Download
coen 252 computer forensics n.
Skip this Video
Loading SlideShow in 5 Seconds..
COEN 252 Computer Forensics PowerPoint Presentation
Download Presentation
COEN 252 Computer Forensics

COEN 252 Computer Forensics

162 Vues Download Presentation
Télécharger la présentation

COEN 252 Computer Forensics

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. COEN 252 Computer Forensics Investigating Hacker Tools

  2. Program Analysis • Given an executable, how do we find out what it does? • Try to find the program online. • Perform source code review. • Execute the program in a sandbox.

  3. Program Compilation • Compiler • Translates HLL code to Assembly / ILL • Assembler • Translates Assembly code to machine language • Linker • Creates object code out of several modules. • A program usually makes library calls (stdio)

  4. Program Compilation • Statically Linked: All library code is part of the object code • Dynamically Linked: Program calls library functions. (DLL) • Stripping: Removes all symbols from object code. • Packing with UPX.

  5. Program Compilation • Static compilation needs more memory

  6. Program Analysis • Static Analysis: • Determine the type of executable. • file in Unix • exetype in Windows • Symbol Extraction: • Use a program like strings to find symbols left in object code. • Names give hints on program. • Will not work for stripped files.

  7. Program Analysis • Find the program online: • Use the name of the file to find online versions. • Use strings to check whether this is a similar file. • Use same compiler to compile the online version and check for similarity.

  8. Program Analysis • Investigate source code

  9. Program Analysis • Dynamic Analysis of a Hacker Tool • Create a sandbox. • VMWare • Do not connect to the internet. • Sniff on a closed network. • On Unix, use strace. • Monitors OS calls. • On Windows, use Filemon, Regmon, ListDLLs, PsList, Fport