
    Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

    People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PSLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.

    First Responders Guide to Computer Forensics

    This handbook is for technical staff members charged with administering and securing information systems and networks. It targets a critical training gap in the fields of information security, computer forensics, and incident response: performing basic forensic data collection. The first module describes cyber laws and their impact on incident response. The second module builds understanding of file systems and outlines a best practice methodology for creating a trusted first responder tool kit for investigating potential incidents. The third module reviews some best practices, techniques, and tools for collecting volatile data from live Windows and Linux systems. It also explains the importance of collecting volatile data before it is lost or changed. The fourth module reviews techniques for capturing persistent data in a forensically sound manner and describes the location of common persistent data types. Each module ends with a summary and a set of review questions to help clarify understanding. This handbook was developed as part of a larger project. The incorporated slides are from the five day hands-on course Forensics Guide to Incident Response for Technical Staff developed at the SEI. The focus is on providing system and network administrators with methodologies, tools, and procedures for applying fundamental computer forensics when collecting data on both a live and a powered off machine. A live machine is a machine that is currently running and could be connected to the network. The target audience includes system and network administrators, law enforcement, and any information security practitioners who may find themselves in the role of first responder. 
    The handbook should help the target audience to
    * understand the essential laws that govern their actions
    * understand key data types residing on live machines
    * evaluate and create a trusted set of tools for the collection of data
    * collect, preserve, and protect data from live and powered off machines
    * learn methodologies for collecting information that are forensically sound (i.e., able to withstand the scrutiny of the courts
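    The two abstracts above turn on the same practical point: volatile data (clock, network state, processes, logged-on users) must be collected before it is lost or changed, using a trusted toolkit rather than the target's own binaries, and in a way that can later be shown to be intact. The script below is an added illustration of that procedure, not code from the SEI handbook or paper. The toolkit path, the command list and its ordering are assumptions chosen for the example; the manifest format is likewise an illustration, not a standard.

```python
"""Volatile-data collection in order of volatility, with a hashed manifest.

Added illustration; not code from the SEI handbook. The toolkit path and the
command list below are assumptions chosen for the example.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Assumed location of the first responder's trusted toolkit: known-good,
# preferably statically linked binaries on read-only media, so collection does
# not depend on binaries on the (possibly compromised) target.
TRUSTED_BIN = Path("/mnt/cdrom/bin")

# Collection order: most volatile first (clock, then network state and
# processes, then logged-on users). Example commands, not the handbook's list.
DEFAULT_COMMANDS = [
    ("date", ["date", "-u"]),
    ("network", ["netstat", "-an"]),
    ("processes", ["ps", "-ef"]),
    ("logged_on", ["who"]),
]


def resolve(argv, toolkit=TRUSTED_BIN):
    """Use the toolkit's copy of a binary when present; otherwise fall back to the
    target's own copy and record that fact, so the report states which was trusted."""
    candidate = toolkit / Path(argv[0]).name
    if candidate.is_file():
        return [str(candidate)] + list(argv[1:]), "toolkit"
    return list(argv), "target"


def collect(commands, outdir, toolkit=TRUSTED_BIN, timeout=60):
    """Run each command, write its raw output under outdir, and return a manifest
    recording command, binary source, UTC start time, exit status and SHA-256."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in commands:
        resolved, source = resolve(argv, toolkit)
        started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        try:
            proc = subprocess.run(resolved, capture_output=True, timeout=timeout)
            data, status = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Keep going: one failed step must not abort collection of the rest.
            data, status = f"collection failed: {exc}".encode(), None
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        manifest.append({
            "name": name,
            "command": resolved,
            "binary_source": source,
            "started_utc": started,
            "exit_status": status,
            "file": path.name,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    manifest_bytes = json.dumps(manifest, indent=2).encode()
    (outdir / "manifest.json").write_bytes(manifest_bytes)
    # The manifest digest is the value the responder copies into contemporaneous notes.
    (outdir / "manifest.sha256").write_text(hashlib.sha256(manifest_bytes).hexdigest() + "\n")
    return manifest


def verify(outdir):
    """Recompute digests and return the names of collected files that no longer match."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_bytes())
    return [entry["name"] for entry in manifest
            if hashlib.sha256((outdir / entry["file"]).read_bytes()).hexdigest() != entry["sha256"]]


def demo():
    """Offline self-check using the current interpreter as the only 'tool'.
    Returns (manifest, mismatches_before_tampering, mismatches_after_tampering)."""
    outdir = Path(tempfile.mkdtemp(prefix="volatile-"))
    constructed = [("probe", [sys.executable, "-c", "print('constructed output')"])]
    manifest = collect(constructed, outdir, toolkit=outdir / "no-such-toolkit")
    before = verify(outdir)
    (outdir / "probe.txt").write_bytes(b"tampered")  # simulate post-collection alteration
    after = verify(outdir)
    return manifest, before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp(prefix="volatile-")
    for entry in collect(DEFAULT_COMMANDS, target):
        print(f"{entry['name']:<10} {entry['binary_source']:<8} {entry['sha256']}")
    print("written to", target)
```

    Run it with an output directory on removable media as the argument; the manifest records, per item, whether the binary came from the toolkit or had to be taken from the target, which is exactly the point an examiner will be asked about later. The `verify` step re-hashes the collected files so that alteration after collection is detectable, as the `demo` self-check shows by tampering with one file.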

    First Responders Guide to Computer Forensics: Advanced Topics

    This handbook expands on the technical material presented in SEI handbook CMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics. While the latter presented techniques for forensically sound collection of data and explained the fundamentals of admissibility pertaining to electronic files, this handbook covers more advanced technical operations such as process characterization and spoofed email. It describes advanced methodologies, tools, and procedures for applying computer forensics when performing routine log file reviews, network alert verifications, and other routine interactions with systems and networks. The material will help system and network professionals to safely preserve technical information related to network alerts and other security issues.

    Results of SEI Independent Research and Development Projects

    The Software Engineering Institute (SEI) annually undertakes several independent research and development (IRAD) projects. These projects serve to (1) support feasibility studies investigating whether further work by the SEI would be of potential benefit and (2) support further exploratory work to determine whether there is sufficient value in eventually funding the feasibility study work as an SEI initiative. Projects are chosen based on their potential to mature and/or transition software engineering practices, develop information that will help in deciding whether further work is worth funding, and set new directions for SEI work. This report describes the IRAD projects that were conducted during fiscal year 2009 (October 2008 through September 2009).