
Windows Forensics

Dr. Phil Polstra @ppolstra
PhD, CISSP, CEH
http://philpolstra.com

Certifications: http://www.securitytube-training.com
Pentester Academy: http://www.PentesterAcademy.com

©SecurityTube.net
Collecting Volatile Data

High Level Process

Flowchart (recovered from the slide): Call Placed → Incident? (No: Lessons Learned; Yes: Dead Analysis?) → Dead Analysis? (No: Live Analysis; Yes: Acquire Images → Dead Analysis) → Write Reports → Lessons Learned

Data to Collect

Date and Time
– Clock may be skewed
– Might be in different timezone

Network interfaces
– Funny networks
– Promiscuous mode?

Network connections

Data to Collect (cont.)

Open ports

Programs associated with ports

Process memory dumps

Currently logged on users

Clipboard contents

Running processes

Running services

Driver information

Open files

Routing tables

Mounted filesystems

Scheduled jobs

Shares

Command history
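The two "Data to Collect" checklists as one PowerShell collection pass, written to timestamped files with a SHA-256 manifest. This is an added example, not code from the original slides; it assumes Windows 8 / Server 2012 or later with PowerShell 5.1, the output path is a placeholder for external media, and process memory dumps are left to a dedicated tool.

```powershell
# Added example (not from the original slides): collect the volatile items the
# "Data to Collect" slides list, most volatile first, into per-item text files.
# Assumes PowerShell 5.1 on Windows 8 / Server 2012 or later. Output path is a placeholder.
function Invoke-VolatileCollection {
    param([string]$OutputDir = "E:\case\volatile")   # placeholder: external media
    $stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
    $dir = Join-Path $OutputDir $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $steps = [ordered]@{
        # Local time, UTC and zone together, so clock skew can be corrected later.
        "01_datetime"    = { Get-Date -Format o; (Get-Date).ToUniversalTime().ToString("o"); Get-TimeZone | Format-List }
        # Interfaces including promiscuous-mode flag, then addresses (unexpected networks).
        "02_interfaces"  = { Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status, PromiscuousMode | Format-List
                             Get-NetIPAddress | Format-Table -AutoSize }
        # Connections and listening ports joined to the owning program.
        "03_tcp"         = { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
                               @{n="Process";e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path}} | Format-Table -AutoSize }
        "04_udp"         = { Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize }
        "05_routes"      = { Get-NetRoute | Format-Table -AutoSize }
        "06_users"       = { quser 2>&1 }
        "07_clipboard"   = { Get-Clipboard -Raw }
        "08_processes"   = { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate | Format-List }
        "09_services"    = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, ProcessId, PathName | Format-Table -AutoSize }
        "10_drivers"     = { Get-CimInstance Win32_SystemDriver | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize }
        "11_openfiles"   = { Get-SmbOpenFile | Format-Table -AutoSize }
        "12_shares"      = { Get-SmbShare | Format-Table -AutoSize }
        "13_filesystems" = { Get-Volume | Format-Table -AutoSize; Get-SmbMapping | Format-Table -AutoSize }
        "14_schedtasks"  = { Get-ScheduledTask | Where-Object State -ne "Disabled" | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize }
        # Saved PSReadLine history for every profile; the live console's own history needs Get-History there.
        "15_cmdhistory"  = { Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*.txt" -ErrorAction SilentlyContinue |
                               ForEach-Object { "=== $($_.FullName) ==="; Get-Content $_.FullName } }
    }

    foreach ($name in $steps.Keys) {
        $file = Join-Path $dir "$name.txt"
        try   { & $steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8 }
        catch { "ERROR: $_" | Out-File -FilePath $file -Encoding utf8 }
    }
    # Hash manifest so the collected files can be verified when the report is written.
    Get-ChildItem $dir -Filter *.txt | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path | Out-File (Join-Path $dir "manifest.sha256.txt") -Encoding utf8
    return $dir
}
```

Run from an elevated console; the order of the steps is deliberate, since connections and process state change faster than shares or saved history.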

Collecting Data
