
First Responders Guide to Computer Forensics.pdf

Uploader: mitaney, 2012-02-12

Description: This document is "First Responders Guide to Computer Forensics.pdf" and is applicable to the IT/computer field; its subject matter includes: First Responders Guide to Computer Forensics, Richard Nolan, Colin O'Sullivan, Jake Bran, etc.

First Responders Guide to Computer Forensics
Richard Nolan, Colin O'Sullivan, Jake Branson, Cal Waits
March
CERT Training and Education
HANDBOOK
CMU/SEI-HB
Pittsburgh, PA
Unlimited distribution subject to the copyright.

This report was prepared for the SEI Joint Program Office, ESC/XPK, Eglin Street, Hanscom AFB, MA. The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras, Chief of Programs, XPK

This work is sponsored by the SEI FFRDC primary sponsor and the Commander, United States Army Reserve (USAR) Information Operations Command and USAREIO. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright Carnegie Mellon University

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number FC with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

Contents

Preface
Abstract

Module: Cyber Law
  Module Objectives
  Forensics
  Computer Forensics
  Laws that Affect Cyber Security
  Legal Governance Related to Monitoring and Collection
    Constitutional Issues
      The th Amendment
      The th Amendment
    U.S. Statutory Law
      Wiretap Act
      Electronic Communications Privacy Act
      Pen Registers and Trap and Trace Devices
      Stored Wired and Electronic Communications Act
  Legal Governance Related to Admissibility (Federal Rules of Evidence)
    Hearsay
    Exceptions
    Authentication
    Reliability
    The Best Evidence Rule
  Summary
  Review

Module: Understanding File Systems and Building a First Responder Toolkit
  Introduction
  File System Architecture
    Physical Look at the Hard Drive
    Types of Hard Drive Formatting
    Importance of File Systems
  Understanding Windows File Structure
    FAT: File Allocation Table
    NTFS: New Technology File System
    Windows Registry
    Swap File, Slack, and Unallocated Space
      Swap File
      Slack Space
      Unallocated Space
  Linux File System Basics
    Boot Sequence
    Commonly Used Terms
  Forensically Sound Duplication
    Duplication Tools
  Wiping Storage Devices
    DoD Directive M
    Hard Drives
    Other Storage Devices
  First Responder Toolkit
    Statically vs. Dynamically Linked Tools
    Problems with Dynamically Linked Executables
    Methodology for Creating a First Responder Toolkit
      Create a Forensic Tool Testbed
      Document the Testbed
      Document and Set Up the Forensic Tools
      Test the Tools
    Benefits of Proper Tool Testing
    NIST Methodology
  Summary
  Review

Module: Collecting Volatile Data
  Introduction
  Objectives
  Role of a First Responder
  What is Volatile Data
  Order of Volatility
  Why is Volatile Data Important
  Common First Responder Mistakes
  Volatile Data Collection Methodology
    Step: Incident Response Preparation
    Step: Incident Documentation
      Incident Profile
      Forensic Collection Logbook
      First Responder Toolkit Logbook
    Step: Policy Verification
    Step: Volatile Data Collection Strategy
    Step: Volatile Data Collection Setup
      Establish a Trusted Command Shell
      Establish a Method for Transmitting and Storing the Collected Information
      Ensure the Integrity and Admissibility of the Forensic Tool Output
    Step: Volatile Data Collection Process
  Types of Volatile Information
    Volatile System Information
      System Profile
      Current System Date and Time and Command History
      Current System Uptime
      Running Processes
      Open Files, Startup Files, and Clipboard Data
      Logged On Users
      DLLs or Shared Libraries
    Volatile Network Information
      Open Connections and Ports
      Routing Information
  Summary
  Review

Module: Collecting Persistent Data
  Objectives
  Introduction to Persistent Data
    What Is Persistent Data
    Why is Persistent Data Important
    What Problems Exist in Investigating Persistent Data
  Responding to a Security Event
    Consequences of Responses
  Basic Building Blocks of Disk Storage
  OS and Application Considerations
    Windows
      FAT
      NTFS
    Linux/UNIX
      Ext
    Operating Systems
  Collecting Forensic Evidence
    To Shut Down or Not to Shut Down…
    Creating a Disk Image Using dd
  Persistent Data Types
    System Files
      Windows
      UNIX/Linux
    Temp Files
    Web Artifacts
      Windows vs. Linux
      IE Default Locations
      Alternative Browsers
      Cookies
    File Recovery
      Deleted Data
      Slack Space
      Swap Files
      Unallocated Space
      Partial Files
    Windows Artifacts
      Hidden Files
    Recovering a Deleted Email
  Tools for Accessing Persistent Data
    Windows
      Command Line Tools
      GUI Based Utilities
      Commercial
    UNIX/Linux
      Command Line Tools
      GUI Based Utilities
      Freeware
  Summary
  Review

References

List of Figures

  Figure: Mapping of DoD and OSI Models
  Figure: Logical Layout of the FAT File System
  Figure: Types of CMOS Batteries
  Figure: The ldd Command
  Figure: Using Filemon to Identify Dependencies
  Figure: Performing a Cryptographic Hash of Installed DLLs
  Figure: A Regmon Listing
  Figure: An MD Hash
  Figure: The systeminfo Command
  Figure: The PsInfo Command
  Figure: The cat Command
  Figure: The uname Command
  Figure: date and time Commands Used with netstat
  Figure: The PsUptime Command
  Figure: The net statistics Command
  Figure: The uptime and w Commands
  Figure: Using netstat -ab to Determine Process Executable Image
  Figure: Using ListDLLs to Determine Command Line
  Figure: Using PsList to Determine How Long a Process Has Been Running
  Figure: Using PsList to Determine How Much Virtual Memory a Process Is Using
  Figure: Using ListDLLs to Discover the Currently Loaded DLLs for a Process
  Figure: Pulist Output
  Figure: tlist.exe
  Figure: PsList
  Figure: A Process Memory Dump
  Figure: The top Command
  Figure: The w Comma
