Forensic Analysis :using TSK and Volatility

A bit about Me• Mark Bennett

• Work for Check Point Software.

• Incident Response/Forensics for Health Care– Firewalls– Malware analysis– Intrusion Prevention– HR/Legal– Watching over the enterprise

• SANS Instructor– http://www.sans.org– http://www.darknet-consulting.com– http://www.pauldotcom.com

Agenda• Metasploit

– How to use it– What can you do with it

• Making Forensic copies– Copying memory– Copy Hard drive

• Timeline analysis– How to create– How to read

• Memory analysis– Strings– Volatility

• See it live• Wrap up

Metasploit

Metasploit – cont.

Mandiant Memoryze

Using dd for bit-by-bit copies

fls - bodyfile

mactime - timeline

Timeline Analysis

Memory Analysis

Volatility – memory analysis

Live Demo

Let’s Do it for Real!!!

Questions/Comments

??????????????????????????????????

Wrap UP

• Mark Bennett– http://www.sans.org/mentor

• 508 Advanced Forensic Analysis• 408 Windows Forensics• 504 Incident Response

– http://www.darknet-consulting.com– http://www.pauldotcom.com– Hack Labs – Metasploit

• Be good, be safe, if you are going to hack, hack legally and responsibly – I’m Out!

THANK YOU FOR ATTENDING