Lab 9: Computer Forensics Analysis, by Alan S H Lam (IEG7006, 2010)

Slide 1: Lab 9: Computer Forensics Analysis. By Alan S H Lam. IEG7006 (2010)

Slide 2: Basic Techniques: Verify Incident
• Isolate the true incidents from false alarms
• Escalation process
IEG7006 (2010)
Slide 3: Basic Techniques: Secure Incident Scene
• Limit the amount of activity on the system to as little as possible
• Isolation
• One person performs actions
• Record your actions
• Power off vs. keeping it powered on
• Unplug the network vs. keeping it on line
IEG7006 (2010)

Slide 4: Basic Techniques: Collect Evidence
• Snapshot the scene
• Back up the system to media
IEG7006 (2010)
Slide 5: Basic Techniques: Find Clues and Analyze the Unknown
• Think as hackers
• Reconstruct the scene
• Network, process and file analysis
IEG7006 (2010)

Slide 6: Basic Techniques: Equipment Needed
• Luggable PC and laptop with different boot OS platforms (e.g. Windows or Unix), forensics tools, SCSI and IDE removable drives, tape drive
• You may use these PC and laptop as backup media and sniffer, and as a small lab for file and process analysis
• Floppy and CDROM loaded with forensics tools
IEG7006 (2010)
Slide 7: On-line Inspection (or Dynamic Analysis): Clone the Disk and Copy Data
• Efficiency vs. accuracy
• Copying the data to a remote host for later investigation
• Using cp -p to preserve the owner and group id, permission modes, modification and access time
• Copying the data to a remote host by ttcp or nc
• Clone to another disk by dd
IEG7006 (2010)
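As an added example that is not part of the lecture slides, the following shell script (assumed POSIX sh on Linux with coreutils or BusyBox dd, tee, sha256sum, cut, touch and mktemp) clones a constructed stand-in for an evidence disk with dd, hashes the image while it is being written so the copy can be verified without a second pass over the source, and checks that cp -p keeps the original modification time where a plain cp does not. The file names and the random file content are constructed for the demonstration; the slide's own commands (cp -p, dd) are the techniques being shown.

```shell
#!/bin/sh
# Added example, not from the slides. Clone a (constructed) evidence disk with
# dd, hash the stream while writing it, then verify that the clone matches
# the source and that cp -p preserves the original modification time.
# Assumes POSIX sh plus dd, tee, sha256sum, cut, touch, mktemp
# (coreutils or BusyBox). All paths and data here are constructed.

image_and_verify() {
    work=$(mktemp -d) || return 1

    # Constructed stand-in for the evidence disk: 4 KiB of random bytes
    # (a multiple of the 512-byte block size, so sync padding adds nothing)
    # with an old modification time, as real evidence would have.
    dd if=/dev/urandom of="$work/disk.img" bs=1024 count=4 2>/dev/null
    touch -t 200101010000 "$work/disk.img"

    # Clone with dd. conv=noerror,sync keeps reading past unreadable blocks
    # and pads them, so offsets in the clone line up with the source.
    # tee writes the clone while sha256sum hashes the same byte stream, so
    # the image hash is recorded without re-reading the (slow) source.
    dd if="$work/disk.img" bs=512 conv=noerror,sync 2>/dev/null \
        | tee "$work/clone.img" | sha256sum | cut -d' ' -f1 > "$work/clone.sha256"

    source_hash=$(sha256sum "$work/disk.img" | cut -d' ' -f1)
    clone_hash=$(cat "$work/clone.sha256")

    # Two ways of copying a file off the box: plain cp rewrites timestamps,
    # cp -p keeps owner/group, mode and the modification/access times.
    cp    "$work/disk.img" "$work/plain_copy"
    cp -p "$work/disk.img" "$work/preserved_copy"

    status=0
    [ "$source_hash" = "$clone_hash" ] \
        || { echo "clone hash differs from source" >&2; status=1; }
    # -nt/-ot compare modification times; neither true means it was preserved.
    if [ "$work/preserved_copy" -nt "$work/disk.img" ] \
       || [ "$work/preserved_copy" -ot "$work/disk.img" ]; then
        echo "cp -p did not preserve the modification time" >&2; status=1
    fi
    [ "$work/plain_copy" -nt "$work/disk.img" ] \
        || { echo "plain cp unexpectedly kept the old mtime" >&2; status=1; }

    rm -rf "$work"
    return $status
}

image_and_verify && echo "clone hash $clone_hash verified; cp -p preserved timestamps"
```

On a real system the source would be a block device such as /dev/sda rather than disk.img, and the same pipeline can feed nc instead of tee to push the image to a remote collector while still recording the hash on the way out.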

Slide 8: On-line Inspection: Memory Dump and Process Investigation
Memory dump:
• dd if=/dev/kmem of=output
• dd if=/dev/mem of=output
Process investigation:
• /bin/ps auxeww (view process environment)
• lsof -p pid (view files opened by the process)
• ltrace -p pid (trace process library calls)
• strace -p pid (trace process system calls)
• pcat pid > dumpfile (dump process image to a file)
• fuser file|socket (identify processes using files or sockets)
IEG7006 (2010)
Slide 9: On-line Inspection: Recovering Files from the Kernel through the /proc Directory
Each running process has a corresponding directory in /proc by the name of its pid. You can review various process information in this directory. You can also recover the process binary file even if it has been deleted from the hard disk.
IEG7006 (2010)
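As an added example covering both the process-investigation commands of slide 8 and the /proc recovery of slide 9 (not part of the lecture slides), the shell script below starts a constructed "suspect" process, deletes its binary from disk, reads its command line, working directory and open file descriptors from /proc/<pid>, and then recovers the deleted executable through /proc/<pid>/exe, verifying it against a hash taken before deletion. It assumes Linux with /proc mounted plus sh, cp, sha256sum, readlink, mktemp and sleep; the suspect is simply a private copy of the sleep binary, and no pcat is needed because the kernel's exe link serves the same purpose.

```shell
#!/bin/sh
# Added example, not from the slides. Shows what /proc/<pid> exposes about a
# running process and recovers its executable after the on-disk file was
# deleted. Assumes Linux with /proc plus sh, cp, sha256sum, readlink, mktemp
# and sleep. The "suspect" is a constructed stand-in: a copy of sleep.

recover_deleted_binary() {
    work=$(mktemp -d) || return 1

    # Copy sleep under its own name (BusyBox dispatches on argv[0]) and hash
    # it so the recovered file can be verified later.
    cp "$(command -v sleep)" "$work/sleep"
    expected=$(sha256sum "$work/sleep" | cut -d' ' -f1)
    "$work/sleep" 60 &
    pid=$!

    # The shell forks before it execs, so wait until /proc/<pid>/exe points
    # at our copy rather than at the shell itself.
    tries=0
    while [ $tries -lt 10 ]; do
        case "$(readlink "/proc/$pid/exe")" in */sleep) break ;; esac
        sleep 1; tries=$((tries + 1))
    done

    # Delete the on-disk binary, as an intruder might do to hide a tool.
    rm "$work/sleep"

    # Process investigation via /proc: argv, working directory, exe, open fds.
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "exe:     $(readlink "/proc/$pid/exe")"   # ends with "(deleted)"
    ls -l "/proc/$pid/fd"

    # The exe link still resolves to the unlinked inode while the process
    # lives, so copying it now recovers the deleted binary; cp -p keeps the
    # original mode and timestamps for the evidence record.
    cp -p "/proc/$pid/exe" "$work/recovered"
    actual=$(sha256sum "$work/recovered" | cut -d' ' -f1)

    kill "$pid"
    rm -rf "$work"
    [ "$expected" = "$actual" ]
}

recover_deleted_binary && echo "recovered binary matches hash $expected"
```

The same directory also holds environ, maps and status, which give the environment, memory layout and parent pid without attaching a tracer, so they are worth copying off before anything that might disturb the process.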
