Sunday, April 29, 2012

Forensically Sound: Quick Post #3

While I cannot say the past week was light, it definitely was quieter than most I encounter.

I’m still digging out the trench but the skies are clear.

Here are a couple of items that caught my attention this week.

Utilities and Tools

  • PDF Stream Dumper was recently updated to version 0.9.320. Check the second link for a summary of the new features; one is a VirusTotal plugin.
  • usboblivion - Google Project Hosting. This is actually an “anti-forensics” tool of sorts to strip out evidence of USB connected drives from the registry. It would be interesting to see if the tool itself leaves a signature of its usage (besides a clean registry I suppose…) behind.
  • Exploring Symbol Type Information with PdbXtract - Mandiant blog - New tool to explore programming database files. Probably most interesting to malware analysts.
  • triage-ir - Triage: Incident Response - Google Project Hosting. Another script-based tool to collect key information from a suspect system. Based on the Sysinternals Suite along with a few other key utilities. Kenneth Johnson recently shared some thoughts in his Tools in the Toolbox - Triage post at the Random Thoughts of Forensics blog. Triage was updated to version 0.7 back on April 16th. More on the Automated Triage Utility here.
  • For those that still haven’t tried WinFE…. - Windows Forensic Environment blog. Brett Shavers shares a quick-start guide to encourage the hesitant on just how easy it is to build your own WinFE boot disk. Check it out.
  • Z-VSScopy Freeware - Z-DBackup - (free for personal use/$ for commercial use) - Very interesting tool, new to me, that allows you to browse VSS snapshots, create new ones, and copy files from a snapshot back out. It is actually a module of their Z-DBackup backup software, which makes sense, as being able to leverage VSS shadow copies makes running backup jobs a bit smoother. Spotted in this AddictiveTips blog post: Create, Access, Delete & Mount Shadow Copies On Any Windows Version - Z-VSSCopy. Other well-known tools for monitoring/accessing VSS: ShadowExplorer and the VSC Toolset: A GUI Tool for Shadow Copies.
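As an added example (not code from the original post, nor from Z-VSScopy or the other tools named above), here are the same three operations done without a GUI tool, using the Win32_ShadowCopy WMI class from an elevated PowerShell prompt: list the snapshots of a volume, expose one through a directory symbolic link, and copy a file out with a hash for the case notes. The link path, case directory and file name are assumptions for the demo.

```powershell
# Added example: not code from the original post or from Z-VSScopy.
# Assumptions: elevated PowerShell on Windows with VSS enabled; the link
# path, case directory and file to recover are placeholders for this demo.
$Volume        = 'C:'
$LinkPath      = 'C:\vss_snap'                         # assumed mount point
$FileToRecover = 'Users\Public\Documents\notes.txt'    # assumed path inside the snapshot
$CaseDir       = 'C:\cases\recovered'                  # assumed output directory

# 1. List existing shadow copies of the volume, oldest first.
#    Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ form, so map the
#    drive letter to that ID first.
$volumeId  = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
$snapshots = @(Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })

foreach ($s in $snapshots) {
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    '{0}  {1}  {2}' -f $when, $s.ID, $s.DeviceObject
}
if ($snapshots.Count -eq 0) { throw "No shadow copies found for $Volume" }

# 2. Expose the oldest snapshot as a directory symbolic link. The trailing
#    backslash on the device path is required or the link will not resolve.
$snap = $snapshots[0]
cmd /c mklink /d "$LinkPath" "$($snap.DeviceObject)\" | Out-Null

# 3. Copy the file out and hash it (Get-FileHash needs PowerShell 4+), so the
#    copy can be tied back to the snapshot ID and creation time in the notes.
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$src = Join-Path $LinkPath $FileToRecover
if (Test-Path -LiteralPath $src) {
    Copy-Item -LiteralPath $src -Destination $CaseDir
    $copied = Join-Path $CaseDir (Split-Path $FileToRecover -Leaf)
    Get-FileHash -Algorithm SHA256 -LiteralPath $copied |
        Select-Object Hash, Path | Format-List
} else {
    "File not present in snapshot $($snap.ID): $FileToRecover"
}

# 4. Remove the link only; rmdir on a symbolic link never touches the snapshot.
cmd /c rmdir "$LinkPath" | Out-Null

# Optional: create a new snapshot. This writes to the volume, so on a suspect
# system record the decision in the case notes before running it.
# $result = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create("$Volume\", 'ClientAccessible')
# if ($result.ReturnValue -eq 0) { "Created shadow copy $($result.ShadowID)" }
```

`vssadmin list shadows` gives the same inventory as step 1 if you only need to look; the WMI route is used here because it returns objects you can filter and sort. Browsing a snapshot through the link is read-only, which is the property that makes shadow copies useful as an evidence source rather than just a backup convenience.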

Tips and Reminders

More Mandiant Goodies!

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline - This is an outstanding overview of the use and functionality of Mandiant’s free Redline tool. It really shows the power this tool can provide during a system assessment and incident response…if you are very familiar with it! 

If not, after you have read Doug Wilson’s guided walk-through above, dive deeper into the Redline User Guide.

Then hop over to the OpenIOC Framework page and check out the details there. Need some more Indicators of Compromise (IOC)? Drop into the IOCs on the MANDIANT Forums.

One more item: IOC Finder to collect host system data and report IOCs.

An Eye on the Malware Front

Windows 8 forensic previews

Forensic learning and exploring is underway for the new Windows 8 system. Here are just a few posts I’ve found touching on the new system.

Windows 8 Forensics - Recent post by Ethan Fleisher at the Senator Patrick Leahy Center for Digital Investigation, Champlain College. Ethan goes long; this first review takes passes at Recycle Bin properties and USB drive activity.

Windows 8 Forensics Part 2 - Ethan picks up with Internet History.

Future topics of coverage promised by Ethan include Win 8 “reset and reload” feature, Event logs, Prefetching, Jump Lists, and File History features.

The Computer Forensics at Champlain College Blog where these posts came from contains a great collection of fresh material and the addition of this blog to my RSS feed list seemed a no-brainer!

Windows 8 Forensic Overview - Random Thoughts of Forensics blog - An extensive post by Kenneth Johnson covering Windows Registry artifacts. Note, Kenneth updated his original post to reflect changes in observations between the Win8 Developer version and the newer Win8 Consumer version. Kenneth’s experience highlights the challenge examiners and students face when a new OS is released in alpha/beta versions. It’s a great start to the learning process, but the path may be fraught with dead branches and dead-ends. Nothing will be 100% certain until the final release comes out. And even then, I suspect it will take some time for the forensic knowledge-base to be fully built up. There is still much to learn about Windows XP systems, and the books are still being written on Windows Vista/Win7 even as Windows 8 appears on the horizon!

The “X” Factor

Beyond the bits and bytes, deeper than the registry keys and that which lurks in unallocated space at the far-end of the hard drive, there is something special that sets some incident responders and forensic investigators apart from the rest.

Whenever I get a bit discouraged by the drudgery and the lack of “play-time” for learning new tools and techniques and getting my boots dirty in the trenches on a good investigation, I take heart from posts like these that are reminders that it really does take something special--an “X” factor--to be a great responder.

The Core Duo - The Digital Standard blog - From cepoug’s post

So I have recently been doing a lot of speaking and teaching, and came to an interesting conclusion about what are the core (and in my opinion, critical) skills of our trade, which I have affectionately dubbed, "The Core Duo".

When I really started to think about it, what we do (Forensics and Incident Response) really boils down to only two things. 

1. Spotting Patterns

2. Spotting Anomalies

Now, I know this sounds really simple...maybe too simple, but let me explain. First of all, simplicity is something that I think is frequently minimized as being undesirable. I think there are a lot of folks who think something to the effect of, "If something can be explained in simple, easy to understand terms, it must not be very complex". I challenge that this is not the case. I think that even the most complex situations (which we all know, cyber investigations are among the most technical and convoluted anywhere) are made up of components that can be broken down and simplified. Being able to do this is a critical element in actually understanding what you are doing and why you are doing it. That in turn leads to being successful at what you are doing. Which finally, leads to you solving the case, and potentially, some bad guy going to jail.

What makes a good forensicator? or how to get a job in Digital Forensics... - WriteBlocked. Michael Wilkinson opens up his review of key traits this way:

If you are already working in IT, it is possible to complete either an industry certification or graduate study or even transfer directly into a forensic position, although this is becoming harder as the pool of qualified applicants continues to grow. However, no matter how qualified you are, this will never guarantee you a job. Certifications and qualifications are only good for getting past the HR screening process. After that the decision will be based on other factors, partially on your performance in the interview and partly on your performance in previous jobs. When I am looking for employees I am looking for two things, motivation and the ability to solve problems. I will take these attributes over certifications any day.

A Fistful of Dongles: Border Collies - A Fistful of Dongles - Eric Huber turns to the four-legged friends for a nice analogy.

You will live and die by the people you hire and the leadership that you give them. The most critical element of your security program is having the right people on your team and providing them with the leadership and resources that they need.  You absolutely need proper tools to secure your enterprise, but the tools are secondary to the people who use them. The purpose of the tools is to help your people do their jobs. Too many organizations treat their people as glorified tool drivers rather than security professionals. If you are spending more money each year on your tools than you are on your people, you’re probably in a very bad place with your security posture.

Information security is very hard. It takes tremendous time, effort, and expense to even come close to mastery of critical information security skills such as incident response, malware analysis, and digital forensics. There is no tool that can ever substitute for a highly skilled and well led information security professional.


Meet Jet the Border Collie. You will find no creature on Earth more in the moment than a Border Collie like Jet chasing sheep. This is what they live to do. They are fantastic at it and they enjoy it immensely. Incident response people are the modern day information security Border Collies. We live in a time where we have an information security community made up of incident responders who absolutely live to get up in the morning and chase people out of our networks.

Eric goes on to expand his meme wonderfully.

This week I’m going to walk into the workplace with a Border Collie mentality; motivated, focused, and ready to perform.


--Claus V.

1 comment:

Troy Larson said...

Regarding Windows 8 forensics: I would be careful of relying too much on the public preview versions for detailed forensic analysis. Offsets and formats can still change.

The index.dat is indeed gone. In its place is a database. This is a Windows change more than an IE change, as the change was to a Windows component. A little work with Process Monitor will show what is going on.