In this video I describe the incident response process.  Companies should have a policy for incidents that should be followed, once one has been identified. The best place to start is the governmental guidelines listed in the publications listed.
 

In this section I discuss malware.  In particular, I discuss: What malware is, possible consequences of malware, two types of analysis, and demonstrate both types of analysis. 

In this lecture I discuss the use of static techniques to analyze malware. By static I mean techniques you may use without actually running the malware. For instance you can calculate the hash and use Google to search for that hash. If it matches, you know what the program is.  You can also look at any ASCII or UNICODE included in the malware, then Google for those keywords.   Even though you aren't running the malware, it's a very good idea to t setup an experimental host-only system so that the malware can't connect to any live machine on your real network. See the notes below as to how to do this. 

In this lecture I discuss the use of dynamic techniques to analyze malware. By dynamic I mean you are running the malware. When you run the malware you can analyze it's behavior, including changes it makes to the operating system, any attempted connections to other machines, ports that are opened, etc.  Since you are running a live piece of malware it's important you setup an experimental host-only system so that the malware can't connect to any live machine on your real network. See the notes below as to how to do this. 

In this section I discuss how to import a virtual hard drive to an existing VM.  This is a 'setup' video as you'll be using this technique for your assignment. However, it's also very useful if you have a VM or hard drive that has been tampered with, or that might contain evidence.  In that case it would be useful to understand how to import the drive so that you can use your forensics tools to conduct an examination of the drive.  

In this section I discuss how to perform a forensic imaging over a network.  There are commercial tools to do this; however, these are often very expensive. It's good to know a way to perform a network imaging without having to resort to these tools. We do this with two free GNU utilities, nc (netcat) and dd.  It's pretty cool and all you need is a bootable version of Linux (thumb drive or CD) and the IP of the machine to be imaged.  

Sleuthkit is a suite of command line tools that allow you to perform a very detailed forensic analysis.  The tools can be combined with a front-end browser-based GUI called 'Autopsy' to provide a fairly sophisticated forensic workstation. 

Review of TCP/IP fundamentals, the OSI model, TCP vs UDP, application protocols, IP addressing, NAT, and an overview of proxy servers.  This is a REVIEW of the OSI model and TCP/IP.  We assume you have a fundamental understanding of networking. In the 'Additional Information' section we've included some additional resources on fundamentals of networking.

Our networks and systems are constantly being probed and attack.  Each type of probe or attack has a 'signature' that indicates the type of probe or attack.  In this section I discuss types of probes and their signature, as well as types of attacks. Of course there are thousands of different types of attacks so we'll concentrate on some that you might encounter on your own company network. 

Wireshark is a free tool that supports the parsing of network packet captures.  This makes it easy to read and review the contents of packet captures, but it's up to YOU to identify the normal or anomalous behavior. (Note: Intrusion detection systems can be used for this purpose as well, that was covered in CIS4360). Here I review some intrusion detection rules, use tcpdump for capturing and reviewing packets, and then provide an introduction to Wireshark as well as the use of Wireshark filters.  

Digital evidence can come from both static and dynamic sources. Static sources are hard drives, thumb drives, etc. But what about dynamic sources, like RAM and swap files? In this first quick lecture I discuss how to install FTK Imager on a thumb drive. This will set us up for the next installment, which is to grab RAM and swap, and analyze it.

In this lecture I describe how to capture RAM and swap using FTK imager. You will then use other tools to carve information out of captured evidence.

You've worked with network intrusion detection systems, systems that identify anomalous packets or streams as they cross through your network.  A second type of intrusion detection system is the host-based IDS (HIDS).  HIDS work typically by calculating a hash of important files and encrypting these hashes ina a database. On a certain schedule the HIDS will recalculate the hashes and compare it to those in the encrypted database. If the hashes don't match, something hash changed. In this section I discuss HIDS, and demonstrate a well-known (now commercial) HIDS, Tripwire.

A honeypot is a computer security system used to detect, deflect, or, in some manner, counteract attempts at unauthorized use of an information system or computer.  In this video I discuss honeypots and how they are used to defend your network. In particular the technology is useful for identifying and monitoring insider threats, which is the number one threat vector for most networks.

How do you know if there's been an intrusion on your network? It's not an easy task to identify all of the evidence that might point to an intrusion. In these videos I describe sources of information that can be used to identify whether a Linux system has been victim to an intrusion. Note that the same principles apply to any system, only the location of the evidence will be different.                                                  

Ethics come into play in any forensics investigation.  What you do, and when you do it, should be driven by legal and ethical considerations. In this series of presentations John Barbara, retired Florida Department of Law Enforcement, discusses ethical issues in forensics investigations.