Sunday, August 16, 2009

Rapid-Fire Security and Response Linkpost

Trying to clear out the “to-blog” hopper so I can have a clean start next week.

  • TaoSecurity: 2009 CDX Data Sets Posted. packet captures generated by NSA Red Team activity, packet captures from West Point defenders, and Snort, DNS, Web server, and host logs all brought to you by the Information Technology Operations Center of the United States Military Academy. That’s West Point to you. Have fun culling though the material for tips and techniques.

  • Two convicted for refusal to decrypt data – The Register.  Just because you can encrypt it, doesn’t mean you don’t have to surrender your passwords to it under legal court order.  Encryption is great for protecting data from physical device loss. However, if you do want to be a hero (or patriot) and try to go down fighting, be aware there may be a penalty to not surrendering your passwords.

  • Update: Win32dd (fixes + improvements) - Matthieu Suiche’s blog – Go snag this updated version of a useful memory-capture tool.

  • The Lab Rat – Testing Digital Forensics Tools and Gear – SANS Computer Forensics, Investigation, and Response blog.  Another review I found of the Tableau T35es write-block device that I am trying hard to get appropriations for purchase at work for.

  • A Forensic Analysis Of The Windows Registry – by Derrick Farmer – Computer Forensics forums and Forensic Analysis of the Windows Registry Computer Forensics (PDF) by Peter Davies. Two very good overviews of Windows Registry Forensics.  I’m saving pennies so I can get the gold-standard in Windows Registry Analysis: Windows Forensic Analysis DVD Toolkit, Second Edition by the esteemed Harlan Carvey.  In the meantime, I’m adding these materials to my “study-kit”. Check out this recent Q&A: Windows forensics at Helpnet Security that Harlan responded to.  He has some excellent statements that apply not just to forensic examiners or incident responders, but to system admins and “family-fix-it-geeks” as well.  Quoting from that “interview”:

    Which Windows forensics tools would you recommend to our readers?

    …I tend not to recommend commercial tools, as doing so seems to create an over-reliance on these tools, where the reliance should be on the examiner's ability to understand the goals of the examination, as well as their ability to develop an appropriate analysis plan. The "tool" I recommend is "wet-ware", or your brain. If you don't know what "Registry analysis" consists of and what you're trying to prove or disprove through this activity, then no tool, free or commercial, is going to be of any use. A builder doesn't decide what a building will look like based on the tools that are available, and throughout history, new tools have been developed because a need was recognized and understood. The same should be true for incident response and forensic analysis - understand the need first, then choose the tool. – Harlan Carvey

  • Computer Forensic Guide To Profiling USB Devices on Win7, Vista, and XP -- SANS Computer Forensics, Investigation, and Response blog – Two more excellent take-a-way PDF guides to approaching USB device forensics on XP and Vista systems. As noted in the comments, probably good coupled with Nir Sofer’s freeware utility USBDeview along with the unofficial list of VendorID/ProductID for USB devices, found here.

  • Windows 7 Firewire Attacks and Defense Techniques – SecurityResearch.  Spend some time here!  Using Firewire to attack a Windows system is not new. (more at Firewire, DMA & Windows).  Security Research has done some pen-testing work using this technique against Windows 7 and found it still (generally) comes up lacking. Quoting:

    “Windows 7 systems are susceptible to Firewire-based attacks as well, as the Security Research Lab demonstrates. Besides a description how password authentication can be bypassed through memory manipulation via Firewire ports, the implications on BitLocker, Encrypted File System (EFS) and Windows Domains are described as well.”

Get the Windows 7 Firewire discussion materials from the post above or the links below:

  • Whitepaper (PDF) – Very readable material great for pentesters and sysadmins alike.
  • Whitepaper (PDF) – describing software-based attack blocking technique developed in the process.  Great stuff and quite thought-provoking.
  • After you read both the papers, you might find yourself wanting to apply the researcher’s proposed solution.  Get the free download for the application described above.  Still in development but it is worth looking into and testing on your own if you have some particular high-value needs to secure.

Lock it down or loose it.

--Claus V.

No comments: