Sunday, September 06, 2009

Security and Forensics: Perimeter Edition

Hold that line!

Forensic Style

  • Windows Incident Response: Virtualization – Windows Incident Response blog – Harlan Carvey takes a look at how virtualization is keeping the goal-posts moving for forensic examiners.  Great supporting link-set to explore.

  • Papers, Tools, and Such – Windows Incident Response blog – Harlan Carvey moves on with a round-up of various materials to enhance your forensic focus.  Of particular interest was a note “…of master's thesis from Greg Roussas titled "Vizualization of Client-Side Web Browsing and Email Activity"..” (PDF).  Pretty interesting stuff and the paper also contained quite a lot of current tools worth looking into specifically related to email-forensics.

  • Goin’ commando – Windows Incident Response blog – Harlan Carvey’s third post ponders the thought of moving from a reliance on commercial-forensic suites for analysis to task-specific and/or freeware/Open Source tools.  I certainly can say that there is no way I could justify our department outlaying the cost of a full-bore commercial forensic suite.  However with a good skill-set, and familiarity with the wonderful number of tools and scripts available for free due to the good-graces of the development community, as a system-administrator, I can take a pretty good assessment and analysis of a system at hand, anyway. Bravo!

  • Flash Cookie Forensics – SANS Computer Forensics, Investigation, and Response blog – Really timely article on how to leverage the information in the “hidden” Flash cookies often overlooked by both user and analyst.  Great info.  For more info see this related GSD blog post: Tip: Managing Flash Cookies.

  • Forensic PC anti-contamination procedures – Computer Forensics Forums – Fascinating discussion thread regarding if/how to “sanitize” a disk before re-using it to host a new imaged system.  In my non-forensics IT work I still prefer to use Windows Diskpart to “clean all” and zero out all the sectors on a drive to prepare it for the next usage.  In fact, it is our policy that if we are going to re-issue a system from a previous owner to a new one, that we zero-out the drive before putting the fresh (file-based) image on it.  Our thinking is that this scrubs the system of the prior user’s data as well as ensures that any activity (especially in the non-allocated space) can be attributed to actions taken while in the new-owner’s custody.  Yes it adds a bit of time on the system prep but it could save a lot of explanation and analysis on the back-end if needed.  While we use an “all-zero” pattern, I liked the thread post that mentioned using a particular key-word pattern instead.  Funny.

  • DEFT Linux v5 road map and features – DEFT Linux – Looks like this great forensics live cd is getting a fresh coat of paint and engine-work!  Besides application version updates, there is a tease regarding “Dhash 2.0 (now with imaging tool)”.  Expect a beta-release early October 2009 and a final release in November.  I really like DEFT and a few other of the “forensic live cd 2.0” builds that have been released in the past year.  Nice to see this line of tools is continuing to evolve and thrive.

On the Network

  • Web 2.0 for packets | pcapr – An additional packet-capture clearinghouse for folks looking to get sample/test network packet-capture data to work with.  Left via the comment on my related GSD Network Capture Tools and Utilities post.

  • In that GSD post, I mentioned both NetworkMiner as well as NetWitness Investigator Software.  I’ve had the chance to play with both of them a bit more.  I still tend to reach-first for NetworkMiner as it gives some very fast and easy to digest breakdowns on the network packet capture data.  However for much-more fine-grained sorting/searching/examination of the data, NetWitness is very hard to beat.  The only draw-back is that it has a very steep learning curve.  That said, I’ve uncovered a few videos that might be great introductions on using both products.  First, check out this YouTube NetWitness Channel for a series of nice video tutorials on using NetWitness Investigator.  And to compare/conquer both of them, see this wonderfully made video hosted on YouTube reviewing both products side-by-side in a demo (runtime 14m:30s).  (Note:  I don’t intend to make it a habit of embedding video links in posts, it’s just that some are more worthy than others and might be a better draw than the bare-link.)


  • NetGrok -- (free) – Java-based tool to help visualize pcap data and live traffic with both nodes/tree-map views.  Spotted via a PenTestIT post. Get the download from netgrok - Project Hosting on Google Code page.  Yes, there is also a YouTube - NetGrok Screencast as well.  I downloaded the current package at time of this post onto my Win7 system and wasn’t able to get it running.  I’m going to retry on my XP system Tuesday.  I’m not sure if it is a Windows 7 compatibility issue or if it has something to do with the very latest version of JavaRE I am using.  However in the process I did find a few “gotcha’s” us Windows folks need to keep an eye out for.  I’m really excited about this Java-based tool so I really hope I can get it working.  Documentation is pretty thin so if you have used it and have any tips, please drop a line in the comments.
    1. Download and unpack the file. Mine was “”.
    2. Next go into the “lib” folder and then into the “Windows” folder and you will see two setup files: “JpcapSetup-0.7” and “WinPcap_4_0_2”.  If you don’t already have these installed on your system from an existing network tool, you will need to install these first.
    3. Finally I discovered that you will need to find and open the “bat” file (netgrok20080928.bat) which is used to actually launch the Java app.
    4. Edit it so that the first line “java -jar netgrok20080902.jar” reads instead as “java -jar netgrok20080928.jar”  Otherwise it won’t find the jar file distributed with a different name.

  • TNV @ – This is another Java-based network traffic/packet visual analyzer.  From the product page:

    “tnv is a visualization tool for analyzing network packet capture (pcap) data”

    “TNV depicts network traffic as a matrix with the packet capture timeline on the x-axis and all of the host IP addresses in the data set on the y-axis. TNV is intended for network traffic analysis for learning what constitutes 'normal' activity on a network, investigating packet details security events, or network troubleshooting. TNV can open saved tcpdump formatted files or capture live packets on the wire.”

  • InetVis – One more Java-based network traffic tool.  Provided by Network Security Visualisation M.Sc. Research by J-P van Riel.  This one is pretty cool in that it provides a 3-D matrix format to display the data coming in.  Really cool and the development version 0.9.5 now supports Windows.

  • Both the tnv and InetVis tools were found in this post: So fast - so more or less weekly: programming in pentesting is more than essential by “wishi” on the CrazyLazy site.  It actually has a deep list of Ruby and Python related projects for network work as well.  It’s an interesting site and I’m going to add it to my RSS feed list.

With the Firefox

  • HttpFox :: Add-ons for Firefox – Now this looks to be a clever-useful tool.  “HttpFox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.”  Cool!  Couple that along with Firebug :: Add-ons for Firefox and you’ve got a pretty powerful combo to sort out what is happening on your page-requests.

  • Gcache Plus – Firefox add-on spotted at the amazing Firefox Extension Guru’s Blog.  I’m often turning to Google cache to look at pages and pre-view changes or the content before “going-live” to the linked site.  This looks to be a helpful tool.

  • Both of these tools brought me back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch.  Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on to get the whole collection at once.  What surprises me is that no-one has yet submitted it as a Firefox Add-ons Collection.  Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home).  What think thee? Useful perhaps?

In the Reading Room

As I have no formal training in forensics and incident response (I’m working on it!) I have to rely greatly on scouring the net for the best forensics/incident response blogs and presentations/papers to study up and stay current on the latest tools, techniques and issues.  From the links above I found the following material particularly insightful and actually helpfully touched on a few issues I am currently engaged in.

On the Tool Trawler

One added bonus of spending time reading through assorted forensic papers and presentations is that I sometimes uncover new websites and tools that enhance the resources in my tool chests.  This is always a great and happy day when I can add more than a few additional specialized tools to my collection!

  • Computer Forensic Links  -- Collection of links hosted by for various sites, companies, and resources.  Doesn’t look like most have been updated in some time but many are still “live”. Worthy of looking for some good bookmark material.

  • Digital Detective – DCode -- (freeware) – Clever tool that allows you to copy/paste and “…decode the various date/time values found embedded within binary and other file types.”  Much like you might uncover in hex-editors or registry values.

  • » Computer Forensics – An amazing collection of digital forensic-related linkage maintained by Berliner Alexander Geschonneck.  You know it’s got to be quality when he links Hogfly’s computer forensics blog and Harlan Carvey (the windows forensics guy) Windows Incident Response Blog at the very top two positions in his “random list” of forensic blogs section.  I seriously lost a whole afternoon (during the Notre Dame game) perusing through the massive linkage here.  Pre-check the links carefully, I believe I hovered over at least one forensic link that appears to have been link-squatted by a porn site now.  How ironic.

  • Tools - – Yep.  I know.  “Another German security site?” Yep. Bear with me.  This site has a great lineup of useful tools related to both Linux and Windows forensic utilities.  Some tools are dated and some are fresh.  It’s a great collection of both free and commercial applications.  In addition they have links to their own Forensik CD aus iX 07/2007 and newer Forensik DVD aus iX special 10/2008. Sweet!

  • Runtime Software Products – I’m linking to this site not so much as they do provide the great (free) DriveImage XML Backup Software which is quite popular. Instead you may want to be aware of the following other free products: RemotebyMail which offers remote access to your system for file/program execution command by email as well as Shadow Copy to provide copy of files/systems of running Windows systems and supports command-line execution.  Finally there is the not-free Captain Nemo application which allows mounting of image files and other file-system volumes such as Novell and Linux partitions.

  • md5deep -- (freeware) – an interesting and powerful MD5 (and others) hasher tool (CLI). Particularly useful is the ability to not just hash a file but to hash recursively through an entire directory tree and provide a hash for all items.  It also has a time-to-complete feature as well as hash-by filter.  I’ve got my own mini-collection of freeware Windows GUI-based hashing applications that I pick from depending on the reason I am hashing something.  Generally I use the excellent Nir Soft HashMyFiles tool for most of my daily hashing work. Others include Robin Keir’s “Hash”, the Hasher tool from [den4b] Denis Kozlov, and finally WinMd5Sum Portable from

  • Live View – Pretty old-news tool, and doesn’t help me much as I tend to be Windows Virtual PC centric, but if you need a handy tool to convert Windows system (limited Linux support exists) image copies that have been captured into a VMWare build for “live” forensic work, this might just be the tool you have been looking for.  I guess there are some times that a “static/off-line” image review just won’t work or some applications just need it to be running “live” to uncover the data needed.  From the page “…because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine..”  Quite handy and has me re-thinking my VPC only operation.


That covered a whole-lot more perimeter space than I expected!


--Claus V.


Nathaniel said...

Maybe you've tried it before, but there's also Live HTTP Headers for Firefox. Maybe it's not as full featured as HttpFox (IDK), but if you haven't tried it, it may be worth a spin. It was helpful to me once.

Claus said...

@ Nathaniel - Thanks for the Live HTTP Headers tip!

I hadn't seen that one yet.

I'm going to check it out. The reviews seemed very positive.


--Claus V.