I got to confess, a few weeks ago while I was working on a rather challenging data-rescue project over the course of a week or so, I was having a blast.
Then I shifted gears and had the opportunity to work on a high-level workgroup and provide documentation support.
I really miss it when I’m not “getting my hands dirty” directly on systems.
Working an issue with trusted tools or searching for just the right new one to do a task better is so much fun.
Here’s a well-rounded selection of security and forensics tools and resources that are almost certainly will have you scrabbling around for a system or two to throw them at.
- More Links - Windows Incident Response – Harlan has a most excellent and jam-packed post full of forensics goodies such as a reference to a new Windows memory imaging tool update for the free Win32dd. Also in that post was introduction (to me) of a new system info-gathering tool called MIR-ROR. Like similar “collective” tools such as his own RegRipper, Security Database’s Evidence Collector, and Mandiant’s First Response these multi-function info collection tools aren’t solutions in themselves, but they can make the collection of first-pass level logs and information simpler. Armed with these after careful analysis by the responder, more surgical system analysis can take place with task-specific tools. I’ll let Harlan’s own words on MIR-ROR speak for themselves…
I recently heard about a tool called MIR-ROR, put together originally by Troy Larson and then expanded by Russ McRee, both of Microsoft. Russ blogged about it here, and there's a toolsmith article available on it, as well. MIR-ROR is a batch file that is useful for running tools on a system as part of incident response; what I like about this is that Russ isn't sitting back hoping that someone does something like this, he's taking advantage of his knowledge and capabilities to put this together. And he's made it available to the public, along with instructions on how to run it. I like tools like this because they're self-documenting...properly constructed and commented, they serve as their own documentation. As always, the standard caveat applies...use/deploy tools like this as part of an incident response plan. If your plan says you need to acquire a pristine image of the drive first, you will want to consider holding off on using a tool like this...
You will have to collect many of the executables that are needed and assemble them into the package. The documentation is great. As I recall I found a few references that were off but some patient Googling turned up the correct locations and I soon had it all put together.
- Memory Acquisition for First Responders – Forensic Incidence Response blog – Since I just mentioned win32dd this post by hogfly came at an opportune time. I believe that while memory acquisition and imaging is still primarily of use to forensic examiners, system admins can use the same lessons and apply them when doing incident response to a malware-infected system. As I say over and over again, too many IT Techs when getting a report of a virus/trojan/malware infection just run roughshod over the system with anti-virus/anti-malware cleaning tools and remove critical information to help understand WHAT is going on and WHY. There are LOTS of great Windows-based tools to capture memory images and data…many of them free (another post) so there’s little excuse not to capture an image of the memory of an infected system before going to town on the cleaning. Getting a sector-based image of the physical drive could also be valuable as well. This gets the end-user up and producing again and lets the analysts have more time in the lab dissecting the cadaver without everyone breathing down their neck with impatience.
- Live Analysis Part I - Changing of the Guard - The Digital Standard – Thoughtful post by cepogue on just that prior theme. Sometimes some incidents (or organizational attitudes/processes just don’t support the “by-the-book” Incident Response handling methodologies. Managers want the system cleaned and up and running, users complain about loss productivity, you can’t convince anyone who matters about the need to determine what if any data may have leaked. So many techs (and “my-blood-runs-IR” analysts) have to do a crash-n-dash response. That said, with skill and pre-planning, you can still make the best of a bad IR situation and hopefully walk away with valuable info despite the organizational “head-in-the-sand” culture. I’m looking forward to Part II.
- Forensics 101: Acquiring an Image with FTK Imager – SANS Forensics blog – Great how-to post on using FTK Imager to perform a GUI-based image pull from a system or storage device.
- Directory Link Counts and Hidden Directories – SANS Forensics blog – This post was a neat review of Unix file-structure handling and how to leverage it for searching for hidden directories. I was wondering if there was a Windows-supported solution. I saw in the comments note that OSSEC has this ability and in poking around found an agent tool compatible with Windows in the Downloads section. Though not exactly the same there is Joanna’s tool FLISTER from her invisiblethings.org tools page which might be worth looking into as well for Windows folks.
- Getting your fill of Reverse Engineering and Malware Analysis - Room362.com. An outstanding collection of links to sites/sources for reverse engineering and malware analysis tools, techniques and news. Quite bookmark-worthy.
- New BackTrack 4 “Forensics Mode” - CyberSec.eu. News that the next version of BackTrack (security and pen-testing LiveCD) will offer a “forensics-mode” boot-option from the Grub loader. Nice to have this option available to a venerable security minded LiveCD. If you just can’t wait, Remote-Exploit has made the BackTrack 4 Pre Release download ISO (fyi-DVD sized) available at that link. For even more info check out the release pdf and Introduction Video.
- Helix3 2009R1 FREE is once again available for download from the developers. Please see this GSD post Helix3: Thanks for the memories… to come up to speed on the issue. A recent comment by Lauren on that post got me looking around (and I did have to look hard to find it!) for the download link on the e-fense site. It can be found here. Registration is required to get to the download page, but if you hadn’t already tucked away a ISO file of the last free version, you do now have a safe option to get it fresh. Of course, to e-fense’s credit, they would rather you pony up some $ to get the newest (non-free) version of HelixPro and depending on your needs, that might be a better thing to do. Either way, it’s nice having the choice again.
- Download HelixCE200401brc1.iso RC1!!! Updated – Meanwhile, out of the previous “Helix going commercial” drama mentioned above, Charles Tendell struck on a new Helix “Community Edition” version. Due to licensing and other issues (RE: IAMAL) , he had to strip out some e-fense specifically-developed apps from his build that were present in the original Helix project builds. However he continues to plug away at filling the voids with new tools from other sources. Check it out including these screenshots and application list.
- Explorer Suite (PE analyzer) III – NTCore – A jam-packed tool to allow analysis and review of executable PE files. From the developer:
Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.
- Ophcrack 3.3.0 and Ophcrack LiveCD 2.3.0. – New versions of these password auditing/cracking tools are now available. Don’t let the unsync’ed versioning fool you. The main program is version 3.3.0 and the LiveCD version 2.3.0 contains the program version 3.3.0. Go figure. Changes in the new version are described on their News page as follows:
Ophcrack version 3.3.0 includes support for our new tables vista_seven. These tables crack 99% of passwords of length 7 composed of almost any character including special characters. This table set will be included in our professional tables bundle.
New features have been added like the table size verification in order to warn the user if the tables have not been fully downloaded for example. It is also possible to tune how the preloading should be done.
An important effort was made to release a brand new LiveCD. A very interesting and refreshing distribution called Slitaz was customized to make a lighter than ever ophcrack LiveCD. It should enable us to update the LiveCD more often and to make your experience much better too. We would like to thank Slitaz team for their support in making this LiveCD. Do not hesitate to give a look at their stable distribution!
- NetworkMiner v0.88 – New release on this awesome packet-capture management tool. What I really like about it is the ability to parse PCAP files for offline study as well as the ability to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB. I don’t have to packet-sniff often, but when I do and I need to analyze a lot of the content being moved, this is the first tool I reach for…hands down!
- Wireshark version 1.2 – Speaking of network packet capturing..Wireshark got a bump to version 1.2. According to the Release notice:
This is the new stable release branch of Wireshark and many new and exciting features have been added since 1.0 was released.
In this release
- Wireshark has a spiffy new start page.
- Display filters now autocomplete.
- A 64-bit Windows (x64) installer is now provided.
- Support for the c-ares resolver library has been added. It has many advantages over ADNS.
- Many new protocol dissectors and capture file formats have been added.
- Macintosh OS X support has been improved.
- GeoIP database lookups.
- OpenStreetMap + GeoIP integration.
- Improved Postscript(R) print output.
- The preference handling code is now much smarter about changes.
- Support for Pcap-ng, the next-generation capture file format.
- Support for process information correlation via IPFIX.
- Column widths are now saved.
- The last used configuration profile is now saved.
- Protocol preferences are changeable from the packet details context menu.
- Support for IP packet comparison.
- Capinfos now shows the average packet rate.
For a complete list of changes, please refer to the 1.2.0 release notes.
- VirtualBox 3.0 Beta 1 released. – While Sun’s VirtualBox public (stable) release version is at Version 2.2.4, this new 3.0 Beta 1 version brings a whole mess of exciting (and probably unstable) features! Along with lots of tweaks, bug-fixes, and enhancement, the following new features are on their way in this version:
Version 3.0 will be a major update. The following major new features were added:
- Guest SMP with up to 32 virtual CPUs (VT-x and AMD-V only)
- Windows guests: ability to use Direct3D 8/9 applications / games (experimental)
- Support for OpenGL 2.0 for Windows, Linux and Solaris guests
For more information on VirtualBox betas, drop into and monitor the VirtualBox Beta Feedback forum.