Auditing NT - Catching Greg Hoglund

Presented at Black Hat USA 1999, July 8, 1999, 9:50 a.m. (60 minutes)

This talk will address the issue of auditing an NT box after a break-in. Specifically, we will examine the evidence left behind by an intruder and how to preserve this evidence for criminal prosecution. NT's built-in tools are not sufficient and can damage what you are looking for. I will present a tutorial on using a few free tools I have made specifically for this purpose. The demonstration will make use of multiple overheads displaying the auditing notes and actual step-by-step details of a break-in. Details will include:

  • Examining the event log in an enlightened way.
  • Looking at the file system configuration.
  • Examining permissions.
  • Examining file attributes.
  • Examining surrounding systems.
  • Looking for trojan behavior.
  • Looking for backdoors.
  • Closing down the holes.

Again, the focus will be on looking at this data in a non-destructive manner. Hope to see you there.

Presenters:

  • JD Glaser - NT Network Security Specialist, NT Objectives.
    JD Glaser is CEO of NT OBJECTives, Inc., a maker of security audit tools for Windows NT, most notably NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD who specializes in contract DCOM programming and NT network security. Clients have included Intel, HP, Columbia Sportswear and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT and file system filters for real-time detection systems for NT that bypass NT's untrusted API.