Documents

Acquiring Host-Based Evidence

Description
Description:
Categories
Published
of 21
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Share
Transcript
  Acquiring Host-Based Evidence ã Host systems are far too often the target of malicious actions. Commonly available systems are routinely manufactured with extensive memory and storage terabytes; there is a great deal of data that could assist incident responders with determining a root cause analysis. ã As a result, incident response analyst should be prepared to investigate these systems for further analysis. ã Preparation: In terms of preparation, incident response analysts should have the necessary tools at their disposal for acquiring host-based evidence. ã The techniques discussed within this chapter do not rely on any highly-specialized technology, but rather on tools that can be acquired forlittle or no cost.  ã When supporting an enterprise environment, it is a good idea that incident response personnel have a solid understanding of the types of systems commonly deployed. For example, in an enterprise that utilizes strictly Microsoft operating systems, the tools available should have the ability to support the wide range of versions of the Microsoft OS. ã One technique is for incident response analysts to be given individual credentials that are enabled only during an incident. This allows the organization to separate out the legitimate use of credentials with possible malicious ones. ã This also allows the incident response team to recreate their actions. It is worth noting that highly technical adversaries will often monitor the network they are attacking during an active compromise to determine whether they are being detected.  Evidence volatility ã Not all evidence on a host system is the same. Volatility is used to describe how data on a host system is maintained after changes such as log-offs or power shutdowns. Data that will be lost if the system is powered down is referred to as volatile data. ã Volatile data can be data in the CPU, routing table, or ARP cache. One of the most critical pieces of volatile evidence is the memory currently running on the system. When investigating such incidents as malware infections, the memory in a live system is of critical importance. ã Malware leaves a number of key pieces of evidence within the memory of a system and, if lost, can leave the incident response analyst with little or no avenue to investigate. ã Non-volatile data includes Master File Table ( MFT ) entries, registry information, and the actual files on the hard drive.  Evidence acquisition ã There are a variety of methods that are used to not only access a potential evidence source but the type of acquisition that can be undertaken. To define these methods better, it is important to have a clear understanding of the manner and type of acquisition that can beutilized: ã Local : Having access to the system under investigation is often a luxury for most enterprises at times. Even so, there are many times where incident response analysts or other personnel have direct physical access to the system.
Search
Tags
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x