
ELMO for Incident Response

Find out how ELMO can assist with a live incident response situation

John Moran

February 02, 2017 - Posted by John Moran to Security Insight

In most incident response situations, it is necessary to collect some form of volatile data. While disk forensics continue to play a role in incident response, we know that the tactics of today’s adversaries require different methods from incident responders. One of those tactics is live forensics to capture volatile data.

Much like traditional “dead box” forensics, most investigators will agree that no single tool can meet the needs of every investigation. Instead, investigators commonly use multiple tools to gather information based on the needs of the investigation. Some examples are memory acquisition, running processes, network connections and open file handles.

Running these tools in a Windows environment is most often achieved by scripting multiple tools through the use of a batch file. This achieves several goals. First, it allows the investigator to execute a single file, which will run multiple tools. Second, it ensures that all tools are... read more >

Hibernation and Page File Analysis

Not All Is Lost When You Lose Your Memory

Jeremy Scott

May 26, 2016 - Posted by Jeremy Scott to Security Insight


Some time ago I wrote a blog, Memory: It’s What’s for Dinner, about the importance of capturing volatile data and memory analysis. I also provided an intro for memory analysis in Hunting Malware with Memory Analysis and More Memory Fun. What happens if you are not able to grab memory? Obviously, a full memory capture of the suspect system will give you the best chance at recovering volatile information from the system but if you can’t, not all is lost.

Hibernation and page files contain data that can help put the pieces of the puzzle back together. The hibernation... read more >

Preparation is Key to Incident Response Success!

Are you prepared for a security incident? #WarStoryWednesday

David Biser

December 02, 2015 - Posted by David Biser to Security Insight

“Before anything else, preparation is the key to success.” (Alexander Graham Bell)

Most security personnel follow a six-step process when it comes to incident response. These six steps are outlined as follows:

  1. Preparation (before any incident)

    **Incident Occurs**

  2. Detection and... read more >

Hiding In Plain Sight

Analyzing Anomalous Data Structures

Ramece Cave

December 09, 2014 - Posted by Ramece Cave to Security Insight


Malware authors are known for developing clever, interesting and sometimes dastardly ways to move, hide and distribute their wares to the masses.

They often work tirelessly to stay ahead of security analysts by playing on doubts, limitations and red tape. Some authors use trivial encryptions or encoding schemes like base64 while others use high-grade encryption or perform small modifications to a file to avoid detection.

If that does not work, the attacker can hide content in, or append content to, image files or files made to look like images but which are structurally another file type entirely. From a forensic standpoint, some of these files do not have a known structure and can be extremely difficult to identify and categorize; therefore they fall into the anomalous category.

In my thought process, anomalous data is that binary file that does not have an identified file structure.... read more >

Gathering, Preserving, Tracking and Storing Forensic Data

Top Ten Recommended Steps for an Incident Response

Susan Carter

September 18, 2014 - Posted by Susan Carter to Security Insight


There may be an occasion when a governmental authority, or your own ISP, will contact your organization and state that one of your organization-owned IPs is talking to known bad IPs.

Your first instinct is probably to stop the communication. Your second instinct may be to poke around the system(s) to figure out why there was communication to the bad IPs.

Although these are understandable steps, the poking actions could be altering artifacts that are critical to finding which and why these programs, services and processes are doing the communicating.

If your company does not have an incident response plan with a team or expertise to execute a plan, I highly recommend having at least one manager and one technical employee trained to properly gather, preserve, track and store forensic evidence.

These employees should be the very first contacted in the case of a possible ... read more >

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.
