An Ontology for Digital Forensics in IT Security Incidents - OPUS
4.3. FORENSIC TOOLS 27
psscan: Use pool tag scanning to find processes that are not necessarily in the list of the operating system. Details of this technique can be found in [Schuster, 2006] and [Van Baar et al., 2008].
psdispscan: Similar to psscan but with a different memory structure to look for.
thrdscan: Similar to psscan but searching for threads.
envars: Lists the environment variables associated with a process.
getsids: Lists security identifiers associated with a process. Useful for detecting privilege escalation.
handles: Lists the handles associated with a process.
dlllist: Lists the dynamic link libraries associated with a process.
• Networking
connections: Lists the TCP connections that can be found in the singly-linked list of the operating system.
connscan: Scans for TCP connections or fragments of connection data in the memory.
sockets: Similar to connections but for all protocols.
sockscan: Similar to connscan but for all protocols.
• Registry
hivelist: Lists the available hives and their location in the memory and on hard disk. An example output is shown in the appendix in listing B.2.
hivedump: Lists all subkeys in a specified hive.
printkey: Prints the information stored at a specific key. If no hive is provided and the key exists in more than one hive, the information of all hives is printed.
hivedump2: Custom module that combines hivedump and printkey functionality. Details are described in section 7.4.
The modules that contain scan in their name search the memory for data patterns that indicate the relevant data structures. If multiple modules search for the same objects, for example pslist, psscan and psdispscan, differences between their results can indicate that something has been manipulated, for example that malware is trying to hide from the operating system's process list.
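The cross-view comparison described above, as an added example that is not part of the thesis: the two listings are constructed samples in a simplified layout (not real Volatility output), and the assumed helper cross_view flags PIDs that the scanner finds but the operating system's list does not, while reporting entries with an exit time separately, since a terminated process can linger in pool memory without being hidden.

```python
# Constructed sample listings in a simplified "offset name pid ppid exited"
# layout; "-" in the last column means the process has not exited.
PSLIST_SAMPLE = """\
0x823c8830 System           4    0  -
0x81f1fda0 smss.exe       376    4  -
0x81ef2020 explorer.exe  1464 1400  -
"""
PSSCAN_SAMPLE = """\
0x023c8830 System           4    0  -
0x01f1fda0 smss.exe       376    4  -
0x01ef2020 explorer.exe  1464 1400  -
0x01e9a6b8 notepad.exe   1212 1464  2012-01-01 10:05:00
0x01ee8da0 unlisted.exe  1716  660  -
"""


def parse_listing(text):
    """Return {pid: {"name", "ppid", "exited"}} parsed from one listing."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)  # the exit time may contain a space
        if len(parts) < 5:
            continue
        _offset, name, pid, ppid, exited = parts
        procs[int(pid)] = {
            "name": name,
            "ppid": int(ppid),
            "exited": exited.strip() != "-",
        }
    return procs


def cross_view(pslist_text, psscan_text):
    """Compare the linked-list view (pslist) with the scanner view (psscan).

    PIDs seen by the scanner but absent from the OS list are candidates for
    a hidden process; those with an exit time are reported as terminated,
    because pool memory of exited processes is routinely found by scanning.
    """
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    hidden, terminated = [], []
    for pid, info in scanned.items():
        if pid in listed:
            continue
        (terminated if info["exited"] else hidden).append((pid, info["name"]))
    return {"hidden": sorted(hidden), "terminated": sorted(terminated)}
```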
As the output of the tools of the different categories looks similar, only one output is shown as an example. A sample output of psscan from the processes section is shown in listing 4.4. For the networking category the output