
System Forensics, Investigation, and Response Day 4 to end

Day 6

Binary Analysis..2

  • Binary Analysis Outline..3
  • Binary Footprinting..4
  • Analyzing Binaries..5
  • file Analysis..6
  • ldd Analysis..9
  • strings Analysis..11
  • Code Analysis tools..13
  • Unix Code Analysis..14
    • gdb - debugger
    • objdump - Information from Object files
    • readelf - ELF format object files
    • strace - system call tracer
    • ald - Assembly language debugger
  • Windows Code Analysis..15
    • IDA Pro - disassembler
    • SoftICE - debugger
    • Regmon - Sysinternals tool to monitor registry access
    • Filemon - Sysinternals tool to monitor file access
  • Windows Binary Analysis..16
  • File Analysis - wrap-up..18
  • Obtaining a Rogue Process..19
  • /proc-tology..20
  • Obtaining a process..22
  • Solaris /proc-tology..23
  • BSD /proc-tology
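The footprinting steps listed above (file, strings -a, readelf -h, and the "is it encrypted?" question that comes up later with the x2 sample) reimplemented in pure Python so the mechanics behind each tool are visible. This is an added example for these notes, not SANS 508 courseware; the ELF blob it builds is constructed (a valid i386 header with e_entry 0x08048080 and a short body), it is not the course's x2 binary, and the entropy/string-density thresholds in looks_packed are assumptions chosen for the sample.

```python
"""Static footprinting of an ELF binary in pure Python: what `file`,
`strings -a` and `readelf -h` report, plus an entropy check for a packed or
encrypted body. Added example for these notes, not SANS 508 courseware;
the sample binary below is constructed and is not the course's x2."""
import hashlib
import math
import struct

ET_NAMES = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object)"}
EM_NAMES = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident plus e_type/e_machine/e_entry (what `file` and `readelf -h` print)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt e_ident (EI_CLASS/EI_DATA)")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:                       # ELF32: e_entry is 4 bytes
        e_type, e_machine, _, e_entry = struct.unpack(end + "HHII", data[16:28])
    else:                                   # ELF64: e_entry is 8 bytes
        e_type, e_machine, _, e_entry = struct.unpack(end + "HHIQ", data[16:32])
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown ({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry,
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """`strings -a -n min_len`: printable ASCII runs anywhere in the file, not
    only in the data sections, which is why -a matters on a packed binary."""
    out, run = [], bytearray()
    for b in data + b"\x00":                # sentinel flushes the final run
        if 0x20 <= b < 0x7F or b == 0x09:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code sits well under 7, encrypted/packed bodies near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes) -> bool:
    """Heuristic for the 'Encrypted ?' question: a valid ELF header in front of a
    high-entropy body that yields almost no strings. Thresholds are assumptions."""
    hdr_len = 52 if data[4] == 1 else 64    # ELF32 vs ELF64 header size
    body = data[hdr_len:]
    string_bytes = sum(len(s) for s in extract_strings(body))
    density = string_bytes / len(body) if body else 0.0
    return shannon_entropy(body) > 7.0 and density < 0.2


def pseudo_random(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic stand-in for an encrypted body (SHA-256 hash chain, constructed)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_elf(packed: bool = False) -> bytes:
    """Constructed ELF32/i386 header (e_entry 0x08048080) followed either by a
    few plaintext strings or by an opaque 4 KiB body. Not a loadable program."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048080, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    if packed:
        return ident + hdr + pseudo_random(4096)
    body = b"\x00/lib/ld-linux.so.2\x00GLIBC_2.0\x00usage: %s <host>\x00ab\x00"
    return ident + hdr + body


def footprint(data: bytes) -> dict:
    """One-shot summary a triage script would print per file."""
    return {
        "header": parse_elf_header(data),
        "strings": extract_strings(data),
        "entropy": round(shannon_entropy(data), 2),
        "packed": looks_packed(data),
    }


if __name__ == "__main__":
    for name, blob in (("plain", build_sample_elf()), ("packed", build_sample_elf(True))):
        print(name, footprint(blob))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to footprint(); a packed binary shows a normal header, entropy close to 8 and a strings list that is empty apart from the unpacker's own messages, which is the cue to move on to the dynamic steps (strace, gdb) rather than spend more time on static strings.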

Process Wiretapping..25

  • strace..28
  • apptrace..33

Malware Dissection..36

  • Malware Analysis..37

x2 is the binary dissected in this section

  • Vulnerable SSHD Servers..38
  • Examine Contents..39
  • First Command file..40
  • strings -a..41
  • gdb debugger..42

gdb x2

  • objdump..43

objdump -x x2

  • readelf..44

readelf -a x2

  • Encrypted ?..47
  • Determining Encryption type..50
  • Executing the Exploit..51
  • Binary Executed..52
  • Usage..53
  • Findings..54
  • System Calls..55
  • Target Analysis:..57
  • strace “read” capture..58
  • Network Analysis..60
  • Scan Phase..61
  • Obtaining Shell..62
  • Snort Signatures..63
  • Decrypting the Binary..65
  • Decrypting the file..66
  • Teso Burneye..67
  • Conclusion..68
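The "strace read capture" step above recovers what the binary read from and wrote to the network by decoding strace's quoted buffers. Below is an added example for these notes (not SANS courseware) that reassembles per-descriptor streams from an strace -f -s 4096 -e trace=read,write,recv,recvfrom,send log; the log lines are constructed to look like an SSH banner exchange and a usage message, they are not output from the course's x2 binary, and the handling of unfinished/resumed lines is deliberately limited to a warning.

```python
"""Reassemble what a traced process read from / wrote to each descriptor out
of `strace -f -s 4096 -e trace=read,write,recv,recvfrom,send` output.
Added example for these notes, not SANS courseware; the log is constructed."""
import re

LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'                  # prefix present with -f
    r'(?P<call>read|write|recv|recvfrom|send)\((?P<fd>\d+),\s*'
    r'"(?P<buf>(?:[^"\\]|\\.)*)"(?P<trunc>\.\.\.)?'       # "..." means -s was too small
    r'.*\)\s*=\s*(?P<ret>-?\d+)'
)

SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11}


def unescape(s: str) -> bytes:
    """Undo strace's C-style quoting: \\n etc., \\ooo octal (default) and \\xHH (-x)."""
    out, i = bytearray(), 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
            continue
        i += 1
        e = s[i]
        if e in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[e])
        elif e == "x":
            out.append(int(s[i + 1:i + 3], 16))
            i += 2
        elif e in "01234567":
            j = i
            while j < len(s) and j < i + 3 and s[j] in "01234567":
                j += 1
            out.append(int(s[i:j], 8))
            i = j - 1
        else:                                  # \\ and \" (and anything unknown): literal
            out.append(ord(e))
        i += 1
    return bytes(out)


def capture(lines):
    """Return ({(fd, call): bytes}, warnings). Calls that -f splits into
    '<unfinished ...>' / '<... resumed>' pairs are not reassembled here, so
    check the warnings before trusting a gap in a stream."""
    streams, warnings = {}, []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            if "unfinished" in line or "resumed" in line:
                warnings.append(f"line {n}: split call not reassembled")
            continue
        data = unescape(m.group("buf"))
        ret = int(m.group("ret"))
        if m.group("trunc"):
            warnings.append(f"line {n}: buffer truncated by -s, {len(data)}/{ret} bytes kept")
        elif ret >= 0 and len(data) != ret:
            warnings.append(f"line {n}: decoded {len(data)} bytes but syscall returned {ret}")
        key = (int(m.group("fd")), m.group("call"))
        streams[key] = streams.get(key, b"") + data
    return streams, warnings


# Constructed log: an SSH banner exchange on fd 3, a usage message on fd 4,
# one split call and one truncated buffer to exercise the warnings.
SAMPLE_LOG = [
    'read(3, "SSH-1.99-OpenSSH_2.9p2\\n", 4096) = 23',
    'write(3, "SSH-1.5-OpenSSH_2.9p2\\n", 22) = 22',
    'read(3, "\\0\\0\\0\\5\\1\\0\\0\\0", 8) = 8',
    '[pid  4242] read(4, "USAGE: \\x2e/x2 <host>", 64) = 18',
    'read(3,  <unfinished ...>',
    '<... read resumed> "\\33[0m", 4096) = 4',
    'read(5, "AAAAAAAA"..., 4096) = 4096',
]

if __name__ == "__main__":
    streams, warnings = capture(SAMPLE_LOG)
    for (fd, call), data in sorted(streams.items()):
        print(fd, call, data)
    print("\n".join(warnings))
```

Run strace with a large -s (the default 32 bytes truncates every network buffer) and -o file so the trace is not mixed with the program's own output; fd numbers alone do not say which descriptor is the socket, so trace socket/connect as well and map fds from those lines.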

The Forensic Challenge Hands-On Case Study..70

  • Case Study Background..73
  • The Attack..75
    • Snort Alerts..76
    • Network Packet..77
  • Your Mission…..78
  • The Images and mount points..79
  • Analysis Tools Available..80
  • Extracting the Images..81
  • Mounting the Images..82
  • Goals..84
  • Methodology..85
  • Forensic Investigation Methodology..86
  • MAC Timelines..87
  • File and Directory Analysis..89
  • Deleted File Analysis..90
  • Binary Analysis..91
  • Unallocated Disk Space..92
  • Ready??? Set??? Go!!!..93
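The methodology above starts with a MAC timeline before looking at individual files. Below is an added example for these notes (not SANS or Sleuth Kit code) that builds a mactime-style timeline from modified/accessed/changed timestamps and narrows it to an attack window; the inode entries are constructed, and in practice they would come from fls -m / ils -m run against the mounted image.

```python
"""Build a MAC timeline (modified / accessed / changed) from inode metadata.
Added example for these notes, not SANS or Sleuth Kit code; entries are
constructed, not taken from a real case."""
from datetime import datetime, timezone

BASE = 973641600   # 2000-11-08 00:00:00 UTC, an arbitrary anchor for the sample

# (path, mtime, atime, ctime) as Unix epochs. Constructed, not from a real case.
SAMPLE_INODES = [
    ("/etc/passwd",       BASE,        BASE + 1800, BASE),
    ("/usr/bin/x2",       BASE + 1200, BASE + 1200, BASE + 1200),
    ("/tmp/.x/sshd",      BASE + 1200, BASE + 1500, BASE + 1200),
    ("/var/log/messages", BASE + 1800, BASE + 1800, BASE + 1800),
]


def build_timeline(entries):
    """Return [(epoch, flags, path)] ordered by time. flags is the mactime-style
    'mac' column: a letter is present when that timestamp of the file equals the
    row's instant and '.' otherwise, so a freshly written file shows 'mac'."""
    buckets = {}
    for path, mtime, atime, ctime in entries:
        for t, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            buckets.setdefault((t, path), set()).add(flag)
    rows = []
    for (t, path), flags in sorted(buckets.items()):
        rows.append((t, "".join(f if f in flags else "." for f in "mac"), path))
    return rows


def render(rows):
    """Human-readable timeline in UTC so image times line up with Snort alert times."""
    lines = []
    for t, flags, path in rows:
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp} {flags} {path}")
    return "\n".join(lines)


def files_touched_between(rows, start, end):
    """Narrow the timeline to the attack window, e.g. around the Snort alert."""
    return sorted({path for t, _, path in rows if start <= t <= end})


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_INODES)
    print(render(timeline))
    print(files_touched_between(timeline, BASE + 1200, BASE + 1500))
```

The atime column is only meaningful if the images were mounted read-only with noatime (and loop,nodev,noexec) as in the mounting step above; an ordinary mount plus a recursive listing rewrites every atime to the investigator's own clock and the 'a' flags then say nothing about the attacker.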

The Analysis..95

Analysis Results..100

File Analysis..105

Unallocated Space Analysis..146

Swap Space Analysis..149

Find something on these (terms to look up):

  • Lots of 0x90's in a transmission: 0x90 is the x86 NOP, so a long run of them in a payload is a NOP sled, the classic sign of a buffer overflow attack
  • Winalysis
  • Least privilege
  • Pen-trap (pen register), trap and trace
  • WinHex
  • Substantial nexus
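The 0x90 point above, as a detection: an added example for these notes (not SANS courseware and not a Snort rule) that finds the longest NOP run in a payload and reports a sled when it passes a threshold. The threshold of 14 is an assumption taken from the run length the classic Snort x86 NOOP content match used, the alternative-byte set is the usual inc/dec single-byte instructions attackers substitute for 0x90, and the packets are constructed.

```python
"""Spot a NOP sled in a transmission: 0x90 is the x86 single-byte NOP, and a
long run of it in front of shellcode is the classic buffer overflow signature.
Added example for these notes, not SANS courseware or Snort code; the packets
are constructed and the threshold is an assumption."""

X86_NOP = 0x90
# Single-byte inc/dec ecx, edx, ebx, esi, edi: harmless to a sled and used to
# evade a plain 0x90 match. (eax and esp variants are left out on purpose.)
NOP_EQUIVALENTS = frozenset({X86_NOP, 0x41, 0x42, 0x43, 0x46, 0x47,
                             0x49, 0x4A, 0x4B, 0x4E, 0x4F})


def longest_run(payload: bytes, accept) -> tuple:
    """(offset, length) of the longest run of bytes drawn from `accept`."""
    best_off = best_len = cur_off = cur_len = 0
    for i, b in enumerate(payload):
        if b in accept:
            if cur_len == 0:
                cur_off = i
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0
    return best_off, best_len


def nop_sled(payload: bytes, threshold: int = 14, accept=frozenset({X86_NOP})):
    """Return (offset, length) of a run at least `threshold` bytes long, else None.
    14 mirrors the classic Snort 'SHELLCODE x86 NOOP' content match (assumed)."""
    off, length = longest_run(payload, accept)
    return (off, length) if length >= threshold else None


# Constructed payloads, not captured traffic.
BENIGN = b"SSH-1.99-OpenSSH_2.9p2\r\n" + b"\x00\x00\x00\x90"      # one stray 0x90
SLED = b"\x00\x01" + b"\x90" * 40 + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3" + b"A" * 16
EVASIVE = b"\x00\x01" + b"\x41\x42\x43" * 14 + b"\x31\xc0\x50"    # inc ecx/edx/ebx sled


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("sled", SLED), ("evasive", EVASIVE)):
        print(name, nop_sled(pkt), nop_sled(pkt, accept=NOP_EQUIVALENTS))
```

A single 0x90 or a short run is common in binary protocols and in the text 'A'*16 padding after the shellcode above, which is why the rule keys on a run rather than on presence; widening accept to NOP_EQUIVALENTS catches the evasive sled at the cost of more false positives on data that happens to be runs of A-C or I-O, so pair it with a port and direction constraint as a Snort rule would.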

another file recovery tool - Rapier

aoe/sans508-6.txt · Last modified: 2023/12/27 16:45 by 127.0.0.1