
First Responders Guide to Computer Forensics.pdf


Uploader: mitaney, 2012-02-12

Description: This document is "First Responders Guide to Computer Forensics.pdf"; it is applicable to the IT/computer field, and its subject matter covers First Responders Guide to Computer Forensics, Richard Nolan, Colin O'Sullivan, Jake Bran… and so on.

First Responders Guide to Computer Forensics

Richard Nolan
Colin O'Sullivan
Jake Branson
Cal Waits

March
CERT Training and Education
HANDBOOK
CMU/SEI-HB
Pittsburgh, PA

First Responders Guide to Computer Forensics
CMU/SEI-HB
Richard Nolan, Colin O'Sullivan, Jake Branson, Cal Waits
March
CERT Training and Education
Unlimited distribution subject to the copyright.

This report was prepared for the SEI Joint Program Office, ESC/XPK, Eglin Street, Hanscom AFB, MA.

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras
Chief of Programs, XPK

This work is sponsored by the SEI FFRDC primary sponsor and the Commander, United States Army Reserve (USAR) Information Operations Command and USAR EIO. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright Carnegie Mellon University

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number FC with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at .

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

Contents

Preface xi
Abstract xiii

Module: Cyber Law
  Module Objectives
  Forensics
  Computer Forensics
  Laws that Affect Cyber Security
  Legal Governance Related to Monitoring and Collection
    Constitutional Issues
      The th Amendment
      The th Amendment
    U.S. Statutory Law
      Wiretap Act
      Electronic Communications Privacy Act
      Pen Registers and Trap and Trace Devices
      Stored Wired and Electronic Communications Act
  Legal Governance Related to Admissibility (Federal Rules of Evidence)
    Hearsay
    Exceptions
    Authentication
    Reliability
    The Best Evidence Rule
  Summary
  Review

Module: Understanding File Systems and Building a First Responder Toolkit
  Introduction
  File System Architecture
    Physical Look at the Hard Drive
    Types of Hard Drive Formatting
    Importance of File Systems
  Understanding Windows File Structure
    FAT: File Allocation Table
    NTFS: New Technology File System
    Windows Registry
  Swap File, Slack, and Unallocated Space
    Swap File
    Slack Space
    Unallocated Space
  Linux File System Basics
    Boot Sequence
    Commonly Used Terms
  Forensically Sound Duplication
    Duplication Tools
  Wiping Storage Devices
    DoD Directive M
    Hard Drives
    Other Storage Devices
  First Responder Toolkit
    Statically vs. Dynamically Linked Tools
    Problems with Dynamically Linked Executables
  Methodology for Creating a First Responder Toolkit
    Create a Forensic Tool Testbed
    Document the Testbed
    Document and Set Up the Forensic Tools
    Test the Tools
    Benefits of Proper Tool Testing
    NIST Methodology
  Summary
  Review

Module: Collecting Volatile Data
  Introduction
  Objectives
  Role of a First Responder
  What is Volatile Data
    Order of Volatility
  Why is Volatile Data Important
  Common First Responder Mistakes
  Volatile Data Collection Methodology
    Step: Incident Response Preparation
    Step: Incident Documentation
      Incident Profile
      Forensic Collection Logbook
      First Responder Toolkit Logbook
    Step: Policy Verification
    Step: Volatile Data Collection Strategy
    Step: Volatile Data Collection Setup
      Establish a Trusted Command Shell
      Establish a Method for Transmitting and Storing the Collected Information
      Ensure the Integrity and Admissibility of the Forensic Tool Output
    Step: Volatile Data Collection Process
  Types of Volatile Information
    Volatile System Information
      System Profile
      Current System Date and Time and Command History
      Current System Uptime
      Running Processes
      Open Files, Startup Files, and Clipboard Data
      Logged On Users
      DLLs or Shared Libraries
    Volatile Network Information
      Open Connections and Ports
      Routing Information
  Summary
  Review

Module: Collecting Persistent Data
  Objectives
  Introduction to Persistent Data
    What Is Persistent Data
    Why is Persistent Data Important
    What Problems Exist in Investigating Persistent Data
  Responding to a Security Event
    Consequences of Responses
  Basic Building Blocks of Disk Storage
  OS and Application Considerations
    Windows
      FAT
      NTFS
    Linux/UNIX
      Ext
    Operating Systems
  Collecting Forensic Evidence
    To Shut Down or Not to Shut Down…
    Creating a Disk Image Using dd
  Persistent Data Types
    System Files
      Windows
      UNIX/Linux
    Temp Files
    Web Artifacts
      Windows vs. Linux
      IE Default Locations
      Alternative Browsers
      Cookies
    File Recovery
      Deleted Data
      Slack Space
      Swap Files
      Unallocated Space
      Partial Files
    Windows Artifacts
      Hidden Files
      Recovering a Deleted Email
  Tools for Accessing Persistent Data
    Windows
      Command Line Tools
      GUI Based Utilities
      Commercial
    UNIX/Linux
      Command Line Tools
      GUI Based Utilities
      Freeware
  Summary
  Review

References

List of Figures

Figure: Mapping of DoD and OSI Models
Figure: Logical Layout of the FAT File System
Figure: Types of CMOS Batteries
Figure: The ldd Command
Figure: Using Filemon to Identify Dependencies
Figure: Performing a Cryptographic Hash of Installed DLLs
Figure: A Regmon Listing
Figure: An MD Hash
Figure: The systeminfo Command
Figure: The PsInfo Command
Figure: The cat Command
Figure: The uname Command
Figure: date and time Commands Used with netstat
Figure: The PsUptime Command
Figure: The net statistics Command
Figure: The uptime and w Commands
Figure: Using netstat -ab to Determine Process Executable Image
Figure: Using ListDLLs to Determine Command Line
Figure: Using PsList to Determine How Long a Process Has Been Running
Figure: Using PsList to Determine How Much Virtual Memory a Process Is Using
Figure: Using ListDLLs to Discover the Currently Loaded DLLs for a Process
Figure: Pulist Output
Figure: tlist.exe
Figure: PsList
Figure: A Process Memory Dump
Figure: The top Command
Figure: The w Comma
