2012 SANS DFIR Summit Wrap Up

Last week I had the opportunity to attend the 2012 SANS Digital Forensics & Incident Response Summit. It was held in Austin, TX at the Omni Downtown Hotel for a second consecutive year. First thing I want to say is that this is my third consecutive DFIR Summit. I did not think they could top last year’s offering. Boy was I wrong, dead wrong.

The Summit started off with Cindy Murphy’s most excellent Day 1 Keynote (intentional Bill & Ted reference). She talked about how we sometimes need to step back from our examinations to see the big picture, and how data without context is just data. She had a great quote from Helen Keller, “It is a terrible thing to see and not have vision”. It was a very inspirational presentation and has motivated me to reflect on who my “monks” are. If you haven’t had a chance to check it out yet, make sure you do (http://computer-forensics.sans.org/summit-archives/2012/6-blind-monks.pdf).

I have to say that I enjoyed all of the talks that I attended, but the ones that stood out for me were:

As far as the SANS360 talks (http://computer-forensics.sans.org/summit-archives/2012/dfir-sans360-talks.pdf) went, I think they were all great.  6 minutes each (roughly) and to the point.

The one thing I’d like to complain about is the fact that there were two tracks this year. The one thing I’d like to commend is that there were two tracks this year.  Confused?  Well, it stunk that I had to miss a few talks because I was attending others. That said, it was great because it gave more people the opportunity to present. Good thing the slides are available online.

The only real complaint I’ve heard about the Summit was from the folks trying to follow along at home.  Apparently, the live stream kept cutting in and out due to issues with the hotel’s network. Hopefully, that issue is squared away for next year and the remote viewers have smooth sailing.

I will echo what others who have reviewed the Summit have stated. The other best thing (aside from the presentations) was the chance to meet other DFIR Community members. There were a lot of new faces in attendance this year. It was great to meet people I had spoken with, helped, or received help from online. When it comes to the DFIR Community, I feel like I don’t have just colleagues, but that I am part of a family. I hope that our close-knit ways continue in the future.

The video presentation from the Closing Remarks (http://www.xtranormal.com/watch/13533924/closing-remarks) was epic!!!

I just want to thank Rob Lee & the Staff from SANS that helped to put together and run such a great conference!!!

A little update on things……

Hey all,

It has been some time since I’ve put up a blog post or posted any audio.  To say the least, things have been a bit busy both personally & career wise for me.  As of now, I am not sure what the status of the podcast will be.  It is very time consuming to record & edit, not to mention costly.

The audio from the previously recorded shows is unavailable for the time being.  There was an issue with emails from my host site (Libsyn) ending up in my Junk folder & I didn’t realize that my credit card had expired.  By the time I realized what had happened, the original feed & audio files had been deleted from my account.  I am not sure if I will be re-posting the old shows anywhere as of yet.

As for the blog portion of the site, I will leave it up for the time being.  I would like to post articles here from time to time, so please check back.  Also, if you are interested in guest authoring a post that fits into the profile of the site (Internet crimes/safety & Computer/Device security), please contact me using the “Contact” page so we can discuss things.


Thank you all for your understanding,

Joe Garcia

Book Review: Windows Forensic Analysis 2/e by Harlan Carvey

I had read WFA 2/e a while back and just kept forgetting to post a review.  Well, the wait is over :-)

One caveat though…. I have not read WFA 1/e, so I cannot compare what differences may exist between the two books.  With that said, read on…..

Traditional Digital Forensics methodology was to pull the plug from the back of a PC and conduct a “Dead Box” examination.  Chapter 1 covers Live Response at a scene, where that thought process may no longer be the best course of action.  It also covers what evidence in memory to collect first before it disappears (volatile data), as well as analyzing that data using the command line.

Chapter 2 (Data Analysis) essentially guides you into taking data that you collected during your Live Response and understanding what it is telling you.  Harlan points out that a lot of times “unusual” or “suspicious activity” that an examiner is seeing is due to their lack of familiarity with how the system operates.

Chapter 3 takes the reader through the tools, such as win32dd & Memoryze, and the techniques for conducting an analysis of physical memory (RAM).  He also details examining the Hibernation File as part of memory analysis.  For an investigation where the responder/examiner was unable to get a “memory dump” from the system prior to shutdown (see “Dead Box” exam reference above), this can be a good source of information (That’s right, I am looking at you fellow LEOs out there).

Moving on, Chapter 4 covers Registry Analysis.  Harlan breaks down the structure of the Registry hive files and what information is contained within those files for the reader.  It also introduces the reader to Registry analysis using tools that Harlan wrote: RegRipper and Rip/RipXP.  Also of note in this chapter is the tracking of USB devices and User activity.

File Analysis is up in Chapter 5.  This chapter is very useful if you are an incident responder.  Harlan discusses the use and understanding of event logs, as well as helping you understand how timestamps for files are modified.  The examination of the Recycle Bin, as well as Restore Points and Volume Shadow Copies, is also discussed.

Chapter 6 goes into static & dynamic analysis of suspicious files, as well as the need to conduct them in a virtualized environment or on a stand-alone workstation.  You wouldn’t want to conduct an analysis of a possibly malicious file on a production system and risk infecting “mission critical” systems.  Also covered is the use of tools like RegShot, Process Monitor and File Monitor for file analysis (as well as others).  The static and dynamic file analysis portion of this chapter reminded me of Day 1 of the SANS Reverse Engineering Malware course, where these techniques are fleshed out in more detail.  This part of the chapter is a good start for an examiner who has not been able to attend that course.

Chapter 7 defines Rootkits, the dangers that they pose on a system and various software solutions to detect & eliminate them.

Chapter 8 essentially goes on to bring together everything that you learned in the previous chapters through the use of case studies.  In my opinion chapters like this one are crucial, as they give the reader/examiner another perspective from which to conduct or fine tune their own exams through the experience of another (the author).

Chapter 9 ends this book with Reporting and Tools.  Reporting is crucial to any investigation.  If you cannot convey the steps that you took during an investigation to someone who does not have a technical background, it could lead to less than desirable results.  Just imagine testifying in a court proceeding: if you fail to explain (in a human understandable way) what you did to the housewife, plumber, librarian (you get the point) sitting on the jury, you may harm the prosecutor/defense attorney’s case.  You may also harm your credibility for that matter.  The tools listed in this chapter are freely available to use.  I’m sure Harlan didn’t have the budget to grab copies of commercially available tools.  Remember, the free tools are just as good as the commercial ones if you take the time to learn how to use them.

This book is a wonderful resource for any forensic examiner to have on their bookshelf.  Thanks to Harlan for writing this for the Digital Forensics community.  I know a lot of time & research must go into writing a book such as this and there isn’t a ton of money to be made from it.

I look forward to WFA 3/e and its coverage of the Windows 7 Operating System.



Online & Offline Digital Forensics Resources

A listener of the show, Joe Tracy, recently queried me on the Facebook Fan Page asking what my Top 10 – 15 favorite online resources and Top 5 offline resources for an entry-level forensic analyst are.  So I decided to put a list together for each topic to share with you all.  These lists are not necessarily in any order.


Top Online Resources for Digital Forensics:

1- Windows Incident Response blog (http://windowsir.blogspot.com):   Hands down, one of the most informative blogs covering both forensics & incident response.  It is authored by Harlan Carvey.

2- The SANS Computer Forensics & Incident Response blog (http://computer-forensics.sans.org/blog): This blog is maintained by a host of authors and has new material being posted regularly from some of the top examiners in the field.

3- Apple Examiner (http://appleexaminer.com):  A great resource for all things Mac Forensics.  Lots of great Mac Forensics news & how-to’s posted here.  Maintained by Ryan Kubasiak.

4- A Fistful of Dongles (http://www.ericjhuber.com):  Eric Huber’s blog, which has some great interviews with some of the heavyweights in the field of Digital Forensics, as well as some excellent insight into Information Security & Incident Response.

5- Journey Into Incident Response (http://journeyintoir.blogspot.com): Site maintained by Corey Harrell, with lots of great information on Timelines, batch scripting, triage and even a post on how to get the most out of your DF & IR news feeds.

6-  Forensic Methods blog (http://forensicmethods.com): Chad Tilbury’s blog with lots of great informational posts and links, as well as some book and product reviews.

7-  Zeltser.com (http://blog.zeltser.com): Lenny Zeltser’s blog that covers topics such as Malware analysis, Forensics and Incident Response.  Lenny also posts a list of his 5 favorite security reads each week.

8-  The Digital Standard (http://thedigitalstandard.blogspot.com): Chris (Beefcake!!!) Pogue’s blog.  Chris has lots of great posts regarding “Sniper Forensics”, which deal with getting the information you are looking for that is relevant to your examination rather than wasting time getting (and reporting on) the dreaded “Everything”.

9-  Forensics Wiki (http://www.forensicswiki.org/wiki/Main_Page): A Creative Commons wiki dedicated to Digital Forensics.  Lots of information regarding File Systems, File Analysis, Tools and How-To’s among other things.

10-  ForensicKB (http://www.forensickb.com): ForensicKB is a great resource for users of EnCase (which I happen to be).  Maintained by Lance Mueller, there are lots of great how-to’s to help you get the most out of EnCase.  Lance even has a 4-part tutorial on EnScript concepts.


Top Offline Resources:

1-  SANS Digital Forensics & Incident Response Summit/DoD CyberCrime Conference/CEIC/AD Users Conference: These conferences are a great opportunity to hear about cutting edge techniques, as well as get a chance to network with others in the community.

2-  A Local/Regional DFIR Group:  I am fortunate to have NYC4SEC in my backyard.  Groups like this are a great way of discussing current trends & techniques, and also great networking opportunities.  One just got started recently in Northern Virginia (NoVA Forensics Meetup) and one is getting underway in Boston.

3-  Security Conferences (Insert DefCon/Shmoocon/Any SOURCE con/B-Sides here): Every time I attend a security conference, I always pick up some nugget or two that may help me in future exams/investigations.

4-  Books: There are a ton of excellent books on the subject of DFIR.  Here is a start: http://www.amazon.com/Digital-Forensics-Reads/lm/R1C3BRA0RPR9JE/ref=cm_lm_byauthor_title_full

5-  Your co-workers:  Hopefully, you are as lucky as I am to work with a talented bunch of Forensicators.  The ability to bounce things off of another examiner can help you fine tune your examinations.  It will also give you all a chance to learn from each other’s experience.


Hope this helps!



Episode 32- Operational Security with Bugbear

In this episode, I discuss the challenges of Operational Security with Tim M. (@bug_bear) about .

Make sure to check out Tim’s blog: http://securitybraindump.blogspot.com/

Episode 31- Talking CDFS with Eric Huber

In this episode, I chat with Eric Huber about the recently announced Digital Forensics organization, The Consortium of Digital Forensic Specialists.  We discuss who is on the interim board, the goals and benefits of CDFS and the organization’s outlook.

Visit www.cdfs.org for more information.



xkcd on Password Strength

xkcd gets it right when it comes to users creating difficult-to-remember passwords and the strength of those passwords.  It’s better to create a good passphrase rather than a password with just substituted characters.
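To put numbers on that claim, here is an added example (not from the original post or the comic) that models the search space of a “dictionary word with substitutions” password against a passphrase of randomly chosen words.  The word list, the list sizes and the choice counts are illustrative assumptions; the entropy comes out as bits of attacker guesswork, which is the comparison that matters.

```python
import math
import secrets
from typing import List

# Constructed word list, far smaller than a real Diceware-style list; it exists only
# so the selection routine below runs offline.  The entropy figures are computed from
# the list SIZE you pass in, so a 2048-word list is modelled without shipping one.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "pencil", "window", "garden",
    "river", "candle", "orbit", "saddle", "velvet", "timber", "meadow", "lantern",
]


def substitution_password_bits(dictionary_words: int = 65536,
                               capitalisation_choices: int = 2,
                               substitutable_letters: int = 4,
                               digit_choices: int = 10,
                               symbol_choices: int = 32) -> float:
    """Entropy (bits) of a 'dictionary word + character substitutions + digit + symbol'
    password, assuming the attacker knows the pattern and only has to enumerate the
    user's actual choices: base word, whether the first letter is capitalised, which
    of a few letters were swapped (o->0, a->4, ...), trailing digit, trailing symbol.
    All parameter defaults are illustrative assumptions, not measured figures."""
    choices = (dictionary_words * capitalisation_choices
               * 2 ** substitutable_letters * digit_choices * symbol_choices)
    return math.log2(choices)


def passphrase_bits(word_count: int = 4, wordlist_size: int = 2048) -> float:
    """Entropy (bits) of word_count words drawn uniformly at random from a list of
    wordlist_size words: each word adds log2(wordlist_size) bits, no matter how
    long or how common the words themselves are."""
    return word_count * math.log2(wordlist_size)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / 86400


def generate_passphrase(wordlist: List[str], word_count: int = 4) -> List[str]:
    """Pick words with the OS CSPRNG.  The passphrase_bits estimate only holds when
    words are chosen this way; words a person picks 'at random' are far from uniform."""
    return [secrets.choice(wordlist) for _ in range(word_count)]


if __name__ == "__main__":
    weak, strong = substitution_password_bits(), passphrase_bits()
    print(f"substituted word:  {weak:.1f} bits, "
          f"{days_to_exhaust(weak, 1000):.0f} days at 1000 guesses/s")
    print(f"four random words: {strong:.1f} bits, "
          f"{days_to_exhaust(strong, 1000):.0f} days at 1000 guesses/s")
    print("example passphrase:", " ".join(generate_passphrase(SAMPLE_WORDLIST)))
```

Raising the guess rate (an offline attack against a leaked hash database runs many orders of magnitude faster than 1000/s) shrinks both figures by the same factor, so the gap in bits is the durable part of the comparison.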



Book Review: Windows Registry Forensics by Harlan Carvey

Windows Registry Forensics by Harlan Carvey is a book that I had picked up some months ago on sale (50% off) from the Publisher and just didn’t have the time to read until recently.  Once I picked it up though, I could not put it down.  Harlan Carvey has placed his knowledge and vast experience in dealing with the Windows Registry as an incident handler into this book.  WRF should be considered a companion work to his Windows Forensic Analysis 2/e book (WFA 3/e is in the works as of this review and will cover Vista and Windows 7).  Harlan packs a lot of information into 200 pages without overloading the reader.

Let’s look at the Chapters in this book:

Chapter One (Registry Analysis)- Here is where the Windows Registry is explained.  What it is, why analyzing it can be important to a digital forensic examiner and its nomenclature.

Chapter Two (Tools)- In this chapter, Harlan goes over some tools that an examiner can use while working on their cases and for conducting research.  Tools like Regshot, Autoruns and Process Monitor from Microsoft Sysinternals, F-Response, and Harlan’s own RegRipper (which should be in every examiner’s toolkit).

Chapter Three (Case Studies- The System)- For this chapter, Harlan highlights various Registry artifacts that deal with the computer system itself.  Topics such as USB devices that were connected to a system, file system settings and wireless networks that a system has connected to, to name a few.

Chapter Four (Case Studies- The User)- Finally, in this chapter Harlan goes over some key Registry artifacts that help show User activity on a system and how it ties into the information gained back in Chapter Three (like using the Mount Points 2 artifact to assist in creating a timeline of when a device was connected to a system).  In both Chapter Three & Four, he draws from his experiences in the field during various Incident Handling engagements.

The DVD that accompanies this book contains a few goodies.  A few of which are PDFs that cover topics such as how to tell if a CD image was burned by the user, an explanation of the ACMRU & UserAssist keys and how to locate shares on a Windows image.  These are great reference materials for an examiner.  A copy of RegRipper is also included on the DVD.  By the time of this review though, an updated version is available at http://code.google.com/p/winforensicaanalysis/downloads/list.

Two complaints I’ve heard or read about this book have been, “For the price of this book, I can’t believe this book is only 200 pages and doesn’t have a list of every registry key” and “man, those large graphics use up a lot of page space”.  I would like to address these one at a time.

First, there are many keys that can/do hold a wealth of information.   Unfortunately, from Windows version to Windows version, these locations and the information held within them may and do change.  I agree with the approach Harlan took with this.  He gave the readers the keys that haven’t changed much or if they did it was with the benefit of providing additional information with each passing version of Windows.  There are plenty of resources on the Internet that have additional Registry key information (The Forensics Wiki, The SANS DFIR Blog, ForensicArtifacts.com, etc…).  If you are only interested in lists, go to those sites and find them.  The best part about Harlan’s writing is that it is to the point.  No fluff in this book.  I know that I do not have the time to waste when trying to learn something.  If that is what you are looking for, then I’d recommend that you buy a novel.

Second, I was happy to see larger graphics in this book.  I have read a bunch of technical books that contain small images that make it hard to get the author’s point, especially when dealing with directories and files.  Each of the images provided in this book makes it comfortable enough for the reader to follow along and not have to guess what the author was speaking about.  I cannot comment on the quality of the graphics in the Kindle version of this book since I did not have it available to me.

As far as Cons for this book, the one I’d have to go with was the poor editing.  There are quite a few grammatical and spelling mistakes that were glaring enough that they should have been picked up before this book went to print.  I lay that blame on the Publisher, not on the Author.

Overall, some may think the price point of $69.99 (originally) was a bit steep.  It is worth the price tag to gain the knowledge that Harlan has put into this book.  If I did not luck out and get this on sale, I would have paid full price.  Trust me, you will find yourself going back and highlighting sections of this book for later use in your exams.

Thanks to Harlan for another fine effort!



Apple PDF Vulnerability patch available

Hey kids,

Apple has gone and updated iOS to fix a security issue relating to PDFs.  The vulnerability had to do with how iOS Mobile Safari handles fonts that are embedded into PDFs.  iOS version 4.2.9 covers the CDMA iPhone 4, while version 4.3.4 covers the iPhone 4 (GSM), iPhone 3GS, iPad & iPad 2 and iPod Touch 3rd & 4th Generation.

So fire up your iTunes & get a patchin’



HowTo: Opt out of BeenVerified results

BeenVerified is one of the many information gathering websites that offer “Background Checks” to its customers.  Essentially, BeenVerified aggregates information from public records & publicly available sources.  To get started on the site, you enter in a First and Last Name, as well as a State, and hit “Search”.  You can also leave the “All States” option to get broader search results.

Now in the above image you can see that it lists the names they have matching the one that you have entered, along with a hometown and possible relative.  I used “John Doe” as the name search criteria in this example.  Depending on the information available to BeenVerified, a person may have more than one hometown and relative listed.  The site’s results are pretty accurate, which I found when running myself as well as the names of friends.  When you click on the “That’s The One” button, you’ll be asked to enter your information into a popup form.

You will then arrive at a screen which gives you two options: Pay $19.95 for one background check or sign up for a 7-day free trial.  The 7-day free trial gives you unrestricted information & unlimited searches.  That is a lot of information gathering that can be accomplished against you, your family, a business partner or even employees which can then be used in targeted Social Engineering attacks.

Now that we see what is available from BeenVerified, let’s move on to opting out of having your personal information (or your family, friends, co-workers, employees, etc.) being returned in BeenVerified’s search results.  Follow the directions below:

– First if you find yourself listed in the search results, right click on the link for your name and choose “Copy Link Location” or “Copy Link Address” (or however your browser of choice labels that option in the popup menu).

– Then open up your mail application of choice and create an email to “support@beenverified.com”.  Also, make sure to CC yourself in the email.

– Next, make the subject “Site Removal”.

– In the body of the email, first paste the link for your name that you copied earlier.

– Finally, add your name as it is spelled in the search result that you found and list all of the cities and states that were associated with the listing.

Within a few minutes of sending this email, you should receive an automated response with a ticket number with a message telling you that your request is being worked on.  You will then receive a follow up email that confirms that your information has been removed from search results on the site.  In my case, I received confirmation within an hour or so of the initial response.  I have heard from a couple of sources that they received their confirmation email a day or so later.

One thing to keep in mind is that they are constantly collecting data, so it is possible your information may end up on their site again in the future.  So the obvious thing to do is check back from time to time and, if need be, follow the above steps again to have your information removed.

Thanks to my co-worker Donna for pointing this site out to me!

