
Difference between revisions of "Advanced Forensic Techniques"

From OWASP
(Created page with '= '''Advanced Web Hacking – Securing Ajax, RIA and SOA''' = Course: Advanced Web Hacking – Securing Ajax, RIA and SOA<br>Course ID: SB1DAWH<br>Instructor: Shreeraj Shah<br>C…')
 
(Advanced Forensics Techniques)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
= '''Advanced Web Hacking – Securing Ajax, RIA and SOA''' =
+
= '''Advanced Forensics Techniques''' =
  
Course: Advanced Web Hacking – Securing Ajax, RIA and SOA<br>Course ID: SB1DAWH<br>Instructor: Shreeraj Shah<br>CPE Credits: 7 CPE’s <br>Duration: 1 Day<br>Date: November 20th, 2009 (9 AM – 6 PM)<br>
+
Course: Advanced Forensics Techniques<br>Course ID: SB1DAFT<br>Instructor: Dr. Chandrasekar Umapathy<br>CPE Credits: 7 CPE’s<br>Duration: 1 Day<br>Date: November 19th, 2009 (9 AM – 6 PM)<br>
  
'''Who should attend?'''<br>• SOA Architects<br>• Software Developers<br>• Penetration Testers / Security Analysts<br>• Security Architects
+
'''Who should attend?'''<br>• General IT security specialists and administrators<br>• IT security specialists who are interested in learning core concepts of Forensics specifically<br>• Security officers for organisations and companies<br>• Law Enforcement agencies<br>• Incident Response Team members
 +
 
 +
'''Class Pre-requisite:'''<br>• This class is for anyone who wants to begin with Forensics.
 +
 
 +
'''Class Requirement:'''<br>• Students to carry their laptop with at least Windows XP professional SP2.<br>• Students should have Administrative access / Privileges on the laptop for installing software.<br>• USB or CD/DVDROM device (N.B for bootable software).<br>• Wireless Enabled<br>• Required tools would be distributed during the session
  
'''Class Pre-requisite:'''<br>• Experience developing or assessing Web Applications &amp; Web Services.<br>• Understanding of SOA and RIA Concepts <br>• Knowledge of penetration testing / security Assessment will be an advantage but is not essential.
 
  
'''Class Requirement:'''<br>• Entirely Demo based class- No laptop required.<br>• Trainer may provide DVD containing tools demo’ed during the class.
 
  
 
'''Course Description:'''
 
'''Course Description:'''
  
Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web-based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lots of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
+
This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime.
 +
 
 +
'''Module 1 - Computer Forensic Investigative Theory'''<br>
 +
- History of Digital Forensics<br>
 +
- Digital Evidence<br>
 +
- Three Main Aspects to Digital Evidence Reconstruction<br>
 +
- Attack Guidelines for the Recovery of Digital Data<br>
 +
- Classification<br>
 +
- Reconstruction<br>
 +
- Demo - TimeStomping<br>
 +
- Behavioral evidence analysis (BEA)<br>
 +
- Equivocal forensic analysis (EFA)<br>
 +
- Victimology<br>
 +
- Demo - Following the Clues from an Email Header<br>
 +
 
 +
'''Module 2 - Computer Forensic Processing Techniques'''<br>
 +
- Goal of Digital Evidence Processing<br>
 +
- Demo - Logical Review with FTK<br>
 +
- Duplication<br>
 +
- Documenting and Identifying<br>
 +
- Disassembling the Device<br>
 +
- Disconnecting the Device<br>
 +
- Document the Boot Sequence<br>
 +
- Removing and Attaching the Storage Device to Duplicated System<br>
 +
- Circumstances Preventing the Removal of Storage Devices<br>
 +
- Write Protection via Hardware/Software<br>
 +
- Geometry of a Storage Device<br>
 +
- Host Protected Area (HPA)<br>
 +
- Tools for Duplicating Evidence to Examiner's Storage Device<br>
 +
- Demo - Hashing and Duplicating a Drive<br>
 +
- Preparing Duplication for Evidence Examination<br>
 +
- Recording the Logical Drive Structure<br>
 +
- Logical Processes<br>
 +
- Known Files<br>
 +
- Reference Lists<br>
 +
- Verify that File Headers Match Extensions<br>
 +
- Demo - Introduction to FTK<br>
 +
- Regular Expressions<br>
 +
- Demo - Using Regular Expressions<br>
 +
- File Signatures<br>
 +
- Demo - Hex Workshop Analysis of Graphic Files<br>
 +
- Module 2 Review <br>
 +
 
 +
'''Module 3 - Crypto and Password Recovery'''<br>
 +
- Background<br>
 +
- Demo - Stegonography<br>
 +
- History<br>
 +
- Concepts 1<br>
 +
- Demo - Cracking a Windows Hashed Password<br>
 +
- Concepts 2<br>
 +
- File Protection<br>
 +
- Options 1<br>
 +
- Demo - Recovering Passwords from a Zip File<br>
 +
- Options 2<br>
 +
- Rainbow Tables<br>
 +
- Demo - Brute Force/Dictionary Cracks with Lophtcrack<br>
 +
- Demo - Password Cracking with Rainbow Tables<br>
 +
- Module 3 Review <br>
 +
 
 +
'''Module 4 - Specialized Artifact Recovery'''<br>
 +
- Overview<br>
 +
- Exam Preparation Stage<br>
 +
- Windows File Date/Time Stamps<br>
 +
- File Signatures<br>
 +
- Image File Databases<br>
 +
- Demo - Thumbs.DB<br>
 +
- The Windows OS<br>
 +
- Windows Operating Environment<br>
 +
- Windows Registry<br>
 +
- Windows Registry Hives 1<br>
 +
- Demo - Registry Overview<br>
 +
- Windows Registry Hives 2<br>
 +
- Windows NT/2000/XP Registry<br>
 +
- Windows Registry ID Numbers<br>
 +
- Windows Alternate Data Streams<br>
 +
- Demo - Alternate Data Streams<br>
 +
- Windows Unique ID Numbers<br>
 +
- Other ID<br>
 +
- Historical Files 1<br>
 +
- Demo - Real Index.dat<br>
 +
- Historical Files 2<br>
 +
- Demo - Review of Event Viewer<br>
 +
- Historical Files 3<br>
 +
- Demo - Historical Entries in the Registry<br>
 +
- Historical Files 4<br>
 +
- Windows Recycle Bin<br>
 +
- Demo - INFO Files<br>
 +
- Outlook E-Mail<br>
 +
- Outlook 2k/Workgroup E-Mail<br>
 +
- Outlook Express 4/5/6<br>
 +
- Web E-Mail<br>
 +
 
 +
'''Exercises'''
  
The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.
+
Two cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class.
  
'''Course Overview'''<br>• Application security fundamentals: Application evolution, Web 2.0 framework, Layered threats, Threat models, Attack vectors and Hacker’s perspective.<br>• Application infrastructure overview: Protocols (HTTP/SSL), SOAP, XML-RPC, REST, Tools for analysis, Server layers and Browsers with plugins.<br>• Application Architecture: Overview to .NET and J2EE application frameworks, Web 2.0 application architecture, Widgets framework, Application layers and components, Resources and interactions, other languages.<br>• Advanced Web Technologies: Ajax, Rich Internet Applications (RIA) and Web Services.<br>• Application attack vectors and detail understanding: SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path traversal, Session hijacking, LDAP/XPATH/Command injection, Buffer overflow, Input validation bypassing, Database hacks and Blind SQL injections.<br>• Advanced Attacks: Ajax based XSS, CSRF with Web Services, Decompiling Flash and RIA apps, WSDL scanning, XML poisoning, SQL injections through XML, External Entity attacks, Widget exploitation, RSS injections, Cross Domain bypass, and many more.<br>• Application methodologies: Blackbox /Whitebox approaches, tools, techniques and little tricks<br>• Advanced application footprinting and discovery: Leveraging search engines, Cross domain mashup discovery and Web 2.0 application domain enumeration.<br>• Fingerprinting: Web and Application server, Ajax framework, Flash based application and technology fingerprinting.<br>• Advanced browser based attacks: XSS proxy and browser hijacking, Intranet scanning, JavaScript manipulation and DOM injections.<br>• Web Fuzzing: Fuzzing XML, JSON, RPCs etc. 
for vulnerability detection.<br>• Scanning Web Services: Footprinting, discovery, scanning and attacking XML-RPC, SOAP and REST based applications.<br>• Scanning for vulnerabilities through Source: Function and Method signature mapping, entry point identification, data access layer calls, tracing variables and functions.<br>• Applying validations: Input validations, Output validations, Data access filtering, and Authentication validates.<br>• Web Application Firewall: Advanced content filtering by tools and techniques<br>
+
=  =
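Review bot: the new revision carries two misspelled tool/topic names and an empty heading; in Module 3, "Demo - Stegonography" should read "Demo - Steganography" and "Lophtcrack" is the product L0phtCrack, in Module 4 the thumbnail cache file is "Thumbs.db", and the trailing "=  =" line added at the end is an empty level-1 heading that renders as a blank header and should be dropped. Suggested lines: `- Demo - Steganography<br>`, `- Demo - Brute Force/Dictionary Cracks with L0phtCrack<br>`, `- Demo - Thumbs.db<br>`.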

Latest revision as of 14:05, 25 October 2009

Advanced Forensics Techniques

Course: Advanced Forensics Techniques
Course ID: SB1DAFT
Instructor: Dr. Chandrasekar Umapathy
CPE Credits: 7 CPEs
Duration: 1 Day
Date: November 19th, 2009 (9 AM – 6 PM)

Who should attend?
• General IT security specialists and administrators
• IT security specialists who want to learn the core concepts of forensics
• Security officers for organisations and companies
• Law Enforcement agencies
• Incident Response Team members

Class Pre-requisite:
• None. This class is for anyone starting out in forensics.

Class Requirement:
• Students must bring a laptop running at least Windows XP Professional SP2.
• Students need administrative privileges on the laptop in order to install software.
• USB port or CD/DVD-ROM drive (needed for the bootable software used in class).
• Wireless networking enabled.
• The required tools will be distributed during the session.


Course Description:

This course covers the fundamental steps of an in-depth computer forensic methodology, so that each student leaves equipped to work as a computer forensic investigator in the field, helping to solve and fight crime.

Module 1 - Computer Forensic Investigative Theory
- History of Digital Forensics
- Digital Evidence
- Three Main Aspects to Digital Evidence Reconstruction
- Attack Guidelines for the Recovery of Digital Data
- Classification
- Reconstruction
- Demo - TimeStomping
- Behavioral evidence analysis (BEA)
- Equivocal forensic analysis (EFA)
- Victimology
- Demo - Following the Clues from an Email Header

Module 2 - Computer Forensic Processing Techniques
- Goal of Digital Evidence Processing
- Demo - Logical Review with FTK
- Duplication
- Documenting and Identifying
- Disassembling the Device
- Disconnecting the Device
- Document the Boot Sequence
- Removing and Attaching the Storage Device to Duplicated System
- Circumstances Preventing the Removal of Storage Devices
- Write Protection via Hardware/Software
- Geometry of a Storage Device
- Host Protected Area (HPA)
- Tools for Duplicating Evidence to Examiner's Storage Device
- Demo - Hashing and Duplicating a Drive
- Preparing Duplication for Evidence Examination
- Recording the Logical Drive Structure
- Logical Processes
- Known Files
- Reference Lists
- Verify that File Headers Match Extensions
- Demo - Introduction to FTK
- Regular Expressions
- Demo - Using Regular Expressions
- File Signatures
- Demo - Hex Workshop Analysis of Graphic Files
- Module 2 Review
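The processing steps listed in Module 2 (hashing the duplicate, checking that file headers match their extensions, and sweeping the image with regular expressions) are combined in the following added example. It is not part of the course material or the instructor's FTK and Hex Workshop demos; the "evidence image", file names and e-mail addresses in it are constructed for the example, and MD5 and SHA-256 are used as the verification hashes.

```python
"""Added example: logical review of a duplicated image.

Builds a tiny 'evidence image' in memory, verifies the duplicate by hash,
checks that each file's header (magic number) agrees with its extension,
and runs a regular expression over the raw bytes so that e-mail addresses
in unallocated space are found as well. All sample data is constructed.
"""
import hashlib
import re

# Well-known file signatures and the extensions they legitimately carry.
SIGNATURES = {
    b"\xFF\xD8\xFF": ("jpg", "jpeg"),
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"GIF87a": ("gif",),
    b"GIF89a": ("gif",),
    b"%PDF-": ("pdf",),
    b"PK\x03\x04": ("zip", "docx", "xlsx", "pptx"),
    b"MZ": ("exe", "dll", "sys"),
}

def identify(data: bytes):
    """Return the extensions matching the leading bytes, or None if the signature is unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def header_matches_extension(name: str, data: bytes) -> bool:
    """True when the extension is consistent with the signature.
    An unknown signature is reported as consistent: there is nothing to contradict."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = identify(data)
    return exts is None or ext in exts

def image_hashes(image: bytes) -> dict:
    """MD5 and SHA-256 of the whole image, the pair recorded before and after duplication."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}

def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    return image_hashes(original) == image_hashes(duplicate)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def carve_emails(raw: bytes) -> list:
    """Regex sweep over raw bytes; works on unallocated space as well as on files."""
    return sorted({m.decode("ascii", "replace") for m in EMAIL_RE.findall(raw)})

# Constructed evidence: four 'files' followed by a region of unallocated space.
FILES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n%constructed",
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 8,          # an executable renamed to .txt
    "readme.txt": b"plain text, no known signature",
}
UNALLOCATED = b"\x00\x00contact alice@example.org or bob.smith@example.co.uk\x00\x00"

def build_image() -> bytes:
    return b"".join(FILES.values()) + UNALLOCATED

def mismatched_files() -> list:
    """Names whose extension contradicts the file signature."""
    return [n for n, d in FILES.items() if not header_matches_extension(n, d)]

if __name__ == "__main__":
    img = build_image()
    print(image_hashes(img))
    print("duplicate verified:", verify_duplicate(img, bytes(img)))
    print("header/extension mismatches:", mismatched_files())
    print("e-mail addresses in image:", carve_emails(img))
```

Note the asymmetry in `header_matches_extension`: only files with a recognised signature can be flagged, so a renamed executable is caught while a text file is not, and the examiner still has to confirm a positive match manually in a hex editor.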

Module 3 - Crypto and Password Recovery
- Background
- Demo - Steganography
- History
- Concepts 1
- Demo - Cracking a Windows Hashed Password
- Concepts 2
- File Protection
- Options 1
- Demo - Recovering Passwords from a Zip File
- Options 2
- Rainbow Tables
- Demo - Brute Force/Dictionary Cracks with L0phtCrack
- Demo - Password Cracking with Rainbow Tables
- Module 3 Review
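The rainbow-table items in Module 3 rest on one idea: an unsalted hash (the Windows NT hash is one) lets the attacker do the hashing work once and store only chain end points. The following added example, not part of the course or of any cracking tool it demonstrates, builds a miniature rainbow table over a toy keyspace. MD5 stands in for the password hash so the code runs anywhere; the keyspace (three lowercase letters), chain length and start points are constructed for the example.

```python
"""Added example: a miniature rainbow table.

A chain alternates hash and 'reduce' (map a digest back to a password);
only each chain's start and end are stored and the middle is recomputed on
lookup. The column number is folded into the reduction so that chains which
collide in different columns do not merge, which is what distinguishes a
rainbow chain from a plain Hellman chain.
"""
import hashlib
import string

CHARSET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(CHARSET) ** PW_LEN      # 17,576 candidate passwords
CHAIN_LEN = 16
N_CHAINS = 400

def h(password: str) -> bytes:
    # MD5 stands in for an unsalted password hash such as the NT hash.
    return hashlib.md5(password.encode()).digest()

def index_to_password(n: int) -> str:
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)

def reduce_(digest: bytes, column: int) -> str:
    """Map a digest into the keyspace; the column number keeps chains from merging."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)

def chain_passwords(start: str):
    """Yield the CHAIN_LEN passwords whose hashes this chain covers."""
    p = start
    for column in range(CHAIN_LEN):
        yield p
        p = reduce_(h(p), column)

def build_table(starts) -> dict:
    """end point -> list of start points (a list, so colliding ends lose nothing)."""
    table = {}
    for start in starts:
        end = start
        for column in range(CHAIN_LEN):
            end = reduce_(h(end), column)
        table.setdefault(end, []).append(start)
    return table

def lookup(table: dict, target: bytes):
    """For each column the target could sit in, walk to the chain end; if that end is
    stored, regenerate the chain from its start and confirm the preimage."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(target, column)
        for k in range(column + 1, CHAIN_LEN):
            p = reduce_(h(p), k)
        for start in table.get(p, ()):
            cand = start
            for k in range(column):
                cand = reduce_(h(cand), k)
            if h(cand) == target:        # false alarms from merged chains fail here
                return cand
    return None

def covered_passwords(starts) -> set:
    """Every password some chain actually covers; the rest cannot be cracked by this table."""
    return {p for s in starts for p in chain_passwords(s)}

# Constructed start points: evenly spaced indexes into the keyspace.
START_POINTS = [index_to_password(i * 41) for i in range(N_CHAINS)]
TABLE = build_table(START_POINTS)

if __name__ == "__main__":
    covered = covered_passwords(START_POINTS)
    print(f"{len(TABLE)} end points stored, {len(covered)}/{KEYSPACE} passwords covered")
    print("cracked:", lookup(TABLE, h(START_POINTS[7])))
```

Storage is 400 pairs rather than 17,576 hashes, and a lookup costs at most a few hundred hash operations instead of a full enumeration; the price is coverage, since colliding chains revisit the same passwords and anything outside the chains returns `None`. Per-user salting defeats the whole approach, because the table would have to be rebuilt for every salt value.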

Module 4 - Specialized Artifact Recovery
- Overview
- Exam Preparation Stage
- Windows File Date/Time Stamps
- File Signatures
- Image File Databases
- Demo - Thumbs.db
- The Windows OS
- Windows Operating Environment
- Windows Registry
- Windows Registry Hives 1
- Demo - Registry Overview
- Windows Registry Hives 2
- Windows NT/2000/XP Registry
- Windows Registry ID Numbers
- Windows Alternate Data Streams
- Demo - Alternate Data Streams
- Windows Unique ID Numbers
- Other ID
- Historical Files 1
- Demo - Real Index.dat
- Historical Files 2
- Demo - Review of Event Viewer
- Historical Files 3
- Demo - Historical Entries in the Registry
- Historical Files 4
- Windows Recycle Bin
- Demo - INFO Files
- Outlook E-Mail
- Outlook 2k/Workgroup E-Mail
- Outlook Express 4/5/6
- Web E-Mail
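The "Windows File Date/Time Stamps" topic in Module 4 and the TimeStomping demo in Module 1 come down to the same check: converting FILETIME values and comparing the two sets of NTFS timestamps. The following added example, which is not part of the course material, does both. The sample timestamps are constructed for the example rather than taken from a real MFT.

```python
"""Added example: Windows FILETIME conversion and a basic timestomp check.

Windows stores file times as FILETIME, a 64-bit count of 100-nanosecond ticks
since 1601-01-01 00:00 UTC. NTFS keeps two sets of four times per file:
$STANDARD_INFORMATION ($SI, what Explorer shows and what SetFileTime rewrites)
and $FILE_NAME ($FN, maintained by the kernel). Comparing them is the usual
first check for timestomping. All sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> aware UTC datetime. Python keeps microseconds, so the last
    digit of the 100 ns tick count is dropped."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def has_subsecond(ft: int) -> bool:
    """True if the tick count carries a fraction of a second. Times written by NTFS
    itself almost always do; tools that set a time from a 'YYYY-MM-DD HH:MM:SS'
    string leave it at zero."""
    return ft % TICKS_PER_SECOND != 0

FIELDS = ("created", "modified", "mft_modified", "accessed")

def timestomp_indicators(si: dict, fn: dict) -> list:
    """si and fn map each name in FIELDS to a FILETIME; returns findings (empty = none)."""
    findings = []
    # $FN times are written by the kernel when the name is created and are not
    # reachable through SetFileTime, so $SI created earlier than $FN is a red flag.
    if si["created"] < fn["created"]:
        findings.append("$SI creation time predates $FN creation time")
    # Every $SI time landing exactly on a second boundary points at a tool, not NTFS.
    if not any(has_subsecond(si[f]) for f in FIELDS):
        findings.append("all $SI timestamps have a zero sub-second component")
    return findings

def describe(times: dict) -> dict:
    """Human-readable ISO 8601 view of one timestamp set."""
    return {f: filetime_to_datetime(times[f]).isoformat() for f in FIELDS}

def _ft(*ymdhms_us) -> int:
    return datetime_to_filetime(datetime(*ymdhms_us, tzinfo=timezone.utc))

# Constructed: a file created 19 Nov 2009 09:00:00.123456 UTC and written 5 s later.
FN_TIMES = {"created": _ft(2009, 11, 19, 9, 0, 0, 123456),
            "modified": _ft(2009, 11, 19, 9, 0, 5, 654321),
            "mft_modified": _ft(2009, 11, 19, 9, 0, 5, 654321),
            "accessed": _ft(2009, 11, 19, 9, 0, 5, 654321)}
CLEAN_SI = dict(FN_TIMES)                                    # untouched file: $SI agrees with $FN
STOMPED_SI = {f: _ft(2005, 1, 1, 12, 0, 0) for f in FIELDS}  # backdated to whole seconds

if __name__ == "__main__":
    print("clean  :", timestomp_indicators(CLEAN_SI, FN_TIMES))
    print("stomped:", timestomp_indicators(STOMPED_SI, FN_TIMES))
    print(describe(STOMPED_SI))
```

Both indicators are heuristics. A rename or move copies the current $SI times into $FN, so a file stomped and then moved can carry consistent backdated times in both attributes; and a file copied from a FAT volume legitimately has second-granularity times. Treat a hit as a reason to look at the USN journal and $LogFile, not as proof.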

Exercises

Two cases modeled on real-world examples will be presented to the students. Students will work in groups to investigate and analyze the evidence related to a computer crime and present their findings to the class.