Table of Contents

System Forensics, Investigation, and Response Day 4 to end
- Day 6

System Forensics, Investigation, and Response Day 4 to end

Day 6

Binary Analysis..2

Binary Analysis Outline..3
Binary Footprinting..4
Analyzing Binaries..5
file Analysis..6
ldd Analysis..9
strings Anaylysis..11
Code Analysis tools..13
Unix Code Analysis..14
- gdb - debugger
- objdump - Information from Object files
- readelf - ELF format object files
- strace - system call tracer
- ald - Assembly language debugger
Windows Code Analysis..15
- IDAPRO - disassembler
- SoftICE - debugger
- REGMON - sysinternals tool to monitor registry access
- FILEMON - sysinternals tool to monitor file access
Windows Binary Analysis..16
File Analysis - wrap-up..18
Obtaining a Rogue Process..19
/proc tology..20
Obtaining a process..22
Solaris /proc-tology..23
BSD /proc-tology

Process Wiretapping..25

strace..28
apptrace..33

Malware Dissection..36

Malware Analysis..37

x2 is the program

Vulnerable SSHD Servers..38
Examine Contents..39
First Command file..40
strings -a..41
gdb debugger..42

gdb x2

objdump..43

objdump -x x2

readelf..44

readelf -a x2

Encrypted ?..47
Determining Encryption type..50
Executing the Exploit..51
Binary Executed..52
Usage..53
Findings..54
System Calls..55
Target Analysis:..57
strace “read” capture..58
Network Analysis..60
Scan Phase..61
Obtaining Shell..62
Snort Signatures..63
Decrypting the Binary..65
Decrypting the file..66
Teso Burneye..67
Conclusion..68

The Forensic Challenge Hands-On Case Study..70

Accessible - http://project.honeynet.org..72
Case Study Background..73
The Attack..75
- Snort Allerts..76
- Network Packet..77
Your Mission…..78
The Images and mount points..79
Analysis Tolls Available..80
Extacting the Images..81
Mounting the Images..82
Goals..84
Methodology..85
Forensic Investigation Methodology..86
MAC Timelines..87
File and Directory Analysis..89
Deleted File Analysis..90
Binary Analysis..91
Unallocated Disk Space..92
Ready??? Set??? Go!!!..93

The Analysis..95

Analysis Results..100

File Analysis..105

Unallocated Space Analysis..146

Swap Space Analysis..149

Find something on these

lots of 0x90's in a transmission is buffer overflow attack winalysis least privilage Pen-trap, trap and trace WinHex substantial nexus

another file recovery tool - Rapier

http://www.citadelsystems.net/index.php/forensics-tools/34-data-carver/46-rapier