Use of Passive DNS Databases in Incident Response and Forensics

Presented at FIRST 2014

by Paul A. Vixie

Summary: Several projects and companies now collect massive quantities of DNS traffic and use them to build searchable databases. Incident responders and forensic analysts can use these databases to aid in attribution and prediction. A little knowledge of DNS itself is required in order to know what to look for and what you are looking at. In this presentation, Dr. Vixie will briefly outline the workings of Passive DNS in theory, and then work through several example incidents to show what a responder or analyst can do with Passive DNS in practice.
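To make the "workings of Passive DNS in theory" concrete, here is an added example (not code from the presentation or from any passive DNS project): a minimal passive DNS store in Python that collapses sensor observations into one row per unique name/type/rdata tuple with first-seen, last-seen and a count, and supports the two pivots an analyst relies on, from a name to its address history and from an address back to every name that ever resolved to it. All names, addresses and timestamps below are constructed.

```python
from collections import defaultdict

def norm(name):
    # DNS names are case-insensitive; store them lower-case and absolute.
    return name.lower().rstrip(".") + "."

class PassiveDNS:  # one row per unique (rrname, rrtype, rdata) mapping
    def __init__(self):
        self.rows = {}                    # key -> row dict with first/last seen, count
        self.by_rdata = defaultdict(set)  # rdata  -> keys, for the reverse pivot
        self.by_name = defaultdict(set)   # rrname -> keys, for forward history

    def observe(self, ts, rrname, rrtype, rdata):
        key = (norm(rrname), rrtype, rdata)
        row = self.rows.get(key)
        if row is None:  # first sighting of this mapping by any sensor
            self.rows[key] = {"rrname": key[0], "rrtype": rrtype, "rdata": rdata,
                              "first_seen": ts, "last_seen": ts, "count": 1}
            self.by_rdata[rdata].add(key)
            self.by_name[key[0]].add(key)
        else:            # repeat sighting: widen the window, bump the count
            row["first_seen"] = min(row["first_seen"], ts)
            row["last_seen"] = max(row["last_seen"], ts)
            row["count"] += 1

    def _sorted(self, keys):
        return sorted((self.rows[k] for k in keys), key=lambda r: r["first_seen"])

    def names_for(self, rdata):
        """Reverse pivot: every name that ever resolved to rdata, oldest first."""
        return self._sorted(self.by_rdata.get(rdata, ()))

    def history_for(self, rrname):
        """Forward history: every rdata this name has pointed to, oldest first."""
        return self._sorted(self.by_name.get(norm(rrname), ()))

# Constructed sensor observations (ts = Unix seconds), not real traffic.
SAMPLE = [
    (1000, "Update.Example.COM", "A", "192.0.2.10"),
    (1100, "update.example.com", "A", "192.0.2.10"),
    (1200, "cdn.example.net", "A", "192.0.2.10"),
    (1300, "update.example.com", "A", "198.51.100.7"),
    (1350, "mail.example.org", "A", "192.0.2.10"),
]

def build_sample_db():
    db = PassiveDNS()
    for ts, name, rtype, rdata in SAMPLE:
        db.observe(ts, name, rtype, rdata)
    return db
```

Note that the two repeat sightings of the same mapping become one row with count 2 and a widened time window, which is what lets an analyst see how long a name pointed at an address rather than just that it did.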