Sunday, August 08, 2010

Security and Forensic Link Roundup: Floating Lantern Style


cc attribution: “Hiroshima Day at Töölönlahti, Helsinki” by /kallu on flickr

Well dear friends, I find that another weekend has slipped through my tippity-tappity fingers.  What with being on call-duty, the usual round of household chores, and a good two hours of application crash-dump generating under various circumstances, where does the time go?

Here’s a last round of posting of a more security/forensics bent, offered like one of those little lantern boats released on the water at night.

Forensic Thoughts

Seems like newer blog template updates have been popping up in more than a few places.  Eric Huber at A Fistful of Dongles also updated the look of his blog…in no small part spurring me on to even greater tweakage this weekend here on GSD.

Eric didn’t let that stop him from making some great posts…such as Stop, Children, What’s That Sound? touching on Super Timeline perspectives.

Hard-drive gurus may want to take notes on this SANS Computer Forensics Investigations and Incident Response blog (can we find an acronym; SANS-CFIIR blog?) post: Windows MBR and Advanced Format Drives (e512).  Great additional documentation links at the bottom.  Meanwhile, the Trusting Your Tools article by Joe Garcia reminds us all that you really need to know, understand, and be intimately familiar with the tools that you apply to your work.  I really like how Joe points out that it is good practice to test output by comparing the results from several similar tools.  If you are expecting the same thing but getting different results, either the tools are actually operating differently or something else may be afoot!

Harlan Carvey is back fresh from a mission of mercy and his Updates post over at the Windows Incident Response blog is great.  Chock full of examples, analysis and encouragement for responders to keep their best sword sharp by taking advantage of “practicals”.  As I’m getting my feet a bit wet in the network area, I’m finding tons of challenges and puzzles offered by the best teachers there are.  These are great ways to learn and stay sharp.  And Harlan ties up the recent Stuxnet/LNK mess with some artifacts to dial in on.  While you may not run into this, the lesson and principles are great to keep in mind for future encounters of all kinds.


CSI:Internet – PDF timebomb - The H Security -- Great multi-page case illustration of a PDF based malware “attack”.

Hidden past the Twitter talk in his Tweeting Forensicators post, Eric Huber slips in another sad lesson to be learned in his “Reason #217 Why You Shouldn’t Hire A “Computer Guy” To Do A Forensic Examination”.  Linking to Lee Whitfield’s How to do the Worst Job Possible post, we see in all the sad glory yet another mixed up “incident analysis” by an IT professional who knows too much of nothing for our own good.  This is a topic that Harlan has mentioned as well.  It is a drum I beat on over and over in our own IT shop.  The IT guys and gals who are the foot-soldiers run across more than their share of incidents almost daily.  In most cases, because there is sadly no real “incident response plan” or framework in the organization, it usually boils down to them pulling the network cable, maybe collecting a system log file, wiping the system and putting a fresh image on. Then the system (and user) is put back into service. Production is king.  There needs to be a plan in all IT shops, everyone needs to know what it is and how to execute it--autonomously if need be--and where their skill set begins and where it ends in application.

I’ve been begging for a while for a chance to take some SANS incident responder courses.  As we don’t have a training budget, I remain waiting for one to roll through Metropolis here again and hope the budget gods will bless me.

Eric’s link jarringly reminded me fresh of the “expert” testimony given in the infamous Julie Amero case. Fortunately, Alex Eckelberry and team were able to provide a good example of what true incident responders are capable of: Sunbelt Blog: The Julie Amero forensic analysis.  A review of their top-shelf work here (pdf) still is worth reading almost two years later. I think that was a watermark event and it now is featured in more than one forensic book: Sunbelt Blog: Julie Amero case featured in new forensic book (…the section on Julie’s case is available as a free download here (pdf) starting around page 34.)

And “sausage maker” DC1743 shares great detail in his real-world work place blog pieces:

Digital Resources

Staying current with forensics news and information is both easy and challenging.  Easy in that the Web (and those kind folks/companies who toil at their keyboards uploading their field notes and practical information) creates an open classroom for learning and information exchange, challenging in both finding new and fresh material, but even more so in the growing mass of flotsam and jetsam the rising Web tide brings in.

Here are a few digital resources (most all free) that I look forward to regularly to help me stay current with security and forensic trends and news.

  1. Into The Boxes - “…an e-magazine covering issues concerning Digital Forensics and Incident Response.  <snip> Into the Boxes will provide technical and managerial articles and information relating to as many challenges facing the security community as possible.”  Check out Issue 0x1 (pdf) and Issue 0x0 (pdf).
  2. Hakin9 :: Magazine - great incident and security perspectives and material.
  3. (IN)SECURE Magazine - covers a wide range of inward and outward facing security news and information.
  4. TechNet Magazine Home Page - I’m including Microsoft’s Windows-centric technical journal here because as a sysadmin, I believe that it isn’t just enough to know how to respond when an incident arises, you really need to understand the larger environment that Windows system exists in…and truth be told they always have lots of cool tools and Windows system tips as well.
  5. Digital Forensics Magazine - OK, this one isn’t free (except for their DFM-Issue1 (flash viewer driven)).  However they clearly are locked in on the forensics arena.  I’ve not got a subscription yet, but I’m thinking that this is one periodical that will be well worth the price of admission to access.

If you are aware of any other regularly published (and current) digital forensics/security sources, please drop a tip in the comments!

New Tools of the Week (and one red-herring shark-style!)

The SANS Computer Forensics Investigations and Incident Response blog (can we find an acronym; SANS-CFIIR blog?) post Digital Forensics Case Leads: SQLite changes may impact your processes points us to some great tools, including the free Paraben’s P2 Explorer for drive-image mounting.

Not content to hide his plans for world-domination in the forensic blog arena, our faithful Fistful of Dongles bloggist Eric Huber now is clearly ready to Go After The Flank with two (new to me) tools I got excited to find:

  • HSTEX - Digital Detective’s tool by Craig Wilson to be used to extract web browser history. Not free but you get a 30-day unlimited feature trial period to decide if it can do magic for you.
  • PALADIN - This is a new (free) forensic LiveCD project based on Ubuntu I hadn’t heard of before (and I know more than a few!)  Check out some of the advertised features:
    • PALADIN will work on any computer or hardware that is supported by Ubuntu Linux.
    • PALADIN allows a user to safely image and preview internal hard drives without having to disassemble the computer or laptop.
    • PALADIN has been modified to write-protect all attached media upon boot thereby preventing accidental writes or having to use expensive physical write-blockers.
    • Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)
    • Image to several formats including Expert Witness (.E01), Apple Disk Image (.dmg) and Raw (.dd)
    • Clone devices
    • Create two forensic images or clones at the same time
    • Image across a network
    • Format any drive as NTFS, HFS+, FAT32 or EXT3
    • Create a forensic image of only the Unallocated Space, Free Space and File Slack
    • Quickly wipe (sterilize), verify and hash media
    • Automatically update via Internet
    • Search and preview media by file name, keywords or MIME types

And they have a cool logo as well!  I’ve downloaded the ISO file and packed it onto my iodd device for testing if this week’s schedule is kind to me.

I’ll share my thoughts on it in the near future.  The forensic LiveCD bar is pretty high already with hot projects such as CAINE, DEFT, WinFE, and Raptor to name my fav’s.

Speaking of DEFT, the crew recently posted their DEFT Linux 6, roadmap and features plans.  I’m not sure I can wait till December!  Christmas was hard enough to handle the excitement of.  The integration of WINE in the distro to support native Windows apps is super-cool. “Here are the main features of Linux DEFT 6 and the road map.”


- Based on Lubuntu 10.10 and DEFT Extra 2.1 (Windows side)
- Linux Kernel 2.6.35
- Dhash 2.1
- Xplico DEFT edition
- TSK 3.1.3 (or the latest stable version at the date of release)
- Autopsy 2.24 (or the latest stable version at the date of release)
- Log2timeline 0.50
- Afflib 3.5.12 (or the latest stable version at the date of release)
- Foremost 1.5.7 with a new extended list of header and footer
- Wine 1.2 for the implementation of tools for Windows-based Computer Forensic
- ClamAV Anti Virus / Malware 0.9.6
- Mount Manager 0.2.6
- TrID 2.0


- Feature freeze – September 2010
- CF tools test – September 2010
- Software developed by the DEFT team test and beta releases – October 2010
- Kernel freeze – October 2010
- Extra DEFT test – October 2010
- Wine tools testing – October 2010
- Documentation (beta) – November 2010
- Beta release – November 2010
- Documentation DEFT stable – December 2, 2010
- DEFT Linux 6 stable – December 2, 2010

PrefetchForensics v1.0.2 -- woanware - Mark Woan has updated his free Windows prefetch analysis tool with some really handy features including time management, exporting corrections and enhancements, and pre-population of the “import” location window to a default.  If you haven’t added Mark’s spectacular woanware forensic/network/utility tool site to your regular watch-list, then you are definitely missing out on some of the best tools there are for incident response and forensics!

Fresh from the wild savanna of Las Vegas and the BlackHat / Defcon / BSides events this year, at least two cool new species of tools have been spotted that may be of interest to forensic/sysadmin folks.

Never one to stay still, Didier Stevens offers us two special-niche tools in his Quickpost: 2 .LNK Tools post. The first is a 010 Editor template file for the .LNK binary file format; the other is a ClamAV signature file to find all .LNK shortcuts (good or bad). Read the post for usage details on both.

Now for the stinky fish courtesy of the white sands of Florida and Tom Kelchner (via Francis Montesino desk work):

Oh yea, right! A rogue named “Wireshark” -- Sunbelt Blog   (not to be confused at all with the legit Wireshark network analyzer)

I want to say “who gets fooled by these stupid clearly fake/rogue malware scams” and infects their PC?

Then I had to say to myself, “Self!  Wait…didn’t you just spend all day this past Wednesday on your rare ‘odd-day-off’ remotely scouring your dad’s PC from a very similar thing and repairing all the bad things it did to make their life in Vista miserable?”  (I did do a cursory mini-incident response analysis but promised to wipe the results to qualify for free pizza from an un-named parental family member this week!)

Hello minions:

Yep.  Pretty much a whole day, though all is well and back to normal again now.

Enough said.

--Claus V.
