A
Acceptable Use Policy (AUP), 48
access control
live response collection, 143–144
access control lists (ACLs), , 571
Access Data FTK. See FTK
AccessData FTK Imager Lite, 152–154, 178–179
accounts. See user accounts
ACH (automated clearing house) scenario, 127–130, 530–532
ACLs (access control lists), , 531, 571
administrators
ADS (alternate data streams), 280–282
Advanced Forensic Framework format (AFF), 171–172
Advanced Packaging Tool (apt), 425
AFF (Advanced Forensic Framework format), 171–172
AIM (AOL Instant Messenger), 461–463
alerts
alternate data streams (ADS), 280–282
Altiris Client Management Suite, 228–230
America Online Instant Messenger. See AIM
analysis methodology, 253–270
categories of evidence, 258–259
defining objectives, 254–256
manual inspection of data, 265–266
statistical analysis, 266–267
types of analysis methods, 265–269
analysis reports, 505, 506–508
analyzing data. See data analysis
ancillary teams, 27. See also IR team
anomaly-based indicators, 98
Antivirus Quarantine, 231
antivirus software, 230–238
antivirus (AV) solutions, 67
AOL Instant Messenger (AIM), 461–463
Apache HTTP server, 240–242
Apple Examiner website, 158
Apple Mac OS. See Mac OS–based systems
Apple System Log (ASL), 406–413
application accounts, 535
application data, 422–425
application engineering role, 555
application metering logs, 228–230
browsers. See web browsers
enterprise management, 225–230
investigation methods, 425–429
messaging. See IM clients
monitor execution of, 427
performing hands-on survey, 64
retiring legacy application, 567
support/message boards, 426
web. See web applications
apt (Advanced Packaging Tool), 425
artifacts
Mac. See Mac artifacts
Windows. See Windows artifacts
ASL (Apple System Log), 406–413
assets
Attack Lifecycle, 19–22, 544–546
attacks. See incidents
AUP (Acceptable Use Policy), 48
authentication
administrator accounts, 569
AutoComplete for Internet Explorer, 436
automated clearing house (ACH) scenario, 127–130, 530–532
automation
dynamic analysis, 489–490
automounting devices, 177
AV. See antivirus
B
backdoor malware
BackTrack project, 59, 176
backups
eradication events and, 536
BASH (Bourne-again Shell), 156
Berkeley Internet Name Domain (BIND), 220, 221
BHOs (Browser Helper Objects), 332
binaries, malicious, 100–107
BIND (Berkeley Internet Name Domain), 220, 221
Bourne-again Shell (BASH), 156
“brand” damage,
brick and mortar merchants, 11
Browser Helper Objects (BHOs), 332
BrowsingHistoryViewer, 430
BSD-based kernels, 160–161
.bup (BUP) extension, 235
BUP (.bup) extension, 235
business operations role, 555
C
cache
Internet Explorer, 432, 435–436
card present transaction, 11
cardholder data theft, , –15
Carnegie Mellon Software Engineering Institute, 54
case studies
cardholder data theft, , –15
theft of sensitive data, , 15–19
catalog node ID (CNID), 387
CFTT (Computer Forensic Tool Testing), 59, 167
checklists, investigation, 83–89
checksums, cryptographic, 171–172
CIA (Confidentiality, Integrity, and Availability),
CLF (Common Log Format), 241–242
client connection logs, 244
CNID (catalog node ID), 387
command-and-control (C2) data, 10
Common Log Format (CLF), 241–242
communications
with external parties, 52–53
pre-incident preparations, 51–53
Communications Security (ComSec) issues, 51–52
computer crimes,
Computer Forensic Tool Testing (CFTT), 59, 167
Computer Forensics Tools Verification project, 167
Computer Fraud and Abuse Act, 471
computer intrusions,
Computer Security Incident Handling Guide,
computer security incidents. See incidents
Computer Security Resource Center (CSRC),
computers
laptop. See laptop computers
computing devices. See devices
computing resources, 24–25
ComSec (Communications Security) issues, 51–52
confidential information, 47
Confidentiality, Integrity, and Availability (CIA),
configuration
containment, temporary, 566
Cookie Viewer for Internet Explorer, 436
cookies
Coordinated Universal Time (UTC), 83
CreateFile operations, 493
credential compromise, 73
cryptographic checksums, 171–172
cryptographic hashes, 474
CSRC (Computer Security Resource Center),
customer data loss scenario, 122–127
cybercrime,
cyber-espionage,
Cygwin environment, 476–478
D
data
analyzing. See data analysis
application. See application data
cardholder, , –15
collection. See data collection
duplication of. See forensic duplication
list of accessed data, 41
manual inspection of, 265–266
personally identifiable, 47
representation of, 261–262
analyzing evidence, 38–39
data theft scenario, 197–204
defining objectives, 254–256
live response analysis, 38
methodology. See analysis methodology
outlining approach to, 263–264
selecting analysis method, 265–269
webshell reconnaissance scenario, 205–211
data collection
enterprise services. See enterprise services
forensic duplication, 165–182
live. See live data collection
data loss scenario, 122–127
data protection hardware, 54–55
Data Security Standard (DSS), 13, 28, 66
data theft
cardholder data, , –15
RAR/FTP scenario, 197–204
sensitive projects, , 15–19
database servers, 244–249
databases
enhancing security of, 571
DC3 (Defense Cyber Crime Center), 176
DCFL (Department of Defense Computer Forensics Laboratory), 176
DCOs (Drive Configuration Overlays), 168, 170
Debian-based distributions, 425
Defense Cyber Crime Center (DC3), 176
Defense Industrial Base Cyber Security/Information Assurance (DIB-CS/IA), 115
Defense Information Systems Agency (DISA), 62
demilitarized zone. See DMZ
Department of Defense Computer Forensics Laboratory (DCFL), 176
detection, incident, 85–86
devices. See also assets; hardware
performing hands-on survey, 64
as potential targets,
DHCP (Dynamic Host Configuration Protocol), 216–220
DIB-CS/IA (Defense Industrial Base Cyber Security/Information Assurance), 115
Digital Detective NetAnalysis, 430
Directory Services, 398–401
DISA (Defense Information Systems Agency), 62
disaster recovery plans, 258, 470
discovery, subpoenas for performing, 114
disk images. See forensic images; images
diskarbitrationd daemon, 177
disks, hard. See hard drives
DLL load-order hijacking, 373–375
DLL search-order hijacking, 10
DMZ (demilitarized zone), , 205
DMZ firewalls,
DNS (Domain Name System), 220–225
DNS blackholes, 76–77, 565
documentation
evidence. See evidence
internal knowledge repository, 60–61
malware analysis, 468–469
Domain Name System. See DNS
dpkg package manager, 425
Drive Configuration Overlays (DCOs), 168, 170
DSS (Data Security Standard), 13, 28, 66
dynamic analysis, 489–496
Dynamic Host Configuration Protocol. See DHCP
E
E2EE (end-to-end encryption), 13
education, 49–50, 54. See also training
EIDs (event IDs), 218, 295–296
e-mail
encryption
endpoint traffic filtering, 73–74
end-to-end encryption (E2EE), 13
enterprise assets, 181–182
enterprise management applications, 225–230
enterprise resources planning (ERP) configuration, 71
enterprise services, 215–250
Altiris Client Management Suite, 228–230
antivirus software, 230–238
application support, 225–230
database servers, 244–249
LANDesk Management suite, 225–228
eradication actions, 532–537, 564–568
eradication event
communications during, 541
initial infection vector and, 567
mitigating attacker access, 533–534
strategic recommendations, 541–542
verifying remedial activities, 540–541
eradication plans
ERP (enterprise resources planning) configuration, 71
ESE (Extensible Storage Engine) format, 14–15, 432, 434–435
event IDs (EIDs), 218, 295–296
event logs, 65–66, 75, 527. See also log files
event-based alerts, 185–187
events
described,
vs. incidents,
evidence
determining course of action, 122
forensic disk images. See forensic images
list of evidence collected, 41
live response. See LRs
logs. See log files
network. See network evidence
provided by web servers, 239–240
evidence collection guidelines, 60
EVT files. See Windows event logs
EWF (Expert Witness format), 171, 172
Expert Witness format (EWF), 171, 172
Extensible Markup Language (XML), 455
Extensible Storage Engine (ESE) format, 14–15, 432, 434–435
extents overflow file, 387
external communications, 52–53
F
FDE (full disk encryption) products, 54
FHS (Filesystem Hierarchy Standard), 424
file system redirector, 288–289
file system services (Mac), 389–392
file systems
Mac. See HFS+
Windows. See NTFS
file transfer proxies, 71
files
Windows. See Windows files
Filesystem Hierarchy Standard (FHS), 424
Financial Services Information Sharing and Analysis Center (FS-ISAC), 115
firewalls
DMZ, 9
forensic duplication, 165–182
“complete disk image,” 168–170
vs. simple duplication, 166
virtual machines, 181–182
forensic examination suites, 59
forensic images, 38, 39. See also images
“complete disk image,” 168–170
duplicating enterprise assets, 181–182
forensic duplication, 166
image creation tools, 175–179
live system duplication, 179–180
traditional duplication, 173–179
“forensically sound” software, 58
forensics hardware, 54–57
for network monitoring, 192–193
network monitoring platforms, 56–57
performing hands-on survey, 64
for use at the office, 56
Forensics Prefetch-Parser, 293
forensics software, 57–60
forensic examination suites, 59
live response capture/analysis, 59
FreeBSD operating system, 192–193
FS-ISAC (Financial Services Information Sharing and Analysis Center), 115
FTK Imager Lite, 152–154, 178–179
FTP/RAR data theft scenario, 197–204
full disk encryption (FDE) products, 54
full packet logging, 187–188
full-content capture systems, 75
G
gdb (GNU debugger), 162–163
GH0ST RAT backdoor, 15–19
GINA (Graphical Identification and Authentication) service, 333
global infrastructure issues, 49
GNU debugger (gdb), 162–163
Google Chrome web browser. See Chrome
Graphical Identification and Authentication (GINA) service, 333
Guidance Software EnCase, 178
H
hard drives
forensic duplication and, 167
hardware, 54–57. See also devices
for network monitoring, 192–193
network monitoring platforms, 56–57
performing hands-on survey, 64
for use at the office, 56
Hardware Write Blockers, 173–175
hashes
Hexacorn forensics blog, 291
HFS+ (Hierarchical File System) file system, 382–392
file system services, 389–392
Hierarchical File System. See HFS+
HIPS (host intrusion prevention system) solutions, 67
History and Cookie Viewer for Internet Explorer, 436
History Viewer for Internet Explorer, 436
Hopkins University Information Security Institute, 54
host intrusion prevention system (HIPS) solutions, 67
host-based indicators, 98, 100–106
host-based IOCs, 41, 100–106
host-based security, 49–50
HTML (Hypertext Markup Language), 429, 455, –463
HTTP (Hypertext Transfer Protocol), 238–240, 570
Hypertext Markup Language. See HTML
Hypertext Transfer Protocol. See HTTP
I
ICS (Industrial Control System), 523
IDSs (intrusion detection systems), 75
IEF (Internet Evidence Finder), 430, 447, 460–461
IIS (Internet Information Services), 242–244, 569
image creation tools, 175–179
images. See also forensic images
image creation tools, 175–179
Incident Detection Checklist, 85–86
incident reports, 505–506
incident response. See IR
incident response lifecycle, 32, 33
Incident Summary Checklist, 84–85
incidents
attack lifecycle, 19–22, 544–546
containing. See containment plans
different tiers of,
vs. events,
Incident Summary Checklist, 84–85
initial infection vector, 567
intrusions, seven stages of, 19–22
number of,
preparing for. See pre-incident preparation
real-world, –22
remediation. See remediation
reporting to law enforcement, 114–115
scope of. See scope
indicators. See also leads
data common to environment, 112
data relevant to, 111–112
generation of, 59, 98–112
network-based, 98, 106–111
Sethc IS Debugger, 105–106
indicators of compromise. See IOCs
Industrial Control System (ICS), 523
information. See data
infrastructure, 49, 61–77
initial infection vector, 567
instant message. See IM
instrumentation, 75–76, 427
instrumentation data, 427
instrumentation mechanisms, 65–67
internal communications, 51–52
internal knowledge repository, 60–61
Internet
disconnecting environment from, 564–565
Internet Evidence Finder (IEF), 430, 447, 460–461
Internet Examiner Toolkit, 447
Internet Explorer (IE), 332, 431–437
Internet Information Services (IIS), 242–244, 569
Internet Systems Consortium (ISC) DHCP servers, 219–220
Internet Usage Policy, 48
intrusion detection systems. See IDSs
intrusion prevention systems, 67
investigation team role, 555
investigations
collecting initial facts, 82–89, 118, 119
developing/following leads, 65–68
evidence. See evidence
identifying systems of interest, 36–37
leads. See leads
Mac. See Mac OS–based systems
management expectations, 92
multinational organizations, 49
“situational awareness,” 40–42
Windows. See Windows systems
investigative objectives, 254–256
investigative reports. See reports/reporting
IOCs (indicators of compromise)
IP addresses
recording information about, 87
IR (incident response)
activities, –6
current state of, –7
evolution of,
geographical location,
importance of,
individuals involved with, 26–31
overview, –6
preparing for. See pre-incident preparation
IR investigations. See investigations
IR management handbook, 23–43
investigation. See investigations
remediation. See remediation
tracking of significant information, 40–42
IR team
authority to conduct searches, 27
considerations, 27–28, 50
hardware solutions for, 54–57
preparing for incident response, 50–61
software solutions for, 57–60
IR team members
list of ongoing/requested tasks for, 41
ISC (Internet Systems Consortium) DHCP servers, 217, 219–220
IT functions, outsourced, 48
J
JavaScript Object Notation. See JSON
JSON (JavaScript Object Notation) format, 441–442, 460
K
Kerberos authentication events, 300
Kernel Patch Protection (KPP), 369
knowledge repository, 60–61
KnownDLLs registry key, 373–375
KPP (Kernel Patch Protection), 369
L
LANDesk Management suite, 225–228
laptop computers
law enforcement
reporting incidents to, 114–115
soliciting assistance of, 32, 43, 115
leads, 95–116. See also indicators
characteristics of good leads, 34, 96–97
resolving external leads, 113–115
resolving internal leads, 113
turning into indicators, 98
legal liability,
legal representative, 524
lessons learned document, 542–543
LiME (Linux Memory Extractor), 158–160
Linux Memory Extractor (LiME), 158–160
Linux-based systems
application data, 424–425
disabling root account, 566
live data collection on, 155–163
pre-built distributions, 193–194
live data collection, 135–163. See also LRs
on Linux-based systems, 155–163
live response toolkits, 145–150
performing live responses, 136–137
tools for live responses, 137–139
on UNIX-based systems, 155–163
on Windows systems, 144–154
live responses. See LRs
LKMs (loadable kernel modules), 158
loadable kernel modules (LKMs), 158
load-order hijacking, 373–375
Local Security Authority (LSA), 331–332
Local Service account, 325
Local System account, 324–325
log files
application metering logs, 228–230
client connection logs, 244
event. See event logs
Mac. See Mac log files
McAfee VirusScan, 234–235
posturing actions, 526–527
Trend Micro OfficeScan, 236–238
Windows. See Windows event logs
logging
of allowed connections, 562
full packet logging, 187–188
LR tools
UNIX-based systems, 155–158
LRs (live responses)
access restrictions, 143–144
collecting data. See live data collection
vs. forensic analysis,
tools for. See LR tools
LSA (Local Security Authority), 331–332
M
Mac artifacts
Apple System Log, 406–413
Mac Memory Reader tool, 162
Mac OS–based systems, 381–419
application installers, 415–416
common scenarios, 416–418
data classification, 392–398
directories/subdirectories, 392–397
Directory Services, 398–401
file system, 392. See HFS+
file system services, 389–392
investigative questions, 416–418
memory collection from, 161–163
scheduled tasks/services, 413–415
system auditing/databases, 402–405
system/application logging, 405–413
user/service configuration, 398–401
Malcode analyst pack, 480
malicious binaries, 100–107
malicious code,
malicious libraries, 109–110
malicious software. See malware
malware
accessing malicious sites, 470–471
analyzing. See malware analysis
antiforensic techniques,
destroying evidence of, 67
distribution of, 469–470
download/shell capabilities, 482
OS-specific,
preventing mishaps, 466–471
runtime monitoring, 491–496
safely executing, 109 (also ch 16)
scheduled tasks and, 305–313
malware analysis
examining strings, 479–482
Malware Details Checklist, 89
analyzing. See malware analysis
configuration/process changes, 467–468
physical environment, 471
preventive measures, 466–471
triage environment, 471–473
virtual environment, 467, 471–473
malware-handling protocol, 466–471
Mandiant Memoryze for the Mac tool, 161–162
Mandiant Memoryze tool, 151–152, 154
Mandiant Redline tool. See Redline tool
Master File Table. See MFT
McAfee VirusScan Enterprise, 233–236
mean time to remediate (MTTR), 520
media
memory
memory collection
from BSD-based kernels, 160–161
considerations, 37–38, 141
from Linux kernels, 158–160
UNIX-based systems, 158–163
memory forensics (Windows), 356–371
analyzing memory, 361–371
common in-memory attacks, 367–369
complete memory dump, 360
console command history, 366
memory analysis tools, 282, 370–371
pagefile analysis, 366–367
pagefile overview, 358–359
process injection, 367–368
sources of evidence, 357–360
Memoryze for the Mac tool, 161–162
Message-Digest Algorithm 5. See MD5
methodology-based indicators, 98
MFT (Master File Table), 273–282
alternate data streams, 280–282
record structure, 274–275
Microsoft Developer Network (MSDN), 476, 481
Microsoft DHCP service, 217–219
Microsoft DNS servers, 222–224
Microsoft Outlook, 448–452
Microsoft Outlook for Mac, 453–454
Microsoft Process Monitor, 490, 491–493
Microsoft SQL (MSSQL), 246–247
Microsoft SQL Express, 245, 246
Microsoft userdump tool, 154
Microsoft Windows systems. See Windows systems
MIME (Multipurpose Internet Mail Extensions) format, 445–446
monitoring
networks. See network monitoring
Software License Monitoring, 225–228
Moonsols Windows Memory Toolkit, 151
most recently used. See MRU
Mozilla Firefox. See Firefox
MPLS (Multiprotocol Label Switching), 195
MRU (most recently used) items, 343
MRU registry keys, 343–344
MSDN (Microsoft Developer Network), 476, 481
MSSQL (Microsoft SQL), 246–247
MTTR (mean time to remediate), 520
MUICache registry key, 341–342
Multiprotocol Label Switching (MPLS), 195
Multipurpose Internet Mail Extensions (MIME) format, 445–446
N
National Institute of Standards and Technology. See NIST
National Software Reference Library (NSRL), 474, 475
NetWitness Investigator, 211–212
network data
data theft scenario, 197–204
webshell reconnaissance scenario, 205–211
network data analysis, 196–212
Network Details Checklist, 88–89
network engineering role, 555
network events, 185–187, 213–214
network evidence, 183–214. See also network monitoring
network infrastructure services, 216–225
network instrumentation, 259
network monitoring. See also network evidence
data theft scenario, 197–204
event-based alerts, 185–187
full packet logging, 187–188
network events, 185–187, 213–214
pre-built distributions, 193–194
statistical modeling, 188–191
webshell reconnaissance scenario, 205–211
webshell scenario, 205–211
network monitoring platforms, 56–57
Network Security Toolkit, 57
Network Service account, 325
network services, 76–77, 259
network-based indicators, 98
networking gear accounts, 535
network-level DNS logging, 224–225
networks
disconnecting compromised systems, 565
full-content capture systems, 75
intrusion detection systems, 75
monitoring. See network monitoring
performing hands-on survey, 64
traffic restrictions, 570
Nirsoft Registry Analysis Tools, 349
NIST (National Institute of Standards and Technology), , 474
NIST Computer Forensic Tool Testing (CFTT), 59, 167
NIST Computer Security Resource Center, 69
NIST Information Technology Laboratory, 167
notes. See case notes
NSRL (National Software Reference Library), 474, 475
NT File System. See NTFS
NTFS (NT File System), 273–289
file system redirector, 288–289
Master File Table. See MFT
volume shadow copies, 286–288
Ntsecurity.nu pmdump tool, 154
O
obfuscation techniques, 486
Offline Storage Table. See OST
OllyDbg debugger, 486–488
Open Source Basic Security Module. See OpenBSM
Open System for Communication in Real-time (OSCAR), 461
OpenBSM (Open Source Basic Security Module), 402
OpenBSM process audit log, 408
operating systems. See also specific systems
forensics software and, 59
live system duplication, 179–180
OS-specific malware,
organizations
preparing for incident response, 46–50
OSCAR (Open System for Communication in Real-time), 461
OST (Offline Storage Table), 449
Outlook Web Access (OWA), 16, 17
OWA (Outlook Web Access), 16, 17
P
passwords
Payment Card Industry. See PCI
pccnt35.log file, 236–238
PCI (Payment Card Industry), 28
PCI Data Security Standard (DSS), 13, 28, 66
PE (portable executable) files, 476, 477, 483–488
Personal Folder File (PFF), 30, 449, 450
Personal Storage Table. See PST
personally identifiable information (PII), 47
PFF (Personal Folder File), 30, 449, 450
physical environment, 471
PII (personally identifiable information), 47
point-of-sale. See POS
policies, IR-related, 47–48
portable executable (PE) files, 476, 477, 483–488
ports
POS (point-of-sale) software, 13
pre-built distributions, 193–194
pre-incident preparation, 45–77
communication procedures, 51–53
global infrastructure issues, 49
host-based security, 49–50
IR-related policies, 47–48
performing hands-on survey, 64
process dumps
Process Explorer, 491–495
process injection, 367–368
process tracking, 301–302
proof, elements of, 90–91
property-based indicators, 98
protocol bridges, 173–174
PST (Personal Storage Table), 449
public relations role, 555
Purdue University College of Technology, 54
Q
qualified forensic images, 172
R
RAR/FTP data theft scenario, 197–204
RAT (remote access trojan), 15–19
RDP (Remote Desktop Protocol), 10
real-world incidents, –22
RecentDocs registry key, 344–345
reconnaissance, internal, 20, 21
Red Hat Enterprise Linux (RHEL), 425
Red Hat Package Manager. See RPM
Redline tool
collecting/parsing INDX records, 284–285
displaying browsing history, 430
registry. See Windows registry
registry keys. See Windows registry keys
remediation
Attack Lifecycle, 544–546
comprehensive plans for, 514, 544–550
determining timing of, 524–525
documenting lessons learned, 542–543
eradication activities. See eradication entries
high-level steps, 515–517
setting strategic direction, 568–571
strategic recommendations, 541–542
timing considerations, 556
remediation actions
alerting attacker, 528–529
remediation effort
critical factors, 517–519
success or failure of, 571–572
remediation owner, 521–523, 541
Remediation Planning Matrix, 544–550
remediation process flowchart, 515, 516
remediation steps, 88, 89
remediation team
assigning remediation owner, 521–523
setting strategic direction, 568–571
remote access trojan (RAT), 15–19
Remote Desktop Connection utility, 346
Remote Desktop MRU registry key, 346
Remote Desktop Protocol. See RDP
remote procedure call (RPC) protocols, 71
reports/reporting, 499–509
analysis reports, 505, 506–508
content/organization, 505–508
improving writing skills, 502, 508–509
incident reports, 505–506
reproducible results, 501
tips for writing, 502–505
Request For Comments (RFC), 107–108
resources
RFC (Request For Comments), 107–108
RHEL (Red Hat Enterprise Linux), 425
RPC (remote procedure call) protocols, 71
RPM (RPM Package Manager), 425
RPM Package Manager. See RPM
RPM-based distributions, 425
RSA NetWitness Investigator, 211–212
S
SchedLgU.txt log, 310–311
SCM (Service Control Manager), 302–303, 327–328
scope/scoping process, 117–131
ACH fraud scenario, 127–130
customer data loss scenario, 122–127
determining course of action, 121
examining initial data, 119
questions to ask during, 121
reviewing preliminary evidence, 120–121
SDLC (software development lifecycle), 569
search-order hijacking, 373–375
Secure Sockets Layer (SSL), 205–209, 239
security
security administrators, 569
security breaches,
security incidents. See incidents
Security Information and Event Management (SIEM) utility, 17
Security Onion (SO), 57, 193–194
security policies. See policies
Security Technical Implementation Guides (STIGs), 62
SED (Self-Encrypting Drive), 54
Self-Encrypting Drive (SED), 54
SEP (Symantec Endpoint Protection), 231–233
servers
retiring legacy server, 567
user-installed software, 50
web. See web servers
Service Control Manager (SCM), 302–303, 327–328
service level agreements (SLAs), 48
services, 63. See also Windows Services
Sethc IS Debugger indicator, 105–106
shared libraries, 473–474
sharepoints node, 400–401
shell extensions, 332–333
shellbag registry keys, 338–340
SIEM (Security Information and Event Management) utility, 17
Simple Object Access Protocol (SOAP), 455
single-factor authentication, 12
“situational awareness,” 40–42
SLAs (service level agreements), 48
SLM (Software License Monitoring), 225–228
SMEs (subject matter experts), , 523
SO (Security Onion) distribution, 57, 193–194
SOAP (Simple Object Access Protocol), 455
software
performing hands-on survey, 64
security solutions, 57–60
software development lifecycle (SDLC), 569
Software License Monitoring. See SLM
solid state drives (SSDs), 167
SQL (Structured Query Language),
SQL Server Forensic Analysis, 246
SQL Server Management Studio (SSMS), 246
SQLite Database Browser, 440, 441–445
SQLite Manager extension, 440, 441–445
SSDs (solid state drives), 167
SSL (Secure Sockets Layer), 205–209, 239
SSMS (SQL Server Management Studio), 246
statements, documenting, 113
statistical analysis, 266–267
statistical modeling, 188–191
STIGs (Security Technical Implementation Guides), 62
strategic recommendations, 541–542
strategic remediation activities, 40
Structured Query Language. See SQL
subject matter experts (SMEs), , 523
Symantec Endpoint Protection (SEP), 231–233
SysInternals streams, 281
SysInternals strings, 480
system administrators. See administrators
System Details Checklist, 87–88
system memory, 141. See also memory
systems
assets. See assets
critical information on, 88
disconnecting from network, 565
identifying systems of interest, 36–37
instrumentation mechanisms, 65–67
list of affected systems, 41
live system duplication, 179–180
physical location, 63, 87
systems engineering role, 555
T
Tableau Forensic Products, 174
tactical remediation activities, 40
Task Scheduler service logs, 308
teams. See IR team; remediation team
theft of sensitive data, , 15–19
TNS (Transparent Network Substrate) listener, 249
tools, tactics, and procedures (TTPs), 537
training, 49–50, 54. See also education
Transparent Network Substrate (TNS) listener, 249
Trend Micro OfficeScan, 236–238
TTPs (tools, tactics, and procedures), 537
TypedURLs registry key, 345–346
Tyson, Neil deGrasse, 254
U
UAC (User Access Control), 143
Ubuntu distributions, 425
Uniform Resource Locators (URLs), 345–346, 430
Unix-based logging services, 219–220
Unix-based systems
categories of data, 156–157
live data collection on, 155–163
memory collection, 158–163
Update Sequence Number (USN) journal, 285
URLs (Uniform Resource Locators), 345–346, 430
U.S. Department of Defense Computer Forensics Laboratory (DCFL), 176
User Access Control (UAC), 143
user accounts
administrator accounts, 535
application accounts, 535
eradication event and, 535–536
networking gear accounts, 535
passwords. See passwords
user hive registry keys, 338–346
UserAssist registry key, 340–341
users
host-based security and, 49–50
requiring new accounts for, 562
USN (Update Sequence Number) journal, 285
UTC (Coordinated Universal Time), 83
V
VAD (Virtual Address Descriptor) tree, 364
verification
Virtual Address Descriptor (VAD) tree, 364
virtual private networks. See VPNs
VirusScan Enterprise, 233–236
VMware Workstation, 472–473
Voice over IP (VoIP) clients, 456
voicemail artifacts, 457–459
VoIP (Voice over IP) clients, 456
Volatility Framework tool, 328, 370–371
Volume Shadow Copy (VSC) service, 286–288
VPNs (virtual private networks), 16, 18
VSC (Volume Shadow Copy) service, 286–288
VSEncode.exe utility, 238
W
W3C Extended Log File Format, 243–244
web applications, 429–463
browsers. See web browsers
instant messaging. See IM clients
Internet Explorer, 431–437
web mail services, 446–448
web servers
enterprise services, 238–244
evidence provided by, 239–240
webshell reconnaissance scenario, 205–211
WER (Windows Error Reporting), 360
WFP (Windows File Protection), 373
WiebeTech Forensic UltraDock, 174–175
Windows administrator accounts, 566
Windows artifacts
interactive sessions, 349–356
memory-related. See Memory Forensics
MFT. See MFT
Windows Cache Manager, 289
Windows Credential Editor, 303
Windows directories, 282–285
Windows Error Reporting (WER), 360
Windows event logs, 294–305
account/security settings changes, 300
investigating lateral movement, 298–300
log analysis tips, 303–304
log analysis tools, 304–305
process tracking, 301–302
SchedLgU.txt log, 310–311
scheduled tasks in, 312–313
Windows services, 302–303
Windows Event Viewer, 305
Windows File Protection (WFP), 373
identifying deleted files, 275
Windows Memory Toolkit, 151
Windows Recycle Bin directory, 227
Windows registry, 313–349
analyzing evidence, 319–346
general investigation, 428, 429
reflection/redirection, 318–319
sources of evidence, 314–319
system configuration registry keys, 319–322
uninstall information, 423
Windows Registry Decoder, 347
Windows registry keys
Browser Helper Objects, 332
identifying malicious auto-runs, 334–338
Most Recently Used keys, 343–344
Run/RunOnce keys, 328–329
shell extensions, 332–333
Winlogon Notification, 333
Windows Resource Protection (WRP), 373
Windows Service Control Manager (SCM), 327–328
Windows Services
privileged domain accounts for, 324–325
runtime analysis of, 327–328
Windows systems
32-bit applications, 288–289, 318–319
64-bit applications, 288–289, 318–319
account/security settings changes, 300
common scenarios, 376–379
deleted files/directories, 275
event logs. See Windows event logs
file system. See NTFS
forensics overview, 272–273
investigating lateral movement, 298–300
investigative questions, 376–379
live data collection on, 144–154
load-order hijacking, 373–375
memory collection, 150–154
memory forensics. See Memory Forensics
persistence mechanisms, 371–375
process tracking, 301–302
registry. See Windows registry
system binary modification, 372–373
Windows Task Scheduler, 305–313
Windows WoW64 subsystem, 318–319
WinPrefetchView tool, 293
WinPrefetchView utility, 292
data theft scenario, 196, 198–204
webshell reconnaissance scenario, 205–211
workstation communications, 73–74
write blocker hardware, 173–175
WRP (Windows Resource Protection), 373
X
XFF (X-Forwarded-For) header, 240
X-Forwarded-For (XFF) header, 240
XML (Extensible Markup Language), 35, 455
Y
Z
Zero Configuration Networking, 414