====== System Forensics, Investigation, and Response Day 4 to end ======

===== Day 6 =====

==== Binary Analysis ====

  * Binary Analysis Outline
  * Binary Footprinting
  * Analyzing Binaries
  * **file** Analysis
  * **ldd** Analysis
  * **strings** Analysis
  * Code Analysis tools
  * Unix Code Analysis
    * gdb - debugger
    * objdump - information from object files
    * readelf - ELF format object files
    * strace - system call tracer
    * ald - assembly language debugger
  * Windows Code Analysis
    * IDAPRO - disassembler
    * SoftICE - debugger
    * REGMON - Sysinternals tool to monitor registry access
    * FILEMON - Sysinternals tool to monitor file access
  * Windows Binary Analysis
  * File Analysis - wrap-up
  * Obtaining a Rogue Process
  * /proc-tology
  * Obtaining a process
  * Solaris /proc-tology
  * BSD /proc-tology

==== Process Wiretapping ====

  * **strace**
  * **apptrace**

==== Malware Dissection ====

  * Malware Analysis - ''x2'' is the program under analysis
  * Vulnerable SSHD Servers
  * Examine Contents
  * First Command: **file**
  * **strings -a**
  * **gdb** debugger - ''gdb x2''
  * **objdump** - ''objdump -x x2''
  * **readelf** - ''readelf -a x2''
  * Encrypted?
  * Determining Encryption type
  * Executing the Exploit
  * Binary Executed
  * Usage
  * Findings
  * System Calls
  * Target Analysis
  * strace "read" capture
  * Network Analysis
  * Scan Phase
  * Obtaining Shell
  * Snort Signatures
  * Decrypting the Binary
  * Decrypting the file
  * Teso Burneye
  * Conclusion

==== The Forensic Challenge Hands-On Case Study ====

  * Accessible - http://project.honeynet.org
  * Case Study Background
  * The Attack
  * Snort Alerts
  * Network Packet
  * Your Mission...
  * The Images and mount points
  * Analysis Tools Available
  * Extracting the Images
  * Mounting the Images
  * Goals
  * Methodology
  * Forensic Investigation Methodology
  * MAC Timelines
  * File and Directory Analysis
  * Deleted File Analysis
  * Binary Analysis
  * Unallocated Disk Space
  * Ready??? Set??? Go!!!

==== The Analysis ====

==== Analysis Results ====

==== File Analysis ====

==== Unallocated Space Analysis ====

==== Swap Space Analysis ====

==== Find something on these ====

  * Lots of 0x90's (x86 NOP instructions, a NOP sled) in a transmission indicates a buffer overflow attack
  * winalysis
  * least privilege
  * Pen-trap, trap and trace
  * WinHex
  * substantial nexus

==== Another file recovery tool - Rapier ====

[[http://www.citadelsystems.net/index.php/forensics-tools/34-data-carver/46-rapier]]