468
triage environment, 471–473
virtual environment, 467, 471–473
malware-handling protocol, 466–471
Mandiant Memoryze for the Mac tool, 161–162
Mandiant Memoryze tool, 151–152, 154
Mandiant Redline tool. See Redline tool
Mantech MDD tool, 151
Master File Table. See MFT
McAfee VirusScan Enterprise, 233–236
MD5 checksums, 171–172
MD5 hashes, 100–101, 336, 474
md5deep tool, 474
MDD tool, 151
MDF files, 247
mean time to remediate (MTTR), 520
media
data storage on, 257
external, 38, 54, 55
internal, 55
“live,” 59
multimedia, 429
removable, 177
memory
capture/analysis, 59
considerations, 37–38
physical, 357–358
system, 141
memory collection
from Apple OS X, 161–163
from BSD-based kernels, 160–161
considerations, 37–38, 141
from Linux kernels, 158–160
UNIX-based systems, 158–163
Windows systems, 150–154
memory dumps, 151–154
memory forensics (Windows), 356–371
analyzing memory, 361–371
common in-memory attacks, 367–369
complete memory dump, 360
console command history, 366
crash dumps, 359–360
credentials, 366
handles, 362–363
hibernation files, 360
hooking, 368–369
kernel memory dump, 359
loaded drivers, 365
memory analysis tools, 282, 370–371
memory sections, 364–365
network connections, 365
overview, 356–357
pagefile analysis, 366–367
pagefile overview, 358–359
physical memory, 357–358
process injection, 367–368
processes, 361–362
small memory dump, 360
sources of evidence, 357–360
strings in memory, 366
Memoryze for the Mac tool, 161–162
Memoryze tool, 151–152, 154, 370
Message-Digest Algorithm 5. See MD5
metadata reporting, 505
methodology-based indicators, 98
MFT (Master File Table), 273–282
alternate data streams, 280–282
analyzing, 275–282
deleted files and, 275
file timestamps, 276–279
record structure, 274–275
resident data, 279–280
MFT entries, 274
mft2csv tool, 282
Microsoft Developer Network (MSDN), 476, 481
Microsoft DHCP logs, 219
Microsoft DHCP service, 217–219
Microsoft DNS servers, 222–224
Microsoft Outlook, 448–452
Microsoft Outlook for Mac, 453–454
Microsoft Process Monitor, 490, 491–493
Microsoft SQL (MSSQL), 246–247
Microsoft SQL Express, 245, 246
Microsoft userdump tool, 154
Microsoft website, 245
Microsoft Windows systems. See Windows systems
MIME (Multipurpose Internet Mail Extensions) format, 445–446
minidumps, 360
mission, defining, 50–51
mklink tool, 287
mobile devices, 56, 257, 411
monitoring
ad-hoc, 56–57
log files, 566–567
networks. See network monitoring
Process Monitor, 490, 491–493
Software License Monitoring, 225–228
Moonsols Windows Memory Toolkit, 151
most recently used. See MRU
Mozilla Firefox. See Firefox
Mozilla Thunderbird, 453
MPLS (Multiprotocol Label Switching), 195
MRU (most recently used) items, 343
MRU registry keys, 343–344
MSDN (Microsoft Developer Network), 476, 481
MSSQL (Microsoft SQL), 246–247
MTTR (mean time to remediate), 520
MUICache registry key, 341–342
multimedia, 429
Multiprotocol Label Switching (MPLS), 195
Multipurpose Internet Mail Extensions (MIME) format, 445–446
MySQL database, 247–248
N
named forks, 387–388
NAS devices, 170–171
National Institute of Standards and Technology. See NIST
National Software Reference Library (NSRL), 474, 475
NetAnalysis, 447
netcat command, 159–160
NetFlow data, 188
NetFlow emitters, 76
NetFlow probes, 188
NetWitness, 185, 192, 193
NetWitness Investigator, 211–212
network artifacts, 120
network data
data theft scenario, 197–204
webshell reconnaissance scenario, 205–211
network data analysis, 196–212
Network Details Checklist, 88–89
network devices, 257
network diagrams, 68, 69–72, 74, 89
network domain, 392, 393
network engineering role, 555
network events, 185–187, 213–214
network evidence, 183–214. See also network monitoring
analysis tools, 211–212
data analysis, 196–213
event logs, 213–214
log files, 213–214
overview, 184
scenarios, 196–211
network infrastructure services, 216–225
network instrumentation, 259
network monitoring. See also network evidence
considerations, 184
data theft scenario, 197–204
evaluation of, 196
event-based alerts, 185–187
full packet logging, 187–188
hardware for, 192–193
header captures, 188
investigating, 88–89
network events, 185–187, 213–214
network sensors, 184, 195, 196
overview, 56–57
platforms, 56–57
pre-built distributions, 193–194
reasons for, 184
setting up, 191–196
statistical modeling, 188–191
“traditional,” 184
types of, 185–191
webshell reconnaissance scenario, 205–211
webshell scenario, 205–211
network monitoring platforms, 56–57
Network Security Toolkit, 57
network sensors, 184, 195, 196
Network Service account, 325
network services, 76–77, 259
network-based indicators, 98
network-based IOCs, 41
networking gear accounts, 535
network-level DNS logging, 224–225
networks
access control, 69–74
anomalies, 263
configuration, 63, 68–77, 89
considerations, 69
details about, 88–89
disconnecting compromised systems, 565
documentation, 74–75
filtering traffic, 69–71
full-content capture systems, 75
instrumentation, 75–76
intrusion detection systems, 75
logging on, 75–76
monitoring. See network monitoring
netflow emitters, 76
performing hands-on survey, 64
segmentation, 69–74
traffic restrictions, 570
VLANs, 195
VPNs, 16–18, 71
Nirsoft Registry Analysis Tools, 349
NIST (National Institute of Standards and Technology), 4, 474
NIST Computer Forensic Tool Testing (CFTT), 59, 167
NIST Computer Security Resource Center, 69
NIST Information Technology Laboratory, 167
notes. See case notes
NSRL (National Software Reference Library), 474, 475
Nsrlquery tool, 475
NT File System. See NTFS
NTFS (NT File System), 273–289
change logs, 285–286
file system redirector, 288–289
INDX attributes, 282–285
Master File Table. See MFT
volume shadow copies, 286–288
NTLM hashes, 65
Ntsecurity.nu pmdump tool, 154
O
obfuscation techniques, 486
Offline Storage Table. See OST
OllyDbg debugger, 486–488
OllyDump plugin, 486–488
Open Source Basic Security Module. See OpenBSM
Open System for Communication in Real-time (OSCAR), 461
OpenBSM (Open Source Basic Security Module), 402
OpenBSM process audit log, 408
OpenIOC format, 34, 35, 36
OpenIOC language, 106
OpenSUSE, 425
operating systems. See also specific systems
artifacts, 120
evidence, 258
forensics software and, 59
live system duplication, 179–180
logging, 66
OS-specific data, 258
OS-specific malware, 6
type/version, 87
Oracle database, 248–249
Oracle website, 245
organizations
multinational, 49
preparing for incident response, 46–50
OSCAR (Open System for Communication in Real-time), 461
OST (Offline Storage Table), 449
OST files, 449–452
Outlook, 448–452
Outlook for Mac, 453–454
Outlook Web Access (OWA), 16, 17
outsourced IT, 48
OWA (Outlook Web Access), 16, 17
P
packed files, 486–488
packers, 486
packet logging, 187–188
pagefile, 358–359
parser-usnjrnl tool, 286
partition images, 170
password hashes, 12, 64, 65
passwords
administrators, 536
application-specific, 64
considerations, 64–65
credentials, 64–65
resetting, 64
suspected malware, 468
user accounts, 531, 534, 535, 541, 563–566
PATA drives, 174
patching program, 570
payment account data, 47
Payment Card Industry. See PCI
pccnt35.log file, 236–238
PCI (Payment Card Industry), 28
PCI data, 10, 47
PCI Data Security Standard (DSS), 13, 28, 66
PDF files, 15
PE (portable executable) files, 476, 477, 483–488
PEiD program, 483–484
penetration testing, 558, 570
Perl, 440, 441
Personal Folder File (PFF), 30, 449, 450
Personal Storage Table. See PST
personally identifiable information (PII), 47
PeView tool, 484–486
PFF (Personal Folder File), 30, 449, 450
PHP code, 483
physical environment, 471
physical memory, 357–358
PII (personally identifiable information), 47
plaso tool, 282
pmdump tool, 154
point-of-sale. See POS
policies, IR-related, 47–48
portable executable (PE) files, 476, 477, 483–488
ports
access to, 73
MacPorts, 393, 397
Windows, 71
POS (point-of-sale) software, 13
POS terminals, 13
positive control, 60
POST requests, 205, 238
posturing actions, 40, 526–529, 561–564
PowerBooks, 180
PowerGREP tool, 453
pre-built distributions, 193–194
prefetch files, 289–293
Prefetch Parser, 293
pre-incident preparation, 45–77
communication procedures, 51–53
defining mission, 50–51
deliverables, 53
global infrastructure issues, 49
host-based security, 49–50
identifying risk, 47
infrastructure, 61–77
IR team, 50–61
IR-related policies, 47–48
organization, 46–50
outsourced IT and, 48
performing hands-on survey, 64
resources for, 54–61
priorities, 91–93
privacy regulations, 49
privilege escalation, 20
process dumps
UNIX systems, 162–163
Windows systems, 154
Process Explorer, 491–495
process injection, 367–368
Process Monitor, 490, 491–493
process tracking, 301–302
project names, 52
proof, elements of, 90–91
property-based indicators, 98
protocol bridges, 173–174
proxies, 71
proxy logs, 76
proxy malware, 10, 12
proxy servers, 74, 76
PST (Personal Storage Table), 449
PST files, 449–452
public relations role, 555
Purdue University College of Technology, 54
PuTTY tool, 428–429
Python, 440, 441
Q
QExtract, 233
qualified forensic images, 172
quarantine files, 231, 233, 235–236, 238
query logs, 245
R
RAID controllers, 181
RAID images, 181
rainbow tables, 65
RAR archive, 13, 202
RAR/FTP data theft scenario, 197–204
RAT (remote access trojan), 15–19
RC4 algorithm, 10, 14
rcracki_mt tool, 65
RDP (Remote Desktop Protocol), 10
RDP connections, 10, 12, 21
RDP traffic, 14
real-world incidents, 3–22
RecentDocs registry key, 344–345
reconnaissance, internal, 20, 21
Recycle Bin, 353–356
Red Hat Enterprise Linux (RHEL), 425
Red Hat Package Manager. See RPM
Redline tool
analyzing memory, 370
collecting/parsing INDX records, 284–285
displaying browsing history, 430
overview, 145–148
persistent audits, 336, 337
Registry module, 348
registry. See Windows registry
Registry Decoder, 347
registry keys. See Windows registry keys
RegRipper tool, 227, 347
regulations, 49
remediation, 513–552
approaches to, 524–525
Attack Lifecycle, 544–546
basic concepts, 514–519
case study, 553–572
common mistakes, 550–551
comprehensive plans for, 514, 544–550
considerations, 554
containment actions, 515, 524–525, 529–532
containment plans, 15, 529–532, 556–561
determining timing of, 524–525
documenting lessons learned, 542–543
eradication activities. See eradication entries
goals of, 554
high-level steps, 515–517
importance of, 514
management support, 519
overview, 39–40
posturing actions, 40, 526–529, 561–564
pre-checks, 520
public scrutiny, 519
setting strategic direction, 568–571
strategic, 40
strategic recommendations, 541–542
tactical, 40
tasks, 25
technology issues, 518
timing considerations, 556
remediation actions
alerting attacker, 528–529
combined action, 525
delayed action, 524, 525
immediate action, 524
timing of, 518
verifying, 566
remediation effort
budget issues, 518–519
considerations, 545
critical factors, 517–519
leader of, 521–523
lessons learned, 543
success or failure of, 571–572
remediation owner, 521–523, 541
Remediation Planning Matrix, 544–550
remediation plans, 39–40
case study, 553–572
comprehensive, 514, 544–550
considerations, 514
described, 514
level of detail, 515
revisions, 514
remediation process flowchart, 515, 516
remediation steps, 88, 89
remediation team
assigning remediation owner, 521–523
authority, 27
considerations, 518
formation of, 520–524
leader, 27
lesson learned, 568–569
members of, 27, 523–524, 541
roles, 555
selection process, 555
setting strategic direction, 568–571
when to create, 520
Remote Access Policy, 48
remote access trojan (RAT), 15–19
Remote Desktop Connection utility, 346
Remote Desktop MRU registry key, 346
Remote Desktop Protocol. See RDP
remote procedure call (RPC) protocols, 71
removable media, 177
reports/reporting, 499–509
acronyms in, 503
analysis reports, 505, 506–508
clarity, 501
considerations, 42
content/organization, 505–508
date/time info, 505
examples of, 53
eye witness, 93
factual, 501
format, 504–505, 508
high-level goals, 501
importance of, 42, 53
improving writing skills, 502, 508–509
incident reports, 505–506
jargon in, 503
metadata reporting, 505
objectives of, 501
opinions in, 504
overview, 42
QA process, 508
reasons for, 500–501
reproducible results, 501
standards for, 501–508
style, 502–504
templates, 505
timely, 501
tips for writing, 502–505
types of, 53
reputation, 47
Request For Comments (RFC), 107–108
resources
computer, 24–25
IR team, 54–61
restore points, 286–288
RFC (Request For Comments), 107–108
RHEL (Red Hat Enterprise Linux), 425
risk, 32, 47, 55, 136
roles, 63
router logs, 213
RPC (remote procedure call) protocols, 71
RPM (RPM Package Manager), 425
RPM Package Manager. See RPM
RPM packages, 425
RPM-based distributions, 425
RSA NetWitness, 185, 192, 193
RSA NetWitness Investigator, 211–212
S
SAN devices, 170–171
sandboxes, 489–490
sanity checking, 269
SANS hash lookup, 475
SANS Institute, 54
SATA drives, 174
Sawmill tool, 408
sbag tool, 348
SchedLgU.txt log, 310–311
schtasks command, 307
SCM (Service Control Manager), 302–303, 327–328
scope/scoping process, 117–131
ACH fraud scenario, 127–130
considerations, 28
customer data loss scenario, 122–127
determining course of action, 121
examining initial data, 119
overview, 118
questions to ask during, 121
reviewing preliminary evidence, 120–121
unwise paths, 126–127, 130
SDLC (software development lifecycle), 569
search engines, 475
search utilities, 59
search-order hijacking, 373–375
sectors, 167, 168, 171
Secure Sockets Layer (SSL), 205–209, 239
security
educating users, 49–50
host-based, 49–50
improving, 68
security administrators, 569
security breaches, 8
security incidents. See incidents
Security Information and Event Management (SIEM) utility, 17
Security Onion (SO), 57, 193–194
security policies. See policies
Security Technical Implementation Guides (STIGs), 62
SED (Self-Encrypting Drive), 54
segmentation, 69–74
Self-Encrypting Drive (SED), 54
SEP (Symantec Endpoint Protection), 231–233
server logs, 213
servers
Apache, 240–242
BIND, 221
blocking access, 530, 563
critical, 563
data storage on, 257
database, 244–249
DHCP, 76, 213, 217, 219–220
DNS, 220
e-mail, 51, 52
jump, 10
Microsoft DNS, 222–224
posturing actions, 563
proxy, 74, 76
retiring legacy server, 567
user-installed software, 50
web. See web servers
Windows Server 2008, 218
Windows Server 2012, 218
service accounts, 535
Service Control Manager (SCM), 302–303, 327–328
service level agreements (SLAs), 48
services, 63. See also Windows Services
Sethc IS Debugger indicator, 105–106
SetRegTime tool, 318
SHA hashes, 474
SHA1 checksums, 171–172
shadow copies, 286–288
Shadow Explorer, 287
shared libraries, 473–474
sharepoints node, 400–401
shell extensions, 332–333
shellbag registry keys, 338–340
shellbags.py script, 348
Shim Cache, 322–324, 348
ShimCacheParser, 348
SIEM (Security Information and Event Management) utility, 17
Simple Object Access Protocol (SOAP), 455
single-factor authentication, 12
sinkholes, 565
“situational awareness,” 40–42
Skype, 456–459
SLAs (service level agreements), 48
Sleuth Kit, 282
SLM (Software License Monitoring), 225–228
SLM data, 225–228
SMEs (subject matter experts), 7, 523
S/MIME certificates, 52
snapshots, 286–288, 467
Snare for Windows, 66
Snort resources, 111
Snort tool, 185, 186
SO (Security Onion) distribution, 57, 193–194
SOAP (Simple Object Access Protocol), 455
software
antivirus, 230–238
performing hands-on survey, 64
security solutions, 57–60
user-installed, 50
software development lifecycle (SDLC), 569
Software License Monitoring. See SLM
Solera Networks, 192, 193
solid state drives (SSDs), 167
source data, 86
Sourcefire package, 185
spear phishing, 15, 445
Splunk tool, 408
Spotlight indexer, 389
SQL (Structured Query Language), 9
SQL injection, 9, 208, 211
SQL Server Express, 245, 246
SQL Server Forensic Analysis, 246
SQL Server Management Studio (SSMS), 246
SQLite Database Browser, 440, 441–445
SQLite databases, 440, 455
SQLite format, 455
SQLite Manager extension, 440, 441–445
sqlite3, 440, 441
SQLiteSpy, 457
sqlmap tool, 208
SSDs (solid state drives), 167
SSH authentication, 566
SSL (Secure Sockets Layer), 205–209, 239
SSMS (SQL Server Management Studio), 246
stakeholders, 63
standard accounts, 535
startup file, 389
startup folders, 371–372
statements, documenting, 113
static analysis, 473–489
static drives, 175
statistical analysis, 266–267
statistical modeling, 188–191
Sticky Keys attack, 373
STIGs (Security Technical Implementation Guides), 62
strategic recommendations, 541–542
strategic remediation activities, 40
strike zone, 538
Structured Query Language. See SQL
subject matter experts (SMEs), 7, 523
subpoenas, 113, 114
Suricata tool, 185
survey, performing, 64
suspicious events, 25
Symantec Endpoint Protection (SEP), 231–233
SysInternals streams, 281
SysInternals strings, 480
syslog, 406–413
system administrators. See administrators
system artifacts, 120
System Details Checklist, 87–88
system domain, 392, 393, 397
system logs, 213
system memory, 141. See also memory
systems
access to, 63
assets. See assets
business unit, 63
categorization, 36
compromised, 565
contact information, 63
critical information on, 88
date provisioned, 63
details about, 87–88
disconnecting from network, 565
hands-on survey, 64
host name/domain, 87
identifying systems of interest, 36–37
improving security, 68
information about, 63
instrumentation mechanisms, 65–67
list of affected systems, 41
live system duplication, 179–180
make/model, 87
ownership of, 63
patching program, 570
penetration testing, 558, 570
physical location, 63, 87
primary function of, 87
prioritization, 36–37
rebuilding, 562
roles, 63
services, 63
validation, 36
systems engineering role, 555
T
Tableau Forensic Products, 174
tables, rainbow, 65
tactical remediation activities, 40
Target Disk Mode, 180
Task Scheduler service logs, 308
TCP headers, 188
TCP port 80, 570
tcpdump tool, 187–188
TCP/IP connections, 220
team coordination, 49
teams. See IR team; remediation team
technology issues, 518
theft of sensitive data, 8, 15–19
ThreatExpert DB, 474, 475
ticketing system, 84
time stomping, 277, 278, 318
time zones, 83
timelines, attack, 90–91
timestamps, 276–279, 305, 317–318
TNS (Transparent Network Substrate) listener, 249
tools, tactics, and procedures (TTPs), 537
traffic filtering, 69–74
training, 49–50, 54. See also education
Transparent Network Substrate (TNS) listener, 249
Trash (Mac), 401–402
Trend Micro OfficeScan, 236–238
TTPs (tools, tactics, and procedures), 537
two-factor authentication, 71, 562, 569
TypedURLs registry key, 345–346
Tyson, Neil deGrasse, 254
U
UAC (User Access Control), 143
Ubuntu distributions, 425
UDP headers, 188
Ultimate Boot CD, 176
Unicode strings, 479
Uniform Resource Locators (URLs), 345–346, 430
Unix-based logging services, 219–220
Unix-based systems
categories of data, 156–157
considerations, 192–193
live data collection on, 155–163
logging system, 66
memory collection, 158–163
process dumps, 162–163
versions, 158
Update Sequence Number (USN) journal, 285
URLs (Uniform Resource Locators), 345–346, 430
U.S. Department of Defense Computer Forensics Laboratory (DCFL), 176
USB drives, 174
User Access Control (UAC), 143
user accounts
administrator accounts, 535
application accounts, 535
compromised, 41
database accounts, 535
eradication event and, 535–536
networking gear accounts, 535
passwords. See passwords
service accounts, 535
standard, 535
types of, 535–536
user data, 259
user domain, 393, 397–398
user hive registry keys, 338–346
user-agent strings, 208
UserAssist registry key, 340–341
UserAssist tool, 348
userdump tool, 154
users
considerations, 49–50
educating, 49–50
host-based security and, 49–50
passwords, 531, 534, 535, 541, 563–566
posturing actions, 562
requiring new accounts for, 562
USN (Update Sequence Number) journal, 285
$UsnJrnl log, 286
UTC (Coordinated Universal Time), 83
V
VAD (Virtual Address Descriptor) tree, 364
validation, 60
verification
described, 60
indicators, 111–112
Virtual Address Descriptor (VAD) tree, 364
virtual desktops, 257
virtual environments, 56, 467, 471–473
virtual machines, 181–182, 467, 471, 472
virtual private networks. See VPNs
VirtualBox, 472
VirusScan Enterprise, 233–236
VirusTotal DB, 474, 475
VLAN traffic, 195
VMware Workstation, 472–473
Voice over IP (VoIP) clients, 456
voicemail artifacts, 457–459
VoIP (Voice over IP) clients, 456
Volatility Framework tool, 328, 370–371
Volume Shadow Copy (VSC) service, 286–288
VPN logs, 16
VPN traffic, 17, 71
VPNs (virtual private networks), 16, 18
VSC (Volume Shadow Copy) service, 286–288
VSC Toolset, 287
VSEncode.exe utility, 238
vssadmin tool, 287
W
W3C Extended Log File Format, 243–244
web applications, 429–463
browsers. See web browsers
e-mail clients, 445–454
instant messaging. See IM clients
web browsers, 429–445
artifacts, 430
cache, 430
Chrome, 437–441
cookies, 430
Firefox, 441–445
history, 430
Internet Explorer, 431–437
web content, 240
web mail services, 446–448
web pages, 429
web proxies, 71
web servers
enterprise services, 238–244
evidence provided by, 239–240
load balancers, 240
log files, 239–240
overview, 238–240
webshell reconnaissance scenario, 205–211
WER (Windows Error Reporting), 360
wevtutil utility, 308
WFP (Windows File Protection), 373
whitelisting, 563, 569–570
WiebeTech Forensic UltraDock, 174–175
Windows 8 systems, 273
Windows administrator accounts, 566
Windows artifacts
INDX attributes, 282–285
interactive sessions, 349–356
Jump Lists, 351–353
link files, 349–351
listed, 376–379
memory-related. See Memory Forensics
MFT. See MFT
NTFS, 273–289
prefetch files, 289–293
Recycle Bin, 353–356
scheduled tasks, 305–313
Windows Cache Manager, 289
Windows Credential Editor, 303
Windows directories, 282–285
Windows Error Reporting (WER), 360
Windows event logs, 294–305
account/security settings changes, 300
analysis, 295–305
application log, 294
event IDs, 295–296
evidence, 294–295
investigating lateral movement, 298–300
log analysis tips, 303–304
log analysis tools, 304–305
logon events, 296–298
process tracking, 301–302
SchedLgU.txt log, 310–311
scheduled tasks in, 312–313
SCM logs, 302–303
security log, 294
system log, 294
task scheduler logs, 308
timestamps, 305
Windows services, 302–303
Windows Event Viewer, 305
Windows File Protection (WFP), 373
Windows files
identifying deleted files, 275
resident data, 279–280
restore points, 286–288
shadow copies, 286–288
snapshots, 286–288
timestamps, 276–279
Windows Memory Toolkit, 151
Windows ports, 71
Windows Recycle Bin directory, 227
Windows registry, 313–349
analysis tools, 347–349
analyzing evidence, 319–346
auto-run keys, 324–338
configuration data, 423
considerations, 313
general investigation, 428, 429
hives, 315, 316–317
introduction to, 314
mappings, 316–317
purpose of, 313
reflection/redirection, 318–319
Registry Decoder, 347
RegRipper tool, 347
root registry keys, 316
Shim Cache, 322–324
sources of evidence, 314–319
system configuration registry keys, 319–322
timestamps, 317–318
uninstall information, 423
Windows Registry Decoder, 347
Windows registry keys
Active Setup, 329–330
application data in, 423
artifacts, 120
auto-run, 324–338
Browser Helper Objects, 332
considerations, 428, 429
identifying malicious auto-runs, 334–338
KnownDLLs, 373–375
LSA packages, 331–332
Most Recently Used keys, 343–344
MUICache, 341–342
RecentDocs, 344–345
Run/RunOnce keys, 328–329
shell extensions, 332–333
shellbag, 338–346
timelining, 336–338
TypedURLs, 345–346
user hive, 338–346
UserAssist, 340–341
Winlogon GINA, 333
Winlogon Notification, 333
Winlogon Shell, 334
Winlogon Userinit, 334
WS, 324–327
Windows Resource Protection (WRP), 373
Windows Server 2008, 218
Windows Server 2012, 218
Windows Service Control Manager (SCM), 327–328
Windows Services
analyzing, 302–303
logon accounts, 324–325
malware, 482
privileged domain accounts for, 324–325
registry key, 324–327
runtime analysis of, 327–328
Windows systems, 271–380
32-bit applications, 288–289, 318–319
64-bit applications, 288–289, 318–319
account/security settings changes, 300
application data, 423
common scenarios, 376–379
deleted files/directories, 275
event logs. See Windows event logs
file system. See NTFS
forensics overview, 272–273
investigating lateral movement, 298–300
investigative questions, 376–379
Jump Lists, 351–353
link files, 349–351
live data collection on, 144–154
load-order hijacking, 373–375
logging system, 66
memory collection, 150–154
memory forensics. See Memory Forensics
persistence mechanisms, 371–375
prefetch files, 289–293
process dumps, 154
process tracking, 301–302
recurring tasks, 372
Recycle Bin, 353–356
registry. See Windows registry
scheduled tasks, 305–313
startup folders, 371–372
Sticky Keys attack, 373
system binary modification, 372–373
uninstallation, 423
Windows Task Scheduler, 305–313
Windows WoW64 subsystem, 318–319
WinMD5 tool, 474
WinPrefetchView tool, 293
WinPrefetchView utility, 292
Wireshark tool, 495–496
data theft scenario, 196, 198–204
resources, 211
webshell reconnaissance scenario, 205–211
workstation communications, 73–74
write blocker hardware, 173–175
WRP (Windows Resource Protection), 373
X
XFF (X-Forwarded-For) header, 240
X-Forwarded-For (XFF) header, 240
XML (Extensible Markup Language), 35, 455
Y
YARA format, 34, 35, 36
Z
Zero Configuration Networking, 414