Windows Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

karla

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

Windows Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

karla

0% found this document useful (0 votes)

186 views15 pages

Original Title

001-windows001

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

0% found this document useful (0 votes)

186 views15 pages

Windows Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

karla

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

You are on page 1/ 15

Windows Forensics

Dr. Phil Polstra @ppolstra

PhD, CISSP, CEH http://philpolstra.com
Certifications:
http://www.securitytube-training.com

Pentester Academy: http://www.PentesterAcademy.com

©SecurityTube.net
About Me
●
Frequent conference speaker
●
Repeat performances at DEFCON, BlackHat, GrrCON, 44CON, B-sides,
ForenSecure, ...
●
BruCON, SecTOR, ShakaCON, ...
●
Author
●
Hacking and Penetration Testing with Low Power Devices
●
Linux Forensics
●
USB Forensics
●
Associate Professor of Digital Forensics, Bloomsburg University of
Pennsylvania
●
Programming from age 8 (in Assembly at 10)
●
Hacking hardware from age 12
●
Aviator and plane builder with a dozen ratings

©SecurityTube.net
Course Contents
Live Response
●
Human interactions
●
Creating a live response kit
●
Transporting data across a network
●
Collecting volatile data
●
Determining if dead analysis is justified
●
Dumping RAM
©SecurityTube.net
Course Contents (cont.)
Acquiring filesystem images
●
Using dd
●
Using dcfldd & dc3dd
●
Write blocking
●
Software blockers
●
Udev rules
●
Forensic Linux distros
●
Hardware blockers

©SecurityTube.net
Course Contents (cont.)
Analyzing filesystems
●
Mounting image files
●
Finding the strange
●
Searching tools
●
Authentication related files
●
Recovering deleted files
●
Finding hidden information
©SecurityTube.net
Course Contents (cont.)
The Sleuth Kit (TSK) and Autopsy
●
Volume information
●
Filesystem information
●
FAT 12/16/32
●
NTFS
●
Directory entries
●
Constructing timelines
©SecurityTube.net
Course Contents (cont.)
Timeline Analysis
●
When was system installed, upgraded,
booted, etc.
●
Newly created files (malware)
●
Changed files (trojans)
●
Files in the wrong place (exfiltration)

©SecurityTube.net
Course Contents (cont.)
Digging deeper into Windows filesystems
●
Disk editors
●
Active@ Disk Editor
●
Autopsy
●
FAT 12/16/32
●
NTFS
●
Searching unallocated space
©SecurityTube.net
Course Contents (cont.)
Network forensics
●
Using snort on packet captures
●
Using tcpstat
●
Seperating conversations with tcpflow
●
Tracing backdoors with tcpflow

©SecurityTube.net
Course Contents (cont.)
File forensics Unknown files
●
Using file signatures
●
Comparing hashes to
●
Searching through know values
swap space ●
File and strings
●
Web browsing commands
reconstruction ●
Log files
●
Cookies ●
Recycle bin
●
Search history ●
Prefetch files
●
Browser caches ●
Alternate data streams
©SecurityTube.net
Course Contents (cont.)
Registry forensics ●
Past & present
●
RegRipper mounted devices
●
Python ●
User activity
●
System information ●
System restore
●
Autostart programs points
●
USB Devices
●
User info
©SecurityTube.net
Course Contents (cont.)
Memory Forensics
●
Retrieving process information
●
Windows objects
●
Looking for malware
●
Event logs
●
Registry in memory
●
Reconstructing network artifacts
●
Windows services
●
Windows GUI
●
Filesystems in memory
●
Detecting kernel rootkits
●
Creating timelines
©SecurityTube.net
Course Contents (cont.)
Reversing Windows ●
Command line analysis
Malware tools
●
Windows executables
●
strings
●
Headers ●
Running malware
●
Imports (carefully)
●
Exports
●
Virtual machine setup
●
Capturing network
●
Resources
traffic
●
Obfuscation ●
Leveraging debuggers
●
Dynamic linking
©SecurityTube.net
Course Contents (cont.)
Writing the reports
●
Autopsy
●
Dradis
●
OpenOffice

©SecurityTube.net
Overall Goals
●
Leverage open source (or at least free)
software
●
Hands on practical exercises and demos
throughout
●
Provide the most comprehensive
Windows forensics course available

TeamMate Configuration Guide
No ratings yet
TeamMate Configuration Guide
45 pages
Python Programming: Guru Nanak Dev Engg College
No ratings yet
Python Programming: Guru Nanak Dev Engg College
54 pages
NT Logon
No ratings yet
NT Logon
38 pages
Remnux Tools Sheet
No ratings yet
Remnux Tools Sheet
20 pages
IM Jhtp7 Ch21
No ratings yet
IM Jhtp7 Ch21
19 pages
NTFS CHEETSHEET - Swastik
No ratings yet
NTFS CHEETSHEET - Swastik
57 pages
Notepad Internals: Extern Labs Pvt. Ltd. 22/2/2022
No ratings yet
Notepad Internals: Extern Labs Pvt. Ltd. 22/2/2022
7 pages
USB Flash Drive Forensics: Philip A. Polstra, Sr. University of Dubuque
No ratings yet
USB Flash Drive Forensics: Philip A. Polstra, Sr. University of Dubuque
38 pages
Direct Kernel Object Manipulation
No ratings yet
Direct Kernel Object Manipulation
45 pages
oalabs malware
No ratings yet
oalabs malware
3 pages
Advanced C Programming
No ratings yet
Advanced C Programming
7 pages
Windows Kernel Internals Advance Virtual Memory PDF
No ratings yet
Windows Kernel Internals Advance Virtual Memory PDF
21 pages
CH02 - Starting Out With Python
No ratings yet
CH02 - Starting Out With Python
87 pages
Memory Allocations in C PDF
No ratings yet
Memory Allocations in C PDF
2 pages
x64 Cheatsheet
No ratings yet
x64 Cheatsheet
9 pages
Important MCQS - IT Training
100% (1)
Important MCQS - IT Training
33 pages
Writing A Kernel Driver in An Hour
No ratings yet
Writing A Kernel Driver in An Hour
33 pages
Master Theorem - (Decreasing and Dividing Functions)
No ratings yet
Master Theorem - (Decreasing and Dividing Functions)
53 pages
Designing FPGAs Using The Vivado Design Suite 1
No ratings yet
Designing FPGAs Using The Vivado Design Suite 1
7 pages
Python by DK PDF
No ratings yet
Python by DK PDF
396 pages
Java Class Library
No ratings yet
Java Class Library
27 pages
Windows NT Operating System
No ratings yet
Windows NT Operating System
19 pages
IT Essentials (ITE v6.0) A+ Cert Practice Exam 2 Answers 2016
0% (1)
IT Essentials (ITE v6.0) A+ Cert Practice Exam 2 Answers 2016
11 pages
Ugc Net Exam Daa PDF
No ratings yet
Ugc Net Exam Daa PDF
94 pages
Department of Computer Science: COMSATS University Islamabad, Abbottabad Campus
100% (1)
Department of Computer Science: COMSATS University Islamabad, Abbottabad Campus
6 pages
(P1) Topical Past Papers of (1.4.4 Assembly Language & Processor)
No ratings yet
(P1) Topical Past Papers of (1.4.4 Assembly Language & Processor)
16 pages
(Slides) Authenticated Encryption GCM - CCM
100% (1)
(Slides) Authenticated Encryption GCM - CCM
48 pages
Chapter 1 Exam PDF
No ratings yet
Chapter 1 Exam PDF
7 pages
Database Processing-11 Edition: David M. Kroenke and David J. Auer
No ratings yet
Database Processing-11 Edition: David M. Kroenke and David J. Auer
37 pages
CO Unit 2-1
No ratings yet
CO Unit 2-1
15 pages
Get Started With Java JVM Memory (Heap, Stack, - Xss - Xms - XMX - Xmn... ) - Avri Blog
No ratings yet
Get Started With Java JVM Memory (Heap, Stack, - Xss - Xms - XMX - Xmn... ) - Avri Blog
2 pages
Assignment 2
No ratings yet
Assignment 2
7 pages
Topic: Course Name: Ethical Hacking
No ratings yet
Topic: Course Name: Ethical Hacking
39 pages
TDD With Django
No ratings yet
TDD With Django
27 pages
Java Interface
No ratings yet
Java Interface
14 pages
Inside Windows NT High Resolution Timers
No ratings yet
Inside Windows NT High Resolution Timers
4 pages
Applied Cryptography Syllabus
No ratings yet
Applied Cryptography Syllabus
3 pages
Csa Unit-7
No ratings yet
Csa Unit-7
418 pages
GCC Profile Guided Optimization
No ratings yet
GCC Profile Guided Optimization
47 pages
Unit 1 - Chapter - 1
No ratings yet
Unit 1 - Chapter - 1
23 pages
All About Linux Signals - Linux Programming Blog
No ratings yet
All About Linux Signals - Linux Programming Blog
20 pages
E
100% (1)
E
327 pages
Lab01 - Classical Cryptography
No ratings yet
Lab01 - Classical Cryptography
13 pages
29 - 30 - Introducing Swing
No ratings yet
29 - 30 - Introducing Swing
70 pages
Memprof: A Memory Profiler For Ruby
100% (5)
Memprof: A Memory Profiler For Ruby
142 pages
Exam Preparation Python - Jupyter Notebook
No ratings yet
Exam Preparation Python - Jupyter Notebook
17 pages
Lecture 12
100% (1)
Lecture 12
63 pages
Windows Scripting Host
No ratings yet
Windows Scripting Host
19 pages
Assembly Programming Tutorial: What Is Assembly Language?
100% (1)
Assembly Programming Tutorial: What Is Assembly Language?
75 pages
Import Users in IBM Security Access Manager Using IBM Security Directory Integrator
No ratings yet
Import Users in IBM Security Access Manager Using IBM Security Directory Integrator
9 pages
Office Automation
No ratings yet
Office Automation
14 pages
Dyanmic Disks
No ratings yet
Dyanmic Disks
3 pages
Institute - Uie Department-Academic Unit-2
No ratings yet
Institute - Uie Department-Academic Unit-2
27 pages
University of Management and Technology Lahore: (SPRING 2021)
No ratings yet
University of Management and Technology Lahore: (SPRING 2021)
4 pages
Memory Map in
No ratings yet
Memory Map in
22 pages
SQL Tutorials
100% (1)
SQL Tutorials
22 pages
Setup Instructions
No ratings yet
Setup Instructions
3 pages
Problem Solving Using Computers: Introduction To Software Engineering and Computing
No ratings yet
Problem Solving Using Computers: Introduction To Software Engineering and Computing
31 pages
Advanced GitLab CI/CD Pipelines: An In-Depth Guide for Continuous Integration and Deployment
From Everand
Advanced GitLab CI/CD Pipelines: An In-Depth Guide for Continuous Integration and Deployment
Adam Jones
No ratings yet
Windows 008
No ratings yet
Windows 008
6 pages
Identification and Detection
No ratings yet
Identification and Detection
22 pages
The Road To Containers
No ratings yet
The Road To Containers
18 pages
2 Dynamika
No ratings yet
2 Dynamika
785 pages
user-manual-CANON-CFX-L3500 IF-E
No ratings yet
user-manual-CANON-CFX-L3500 IF-E
17 pages
Bootex
No ratings yet
Bootex
8 pages
An A-Z Index of The Command Line: Windows CMD
No ratings yet
An A-Z Index of The Command Line: Windows CMD
6 pages
DFIR - Week 2 - Part 1
No ratings yet
DFIR - Week 2 - Part 1
31 pages
SIMATIC STEP 7 Lite V3.0 Incl. SP4
No ratings yet
SIMATIC STEP 7 Lite V3.0 Incl. SP4
20 pages
Vault 7 - CIA Hacking Tools Directory Wikileaks-Org
No ratings yet
Vault 7 - CIA Hacking Tools Directory Wikileaks-Org
35 pages
Write Cache (Modes - Types) Destination For Standard Vdisk Images - Know Citrix
No ratings yet
Write Cache (Modes - Types) Destination For Standard Vdisk Images - Know Citrix
8 pages
Syngistix For AA Release Notes
No ratings yet
Syngistix For AA Release Notes
5 pages
Web Client - Quick Start 7.20
No ratings yet
Web Client - Quick Start 7.20
56 pages
Index 508
No ratings yet
Index 508
8 pages
Deploying The Tivoli Storage Manager Client in A Windows 2000 Environment Sg246141
No ratings yet
Deploying The Tivoli Storage Manager Client in A Windows 2000 Environment Sg246141
190 pages
PC1046
No ratings yet
PC1046
15 pages
DX Diag
No ratings yet
DX Diag
27 pages
70-740 2020 Formative Assessment-Memo
No ratings yet
70-740 2020 Formative Assessment-Memo
7 pages
2015 Winter Model Answer Paper PDF
100% (1)
2015 Winter Model Answer Paper PDF
40 pages
ACIT 1420 Comprehensive Study Guideline
No ratings yet
ACIT 1420 Comprehensive Study Guideline
9 pages
DMS CRN 20110124 0006 - v3.0 - Public
No ratings yet
DMS CRN 20110124 0006 - v3.0 - Public
78 pages
Saleem Hardware Notes 5
91% (11)
Saleem Hardware Notes 5
40 pages
Splunk Use Cases
No ratings yet
Splunk Use Cases
17 pages
Windows 11 Inside Out - PAG 9 A 29
No ratings yet
Windows 11 Inside Out - PAG 9 A 29
22 pages
TVL Ict CSS 12 Coc1 Q1 M1 Lo2 W3&4
100% (1)
TVL Ict CSS 12 Coc1 Q1 M1 Lo2 W3&4
16 pages
CH 06 I C
No ratings yet
CH 06 I C
105 pages
CCMCS402 - Information and Communication Technology (Ict)
No ratings yet
CCMCS402 - Information and Communication Technology (Ict)
11 pages
The 'File Is Too Large For Destination File System' On USB OR External Hard Drive
No ratings yet
The 'File Is Too Large For Destination File System' On USB OR External Hard Drive
9 pages
Best Practices For The Encrypting File System
No ratings yet
Best Practices For The Encrypting File System
20 pages
Razer Game Booster Diagnostics Report
No ratings yet
Razer Game Booster Diagnostics Report
14 pages
Tarun Tyagi Vs Central Bureau of Investigation
No ratings yet
Tarun Tyagi Vs Central Bureau of Investigation
6 pages