Win2K First Responder's Guide
When it comes to computer security incidents, proper first response handling is second in importance only to incident prevention. Improper handling or collection of available information can do irreparable harm to an investigation. Investigators need to have a thorough understanding of what information they intend to collect, as well as the tools they can use and the effects those tools have on the system itself.
Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
In my last article, Reverse Engineering Hostile Code, I described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild. At the same time, this article will discuss some techniques for reversing Windows-native code entirely under Linux. As an added bonus, all the tools used in this article are either freeware or free software.
Discovery, Eradication and Analysis of an attack on an open system: Welcome to the Jungle
This is not necessarily a technical paper analyzing rootkit operation. There have been many excellent papers written that perform this function, some of which are referenced later. This paper is rather intended to help others who find themselves in a similar situation to deal with an attack of this nature. It should also serve as an illustration that defense in depth can be extremely effective in reducing the possibility of a major break-in, but cannot guarantee that break-ins can be entirely prevented. The most important theme of this paper is that no matter how much protection is in place, there must be documented policies and procedures that can be followed when an incident occurs.
Reporting Incidents to an ISP with BlackICE ClearICE Report Utility and the Importance of Submitting Firewall Logs to the Dshield.org Project
This practical has two objectives: guide users of BlackICE to report incidents to their ISPs (using the ClearICE Report Utility) and show users the importance of submitting firewall logs to the dshield.org project. Since the installation of BlackICE does not require much work on a single workstation, I will assume that it's already installed and start from the incident itself, passing through BlackICE's alert, blocking the intruder to avoid his activities and working with ClearICE to create a useful report to the attacker's ISP to help them track the malicious user.
Suspicious Unix Log File Entries and Reporting Considerations
In my Kickstart paper I covered basic Unix log files with a configuration file that gathered everything. I would like to expand on that and now cover messages found in those log files that would cause concern and require further investigation. My selection to continue on this subject lies in my inability to find comprehensive information that provides direction to administrators, particularly those in federal government, on what messages in log files could require critical attention and reporting.
A 'Bag of Tricks' Approach to Proactive Security
Security does not begin with the detection of a compromised server or other form of detected intrusion. Where, then, does security begin? This paper explores this question. Simply stated, this paper focuses on common sense. However, practically stated, the goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.
Incident Management 101 Preparation & Initial Response (aka Identification)
The intended audience is incident handlers who are responding to suspicious activity (versus malicious code or DOS attacks) on both Unix and Windows systems. The guidelines, procedures and tools described are intended for business recovery, not for legal purposes such as preservation of evidence, forensic analysis, or prosecution.
Writing an Incident Handling and Recovery Plan
While many websites and papers discuss incident handling and incident response plans, aside from RFC 2350, very few of these lay out exactly what an actual plan might look like. The following is an outline of a typical generalized incident handling and response plan for a small to mid-sized organization that doesn't have a dedicated incident response staff.
Windows NTFS Alternate Data Streams
The purpose of this article is to explain the existence of alternate data streams in Microsoft Windows, demonstrate how to create them by compromising a machine using the Metasploit Framework, and then use freeware tools to easily discover these hidden files.