Incident Response

Incident Response – Overview

Cyber attacks originating from around the world, such as Advanced Persistent Threats (APTs), are difficult to detect. Attackers often target financial data, including credit card information. As part of an intrusion, attackers may establish back doors that are invisible to conventional detection tools based on malware signatures and behavior analysis, because they compromise operating system structures and software directly. A large fraction of such zero-day attacks go undetected. A breach of financial data can cause millions of dollars of damage and irreparable harm to reputations and brands. Often the extent of the damage, when the attack began and how it evolved are all unclear, which is a legal liability in addition to leaving the system open to new attacks. WindowsSCOPE tools address these concerns. They can be used for live cyber crime investigation or cyber forensics, and for detecting cyber attacks on suspected systems. WindowsSCOPE is also equipped with advanced search capabilities to extract critical data from raw memory, including visited URLs, credit card numbers, names, social security numbers, logins, etc.
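The raw-memory search described above works by carving: scanning the image for byte patterns and filtering out noise. The following is an added example written for this page, not WindowsSCOPE code, showing the idea end to end. The patterns, the Luhn filter for card-number candidates, the UTF-16LE handling (Windows stores most strings as wide characters, so an ASCII-only search misses them) and the sample buffer are all assumptions made here for illustration.

```python
"""Carve URLs, card numbers and SSNs from a raw memory image.
Added example, not WindowsSCOPE code. The regexes, the Luhn filter and the
sample buffer are assumptions made here for illustration."""
import mmap
import re
import sys

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")     # candidate card numbers
SSN_RE = re.compile(rb"(?<![0-9])[0-9]{3}-[0-9]{2}-[0-9]{4}(?![0-9])")
# Windows keeps most strings as UTF-16LE: printable ASCII byte, NUL byte, ...
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; drops most random digit runs from the PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def carve(buf) -> list:
    """Return [(kind, byte_offset, value)] for every hit in buf, sorted by offset."""
    # Each region is (base offset in buf, bytes to search, bytes per character).
    regions = [(0, buf, 1)]
    for m in WIDE_RUN.finditer(buf):
        narrow = m.group().decode("utf-16-le").encode("ascii")
        regions.append((m.start(), narrow, 2))
    hits = []
    for base, data, width in regions:
        for m in URL_RE.finditer(data):
            hits.append(("url", base + m.start() * width, m.group().decode()))
        for m in SSN_RE.finditer(data):
            hits.append(("ssn", base + m.start() * width, m.group().decode()))
        for m in PAN_RE.finditer(data):
            digits = m.group().decode()
            if luhn_ok(digits):
                hits.append(("pan", base + m.start() * width, digits))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample resembling fragments left in process heaps and the page cache.
SAMPLE_DUMP = (
    b"\x00\x00GET /login HTTP/1.1\r\nHost: bank.example\r\n\x00\x00"
    + b"https://bank.example/account?id=42\x00\x00\x00"
    + b"cardnum=4111111111111111&exp=12/27\x00"   # Luhn-valid test PAN
    + b"cardnum=4111111111111112\x00"             # fails Luhn, dropped as noise
    + "https://mail.example/inbox".encode("utf-16-le") + b"\x00\x00"
    + b"ssn=123-45-6789\x00"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real image: mmap it rather than read() many GB into RAM
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            results = carve(mm)
    else:
        results = carve(SAMPLE_DUMP)
    for kind, off, val in results:
        print(f"{off:#010x} {kind:4} {val}")
```

Run it with a dump path as the only argument, or with no argument to scan the constructed sample. Hits are reported with the byte offset in the image so they can be tied back to the owning process or pool allocation; a hit in freed memory may be stale, so the offset, not the value alone, is the evidence worth keeping.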

WindowsSCOPE is a comprehensive tool for cyber security analysis: it captures and analyzes virtual and physical memory through both software and hardware-assisted methods, evaluates changes to a system over a period of time, and compares one system with another. WindowsSCOPE detects illegal network connections, hooks into core kernel structures, malicious modifications in the registry, etc. By detecting and analyzing system vulnerabilities and uncovering some of the most sophisticated cyber attacks that unfold in memory, e.g., rootkits, botnets, trojans and worms, it lets users improve their security processes. With its multiple-memory-snapshot repository and comparison feature, a user who creates regular snapshots can retroactively discover zero-day attacks that conventional anti-malware tools left undetected and assess other damage such as backdoor communications. Please view the related video from the Movies/Tutorials page:

  • Rootkit Video Series: Understand and Detect the Shadow Walker Rootkit.
    • It demonstrates how WindowsSCOPE can be used to reverse engineer real malware and rootkits, using the Shadow Walker rootkit as an example. You will see how WindowsSCOPE uncovers its hooks on the virtual memory system.
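The snapshot-comparison idea described above (regular snapshots, then a diff that surfaces kernel hooks and new backdoor connections after the fact) can be shown with a small script. This is an added example written for this page, not WindowsSCOPE code or its snapshot format: the snapshot layout, the SSDT-like dispatch table, the module names, addresses and connections are all constructed here for illustration. The useful check is not "did a pointer change" but "which module owns the handler now": a handler that lands outside every loaded module, or moves to a driver it did not belong to before, is the signature of a hook.

```python
"""Compare two memory snapshots of the same boot for kernel dispatch-table hooks,
newly loaded modules and new network connections.
Added example, not WindowsSCOPE code; the snapshot layout, module names,
addresses and connections are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Snapshot:
    label: str
    modules: list     # loaded kernel modules, as read from the loaded-module list
    dispatch: dict    # service name -> handler address (an SSDT-like table)
    connections: set  # (pid, image, remote_ip, remote_port)


def owner_of(snap: Snapshot, addr: int):
    """Name of the loaded module containing addr, or None if no module does."""
    for m in snap.modules:
        if m.contains(addr):
            return m.name
    return None


def diff_snapshots(baseline: Snapshot, later: Snapshot) -> list:
    """Return [(severity, message)] for changes between two snapshots of one boot."""
    findings = []
    for name, addr in later.dispatch.items():
        old = baseline.dispatch.get(name)
        new_owner = owner_of(later, addr)
        if new_owner is None:
            # Handler outside every loaded module: a pool allocation or an unlinked driver.
            findings.append(("HIGH", f"{name} -> {addr:#x} is outside all loaded modules"))
        elif old is not None and owner_of(baseline, old) != new_owner:
            findings.append(("HIGH", f"{name} moved from {owner_of(baseline, old)} to {new_owner}"))
        elif old is not None and old != addr:
            # Same module, different address: modules do not rebase within one boot.
            findings.append(("MEDIUM", f"{name} changed {old:#x} -> {addr:#x} within {new_owner}"))
    for name in baseline.dispatch.keys() - later.dispatch.keys():
        findings.append(("MEDIUM", f"{name} missing from the later table"))
    for mod in sorted({m.name for m in later.modules} - {m.name for m in baseline.modules}):
        findings.append(("INFO", f"new kernel module loaded: {mod}"))
    talkers = {image for _, image, _, _ in baseline.connections}
    for pid, image, rip, rport in sorted(later.connections - baseline.connections):
        # A process with no network history reaching a public address is the interesting case.
        sev = "HIGH" if image not in talkers and not is_private(rip) else "INFO"
        findings.append((sev, f"new connection pid={pid} {image} -> {rip}:{rport}"))
    return findings


# Constructed snapshots: addresses and module sizes are illustrative, not real layouts.
NT = Module("ntoskrnl.exe", 0xfffff80040000000, 0xa00000)
TCPIP = Module("tcpip.sys", 0xfffff80041000000, 0x300000)
FLT = Module("fltdrv.sys", 0xfffff80041400000, 0x40000)

BASELINE = Snapshot(
    "day-1",
    [NT, TCPIP],
    {"NtCreateFile": 0xfffff80040123000,
     "NtQueryDirectoryFile": 0xfffff80040145000,
     "NtOpenProcess": 0xfffff80040160000},
    {(4, "System", "10.0.0.5", 445), (2100, "chrome.exe", "203.0.113.5", 443)},
)
LATER = Snapshot(
    "day-2",
    [NT, TCPIP, FLT],
    {"NtCreateFile": 0xfffff80040123000,
     "NtQueryDirectoryFile": 0xfffff80052a0b000,   # now points into unowned memory
     "NtOpenProcess": 0xfffff80041410000},         # now handled by fltdrv.sys
    BASELINE.connections | {(812, "svchost.exe", "203.0.113.10", 4444),
                            (2100, "chrome.exe", "203.0.113.20", 443)},
)

if __name__ == "__main__":
    for sev, msg in diff_snapshots(BASELINE, LATER):
        print(f"[{sev:6}] {msg}")
```

Comparing module ownership rather than raw addresses is what makes the check survive benign churn; comparing across reboots additionally needs the module list re-read per snapshot, since kernel ASLR moves every base. The private-address test is written out with explicit RFC 1918 networks because the documentation ranges used in the sample count as non-global in Python's own classification.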