Forensic Analysis: using TSK and Volatility
![Page 1: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/1.jpg)
Forensic Analysis: using TSK and Volatility
![Page 2: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/2.jpg)
A bit about Me
• Mark Bennett
• Work for Check Point Software.
• Incident Response/Forensics for Health Care
– Firewalls
– Malware analysis
– Intrusion Prevention
– HR/Legal
– Watching over the enterprise
• SANS Instructor
– http://www.sans.org
– http://www.darknet-consulting.com
– http://www.pauldotcom.com
![Page 3: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/3.jpg)
Agenda
• Metasploit
– How to use it
– What can you do with it
• Making Forensic copies
– Copying memory
– Copy Hard drive
• Timeline analysis
– How to create
– How to read
• Memory analysis
– Strings
– Volatility
• See it live
• Wrap up
![Page 4: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/4.jpg)
![Page 5: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/5.jpg)
Metasploit
![Page 6: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/6.jpg)
Metasploit – cont.
![Page 7: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/7.jpg)
Mandiant Memoryze
![Page 8: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/8.jpg)
Using dd for bit-by-bit copies
![Page 9: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/9.jpg)
fls - bodyfile
![Page 10: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/10.jpg)
mactime - timeline
![Page 11: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/11.jpg)
Timeline Analysis
![Page 12: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/12.jpg)
Memory Analysis
![Page 13: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/13.jpg)
Volatility – memory analysis
![Page 14: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/14.jpg)
Live Demo
Let’s Do it for Real!!!
![Page 15: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/15.jpg)
Questions/Comments
??????????????????????????????????
![Page 16: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/16.jpg)
Wrap UP
• Mark Bennett
– http://www.sans.org/mentor
• 508 Advanced Forensic Analysis
• 408 Windows Forensics
• 504 Incident Response
– http://www.darknet-consulting.com
– http://www.pauldotcom.com
– Hack Labs – Metasploit
• Be good, be safe, if you are going to hack, hack legally and responsibly – I’m Out!
![Page 17: Forensic Analysis : using TSK and Volatility](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816329550346895dd3a474/html5/thumbnails/17.jpg)
THANK YOU FOR ATTENDING