
First Responders Guide to Computer Forensics - Advanced Topics.pdf


Uploaded by mitaney, 2012-02-12

Description: This document is "First Responders Guide to Computer Forensics - Advanced Topics.pdf", suitable for the IT/computing field. Its contents include "First Responders Guide to Computer Forensics: Advanced Topics" by Richard Nolan, Marie Baker, et al.

First Responders Guide to Computer Forensics: Advanced Topics

Richard Nolan, Marie Baker, Jake Branson, Josh Hammerstein, Kris Rush, Cal Waits, Elizabeth Schweinsberg

September

HANDBOOK
CMU/SEI-HB

Pittsburgh, PA

First Responders Guide to Computer Forensics: Advanced Topics
CMU/SEI-HB

Richard Nolan, Marie Baker, Jake Branson, Josh Hammerstein, Kris Rush, Cal Waits, Elizabeth Schweinsberg

September

CERT Training and Education

Unlimited distribution subject to the copyright.

This report was prepared for the SEI Administrative Agent, ESC/XPK, Eglin Street, Hanscom AFB, MA.

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras
Chief of Programs, XPK

This work is sponsored by the SEI FFRDC primary sponsor and the Department of Homeland Security. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number FAC with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

Table of Contents

Executive Summary  xi
Abstract  xiii

Module: Log File Analysis
  Swatch
    Swatch Log Monitor
    Swatch Installation
      Installing Perl Modules
      Installing Swatch
    Swatch Configuration
      The Configuration File Location
      Adding Rules to the Configuration File
    Swatch Execution
    Summary
  Microsoft Log Parser
    Microsoft Log Parser Features
    Log Parser Installation
    Log Parser Input and Output
      Input Formats
      Output Formats
    Log Parser Queries
      Query Examples
    Log Parser COM Objects
      Creating Custom Input Formats Using the Log Parser COM API
    Log Parser Execution
    Summary

Module: Process Characterization
  Understanding a Running Process
    Objectives
    Programs, Processes, and Threads
      Threads
      Displaying Threads for a Running Process
      Sysinternals Process Explorer
      Process Tree Structure
      pstree (Linux)
      Linux ps -A
      Process Descriptions
      Process Hashes (National Software Reference Library)
    Process Analysis Checklist
    Common Process Characteristics
      Process Filenames
      Open Ports
      Open Files
      Base Priority
      Process Times and Terminated Processes
      Location of Process Image
      Survivable Processes
    Process Forensic Tasks
  Automated Process Collection
    Objectives
    First Responder Utility (FRU)
    First Responder Utility (FRUC) Setup
    Forensic Server Project (FSP)
    FSP Setup
    Testing FRUC
    Output of FRUC

Module: Image Management
  Slice and Dice with dd

Module: Capturing a Running Process
  Hedons and Dolors
  Capturing a Process on a Windows System

Module: Understanding Spoofed Email
  Objectives
  Identifying Spoofed Email
    Definition of the Problem
    Understanding the Process of Sending and Receiving Email
      The Life Cycle of an Email
      Overview of the Simple Mail Transfer Protocol
      Understanding Email Headers
      Interpreting Email Headers
    How Spoofed Email Is Sent
      Open Mail Relay
      Compromised Machines
      Self-Owned Mail Servers
      Temporary Accounts
      Hijacked Accounts
    How to Identify Spoofed Email
      Carefully Examine the "Received" Headers
      Look Out for Spoofed Headers
      Comparing Timestamps
    Tracing the Origins of a Spoofed Email
      nslookup
      whois
      IP Block Identification
      WHOIS Information for a Domain Name
      Traceroute
      Sam Spade
  Summary

References

List of Figures

Figure: Example Run of the Swatch Configuration File
Figure: Example Run of PsList
Figure: Sysinternals Process Explorer Utility
Figure: Verifying a Process Image in Process Explorer
Figure: The Strings Tab in Process Explorer
Figure: Displaying a Process Tree Using PsList
Figure: Displaying a Process Tree Using pstree
Figure: Displaying PID Assignments Using ps
Figure: WinTasks Process Description
Figure: Listing Process Filenames Using pulist
Figure: Displaying Open Ports Using fport
Figure: Displaying Open Ports Using netstat
Figure: Viewing Handles Using handle
Figure: Displaying Which Process Has Port Open
Figure: Displaying Who Has the Bash Shell Open
Figure: Displaying All the Currently Open Files by the User Root
Figure: Listing Priority Levels Using pslist
Figure: Listing Priority Levels Using top
Figure: Displaying the Priority Level for a Specific Process
Figure: Checking Uptime Using ps uptime
Figure: Checking Elapsed Time for a Process Using pslist
Figure: Windows Event Log
Figure: psloglist Command
Figure: Locating a Process Image Using ListDLLs
Figure: Locating a Process Image Using ps
Figure: Locating a Process Image by PID
Figure: autorunsc.exe Command
Figure: The chkconfig --list Command
Figure: A Cron Log
Figure: The Crontab Command
Figure: The svchost.exe Process
Figure: listdlls.exe Output for svchost.exe
Figure: md5deep Utility
Figure: Performing a String Search Using grep
Figure: The mshearts.exe Process
Figure: listdlls.exe Output for the mshearts Process
Figure: md5deep.exe Command Line Arguments
Figure: strings Command
Figure: strings Command Output
Figure: Hash of John the Ripper
Figure: First Part of the fruc.ini File
Figure: Second Part of the fruc.ini File
Figure: Final Part of fruc.ini File
Figure: FSP Setup
Figure: FRUC Utility Command
Figure: FSP Command Output
Figure: FRUC Output File
Figure: FRUC Audit File
Figure: Result of Using md5 to Calculate a Hash Value
Figure: Confirming the Result of Splitting Images
Figure: Result of Using cat and md5sum to Check the Integrity of Split Images
Figure: Result of Using md5sum to Check the Integrity of a New Image
Figure: Finding a jpg Tag in a Captured Image
Figure: Decimal Form of the Beginning of the jpg File
Figure: Searching for the End of the jpg File
Figure: Tag Delineating the End of a jpg File
Figure: Decimal Address for the End of the jpg File
Figure: Calculating the Size of the jpg File
Figure: File Carved Out Using dd
Figure: Viewing Carved jpg File
Figure: Running a Trusted Command
Figure: Command Shell Spawned from a Trusted CD
Figure: netcat Command to Listen on Port
Figure: Using Trusted pslist and netcat to Specify IP Address and Listening Port
Figure: Looking for Suspicious Processes Using cat
Figure: Suspicious Process Found
Figure: netcat Command to Listen on Port
Figure: Specifying netcat Listener Machine and Port
Figure: Viewing Path to a Suspicious Process
Figure: Setting Up a Listening Session on a Suspicious Process
Figure: Collecting the Executable of a Suspicious Process
Figure: Calculating a Hash of a Captured Process
Figure: The Life Cycle of an Email
Figure: Mail Delivery for Valid Users
Figure: Spoofed Email via an Open Relay
Figure: nslookup of Valid Fully Qualified Domain Name
Figure: nslookup of Falsified Host Information
