Network Security Library

Forensics

Macintosh Forensic Analysis Using OS X
The purpose of this paper is to describe sound forensic techniques as they pertain to the Macintosh. In order to accomplish this task, I must first describe basic forensic techniques that apply to all computer systems. Then I will provide a brief history of the various Macintosh models and operating systems, as each one can provide some intriguing problems. Finally, I will follow this up with a specific outline of how to perform the proper analysis of a Macintosh computer system using an OS X based system as the analysis machine. The result of this paper will be a useful reference to those people who may be required to perform a computer forensic analysis on a Macintosh.
04/15/2004


Adventures in Computer Forensics
What exactly do forensic analysts do? How can this type of work help law enforcement or corporate security managers? If you want to solve a puzzle, isn't it often best to have all the pieces? Computer forensics is one piece of the investigative puzzle. There must be some need to conduct this type of investigation. Security managers and law enforcement alike must have proper authorization before conducting this type of analysis on a computer. Security managers should get this in writing as part of their security policy. Check with your lawyers and be aware of privacy laws and how they apply even in the corporate setting. The privacy laws may go beyond a consent to search and consent to monitoring.
04/14/2004


Forensic Analysis of a Live Linux System, Part Two
Last month, in the first part of this article series, we discussed some of the preparation and steps that must be taken when analyzing a live Linux system that has been compromised. Now we'll continue our analysis by looking for malicious code on the running system, and then discuss some of the searches that can be done with the data once it has been transferred to our remote host. Note: Some readers, after reading the first part of this article, pointed out that before transferring any digital data from the compromised machine, the trusted shell should be run. I think that it's a good idea, so we should, for instance, compile the bash shell statically and then copy it to our removable media.
04/13/2004


Windows Forensics - A Case Study: Part Two
This article is the second in a two-part series that will offer a case study of forensics in a Windows environment. In Part One, we discussed host-based forensics techniques that first responders can use to detect attacks in relatively unprotected environments, and how to begin collecting information to determine the appropriate response. Part One dealt with understanding what an attacker was doing on an individual host. This article deals with determining the scope of the compromise, and understanding what the attacker is trying to accomplish at the network level. Along the way, we'll be discussing some tools and techniques that are useful in this type of detective work.
04/05/2004


Windows Forensics: A Case Study, Part One
It's a security person's worst nightmare. You've just inherited a large, diverse enterprise with relatively few security controls when something happens. We all try to detect malicious activity at the perimeter of the network by monitoring our intrusion detection systems, and watching attackers bang futilely on our firewall. Even those attackers tricky enough to slip through the firewall bounce harmlessly off our highly secured servers, and trip alarms off throughout the network as they attempt to compromise it. Reality is usually somewhat different: most of us simply don't have the tools, or at least we don't have expensive, dedicated tools. But we do have ways to stop the pain.
04/05/2004


Reverse Engineering Hostile Code
Computer criminals are always ready and waiting to compromise a weakness in a system. When they do, they usually leave programs on the system to maintain their control. We refer to these programs as "Trojans" after the story of the ancient Greek Trojan horse. Often these programs are custom compiled and not widely distributed. Because of this, anti-virus software will not often detect their presence. It also means information about what any particular custom Trojan does is also not generally available, so a custom analysis of the code is necessary to determine the extent of the threat and to pinpoint the origin of the attack if possible.
04/05/2004


Maintaining System Integrity During Forensics
Deciding how to maintain the integrity of a system for use in a forensic examination can be a little like deciding which club to use to get out of the rough on the last hole of a golf tournament, i.e. the stakes are high and you never know if you've made the right choice until it's too late to change your mind (note: this analogy only works if you play golf as badly as I do. If you're a good golfer, or if you don't play golf at all, you'll have to come up with one of your own). While the use of good judgement may be more art than science, if we keep in mind certain basic principles and remember to think before we act we should give ourselves the best possible chance of a successful forensic outcome. These basic principles are the bedrock upon which any notions of a "best practice" must be constructed and will be the basis of this article.
04/05/2004


Incident Response Tools For Unix, Part Two: File-System Tools
This is the second article in a three-part series on tools that are useful during incident response and investigation after a compromise has occurred on a Linux, OpenBSD, or Solaris system. The first article focused on system tools, this one focuses on file-system tools, and the next article will discuss network and other tools. The information used in these articles is based on OpenBSD 3.2, Debian GNU/Linux 3.0 (woody), RedHat 8.0 (psyche), and Solaris 9 (aka Solaris 2.9 or SunOS 5.9). The tools focused on are generally tools that are available with the operating system, although some that may not be native to a given system are discussed as well. If a tool that is discussed isn't available on the operating system you're using, the information on acquiring tools in the references section [1] might help you out.
04/05/2004


Freeware Forensics Tools for Unix
You are a security specialist brought in to investigate the suspected security compromise of a Unix machine. You are expected to gather as much information as possible without altering or contaminating the evidence. The data you collect must be good enough to determine whether a compromise has actually occurred on the system. During the analysis of data, you will need to create a detailed time-based reconstruction of the attack and compromise. You must also answer questions such as: when and where did the compromise occur, how did the compromise occur, how many systems were affected, and what files were affected. This information is critical in determining who attacked your system, how they gained access, and whether prosecution is justified.
04/05/2004


Forensics on the Windows Platform, Part Two
This is the second of a two-part series of articles discussing the use of computer forensics in the examination of Windows-based computers. In Part One we discussed the wider legal issues raised by computer forensics and the benefits of pre-investigation preparation. In this article we will concentrate on the areas of a Windows file system that are likely to be of most interest to forensic investigators and the software tools that can be used to carry out an investigation.
04/05/2004





Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget