-d command-line parameter
displaying activity summaries in Honeyd with, 134
-d parameter
Snort command-line switch, 253–254
data analysis
See also forensic analysis
determining if attack was manual or automated, 302–303
for honeypots, 301–336
a structured forensic approach, 304–325
data backup
needed for operating a honeypot, 12
data capture
in honeypots, 36
keystroke logging programs, 22–23
methods for honeypots, 22–23
data collection
applications for collecting and prioritizing Windows log files, 288–290
importance of centralizing, 287–290
data control
for honeypots, 21–22, 36
data correlation
tools for honeynets, 293
data filtering
importance of, 291–293
data filtering tools, 291–292
DataGrab
for checking for IM services hacker activity, 317
data-link layer
in OSI model, 228
DataRescue’s IDA Pro. See IDA Pro Disassembler and Debugger
Davis, Michael
porting of Honeyd to Windows environment by, 121
porting of Sebek from Unix to Windows by, 277
DBXpress tool
for recovering deleted e-mail files from Outlook Express databases, 315
DCF Software’s Hard Disk Copy
website address, 308
dd --list command
for listing all available storage devices and their GUIDs, 307
Dd.exe command-line tool
example of Dd commands, 307
making copies of the hard drive with, 306–307
website address, 306
Debug register command
using, 347
Debug.exe disassembler
in Windows, 318
Debug.exe program
for seeing an example of Windows 16-bit registers, 346–348
use of by malware programs after initial exploitation, 349
Deception Tool Kit (DTK)
honeypot developed by Dr. Fred Cohen, 21
Decompilation Wiki
website address for links related to decompilation, 357
decompilers
mixed results for malicious code disassembly, 338
default delay policy
for firewalls, 51
default folder locations
rejecting for honeypot software or applications, 103
default template
creating in Honeyd, 156
defined, 134
defense-in-depth security paradigm
importance of in protecting a network, 8
deleted files and formatted disks
recovering after hackers exploit a system, 315
demilitarized zone (DMZ)
defined, 5
Developer.com Windows API Tutorial
website address, 343
DiamondCS forensic utilities
website address, 283
DiamondCS’s Open Ports utility
website address, 276
DiamondCS’s Port Explorer utility
for listing active listening ports, 276
Digital Detective’s hashing tool
website address, 312
Directory Snoop
disk viewer program, 314
disassemblers
free, 356–357
importance of in malware code analysis, 353–357
disassembly
defined, 337
disassembly environment
importance of choice you make for, 360
disassembly practice
steps for code behavior analysis before disassembly, 360–361
disk viewers
programs, 313–314
using to search your entire hard drive, 313–314
disk-cloning software tools
for making copies of a hard drive, 306
shareware and commercial, 308
virtual machine options, 308–309
disk-copying tools. See disk-cloning software tools
DMZ. See demilitarized zone (DMZ)
DMZ placement
of honeypots, 57–58
DNS resolver
use of in TCP/IP communication session, 230
domain controller ports
list of common Windows 2000, 69–70
DOS Attack setting dialog box
in KFSensor honeypot, 211
DOS ATTRIB command
for locating hidden, system, and read-only files, 313
DOS DIR command
for listing all hidden files and folders, 313
Download Sites dialog box
in Cygwin Setup dialog box, 143
DPORT
memory variable useful in scripts, 171
DRA. See EFS data recovery agent
dynamic linking
function of, 342