Data Acquisition handle Lab

Description
[toggle_content title="Transcript"] Hi, Leo Dregier here. I want to show you a utility handle. Uh, I’ve copied the file to a directory that I have full permissions and control on. The first thing you’re going to want to do is type Handle space forward slash question mark, and spell it right; h-a-n-d-l-e. One of the ones that you’re going to use here most commonly is the dash a: dump all handle information. However, you can show just the page file backed section handles or handles that are directly related to, uh, things that are in the page file. Uh, you can close a specific handle if you want to shut something down. You’ve got prompting options. Uh, you can print the count type for each handle open if you knew the number or you can do a dash u: show the owning user map to that handle, which also can give you really, really interesting information, and then dash p: dump the handles belonging to a process, uh, if you want to tie it just to a, a specific process. So, one easy way to kind of approach using a tool like this is to basically do a handle dash a. But go ahead and put this into a file. Let’s call it, um, handle, handle example.txt, and just go ahead and let that run. After it runs, open it with notepad. So, notepad handle example and tab your way through, just go to the command line, and hit Enter. And then you can see the output. The reason why I told you to put it in a file because as you can see, it’s, it’s quite verbose, all right? So, you got the basic overview here, sysinternals. Uh, Mark created this. It’s been around for some time, but you can see the, the process identifier, the, what it is, like a key, or a port, or a file, or a folder, and then the actual path to the things that it’s referencing whether it be a registry location or something on the hard drive. And it pretty much goes through and calls it for the whole file system. 
So, you can kind of just scroll down here, uh, and see how it changes throughout the, the, the execution of what handle does for every handle that’s running. Now, keep in mind that the information, that the high level, the 50,000 foot view, um, information that we’re looking at directly relates to proc, uh, well it is process oriented, but it’s these handles right here. There is a utility which you can use forensically to evaluate these. And as you can see, there’s a lot that run on this system so you can expect lots of information. Clearly if this is one line through, you could take this to like a Word document and do a line count or something like that on it, uh, but it’s very, very, very, verbose. So, I’ll let you explore with it. Uh, and go ahead and give, give, your experiences in the chat dialog box; you know, when you’ve used this, the types of things that you’ve evaluated, uh, who would be interested in this, like a, a programmer, a developer, forensics, etc, etc, etc. So, be sure to share, and I’ll see you guys in the chat dialog box. My name’s Leo Dregier. Thank you for watching. [/toggle_content]

This is the handle Lab. Handle is a forensic utility that enables you to capture all handle information within a given target. For example, if you wanted to capture page file information, this is the utility you would use. Handle is an in-depth tool, but you’ll learn how to use it correctly so as not to create instability in your applications. We’ll also discuss the benefits of dumping all your handle information as an output, which is its first option. You’ll learn what data each switch in the utility captures and how to output that captured data to Notepad so you can review it and copy/paste or import it into your formal documentation.
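The lab leaves you with a very verbose `handle -a` dump in Notepad. The following is an added example (not part of the lab, and not Sysinternals code) that parses that dump into records so the forensic questions the video raises can be answered directly: which process holds which handle (the `-p` view), how many handles of each type exist, which user owns them (the `-u` view), and which processes have a particular file or key open. The sample text is constructed to mirror the layout `handle -a` prints (a dashed separator, a process header line, then one indented line per handle), and the parser assumes that layout; the process names, PIDs, user and paths in it are made up.

```python
"""Parse a report produced with `handle -a > handle_example.txt` (Sysinternals Handle).

Added example, not part of the lab or of Sysinternals. SAMPLE is constructed to mirror
the report layout; the parser assumes that layout and nothing else about the tool.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout handle -a prints: a dashed separator, a header line
# "<image> pid: <pid> <owner>", then "<hex id>: <Type> [(access)] <name>" per handle.
SAMPLE = """\
------------------------------------------------------------------------------
System pid: 4 \\<unable to open process>
------------------------------------------------------------------------------
explorer.exe pid: 2180 LAB\\analyst
    4C: File  (RW-)   C:\\Windows
    88: Key           HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
    9C: Section       \\BaseNamedObjects\\ShimSharedMemory
   12C: File  (R--)   C:\\Users\\analyst\\Documents\\evidence.docx
------------------------------------------------------------------------------
notepad.exe pid: 3344 LAB\\analyst
    70: File  (RW-)   C:\\Users\\analyst\\Documents\\evidence.docx
    84: Key           HKCU\\Software\\Microsoft\\Notepad
"""

HEADER_RE = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+) (?P<owner>.*)$")
HANDLE_RE = re.compile(
    r"^\s*(?P<hid>[0-9A-Fa-f]+): (?P<htype>\S+)\s+"
    r"(?:\((?P<access>[RW-]{3})\)\s+)?(?P<name>.*)$"
)


@dataclass(frozen=True)
class Handle:
    pid: int
    image: str
    owner: str      # owning user as printed (what -u shows)
    hid: str        # handle value as printed, hex
    htype: str      # File, Key, Section, ...
    access: str     # "RW-" style flags when printed, else ""
    name: str       # path, registry key or object name


def parse_handle_output(text: str) -> List[Handle]:
    """Walk the report line by line; a handle line belongs to the last header seen."""
    handles: List[Handle] = []
    current: Optional[Tuple[int, str, str]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (int(m["pid"]), m["image"], m["owner"])
            continue
        m = HANDLE_RE.match(line)
        if m and current is not None:  # separators and blank lines match neither regex
            pid, image, owner = current
            handles.append(Handle(pid, image, owner, m["hid"].upper(), m["htype"],
                                  m["access"] or "", m["name"].strip()))
    return handles


def handles_by_type(handles: List[Handle]) -> Counter:
    """Count of handles per object type (File, Key, Section, ...)."""
    return Counter(h.htype for h in handles)


def handles_by_owner(handles: List[Handle]) -> Counter:
    """The -u view in aggregate: how many handles each user owns."""
    return Counter(h.owner for h in handles)


def handles_for_pid(handles: List[Handle], pid: int) -> List[Handle]:
    """The -p view: everything one process holds."""
    return [h for h in handles if h.pid == pid]


def who_has_open(handles: List[Handle], fragment: str) -> List[Handle]:
    """Handles whose name contains the fragment, case-insensitively (paths and keys)."""
    needle = fragment.lower()
    return [h for h in handles if needle in h.name.lower()]


if __name__ == "__main__":
    hs = parse_handle_output(SAMPLE)
    print(f"{len(hs)} handles parsed; by type: {dict(handles_by_type(hs))}")
    for h in who_has_open(hs, "evidence.docx"):
        print(f"{h.image} (pid {h.pid}) handle {h.hid} {h.htype} ({h.access}) {h.name}")
```

Point the script at a real `handle_example.txt` by replacing `SAMPLE` with the file's contents; the regexes deliberately ignore any line that is neither a process header nor a handle line, so the dashed separators and the tool's banner text fall through untouched.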