Wed, Apr 1, 2009 -- Updated Study Aid for Certification Exam

I have posted two copies of the Book Index that Johnny, from the other section, updated based on the version previous students had compiled. The first is sorted in page order (MS Word file) and the second is alphabetical by topic (MS Word file).

You are permitted to bring in your notes with you to the exam, so this can be a huge help when you need to quickly reference the book for a refresher. I do caution not to rely too much on this tool, and be sure to put in the appropriate time reviewing the materials, listening to the MP3s, and going through the hands-on exercises to prepare for the exam.

A great big Thank You to Johnny for putting this together so quickly!

Posted By: Evan Wheeler

Fri, Mar 27, 2009 -- Malware Analysis Tools

On Wednesday in class, we talked about fuzzing hashing, but I didn't have time to show you how the ssdeep.exe tool works. If you would like a more detailed analysis of how this technique works, check out these resources:

• Identifying almost identical files using context triggered piecewise hashing (The Proceedings of the 6th Annual Digital Forensic Research Workshop)
• Getting Started with ssdeep (Sourceforge Project)
• Fuzzy Hashing for Digital Forensic Investigators (Access Data)

I also showed you how to use the Sysinternals suite of tools and SysAnalyzer from iDefense to perform malware analysis without having to know anything about programming. Book 6 also has a nice supplemental section at the end which walks you through some of the more technical approaches to malware analysis. Try the following resources for additional information on the art of malware analysis:

• Reverse Engineering Malware by Lenny Zeltser (Online | PDF)
• Malcode Analysis Software Tools in ISSA Journal July 2007 (PDF)
• Reverse-Engineering Malware course at the SANS Institute (Online)

We also looked at several free online resources for malware sandbox analysis that I find helpful

• Virustotal Site - Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. It is a quick and easy way to not only identify unknown/suspected malware found during an investigation, but also to compare how well the various malware tools detect the lesser known variants.
  
• SunBelt CWSandbox - Submit your malware sample to this Automated Malware Sandbox for online analysis.
  
• Anubis: Analyzing Unknown Binaries - Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL.
  
• Norman Sandbox Information Center - Free uploads of program files that you suspect are malicious or infected by malicious components, and instant analysis by Norman SandBox. The result is also sent you by email.
  

I also briefly mentioned Image Mount Pro and Virtual Forensic Computing (VFC) for Windows. These are excellent tools that let you mount a disk image in Windows like we have been doing on our Linux workstation, and VFC allows you boot a disk image using VMWare Player.

Posted By: Evan Wheeler

Mon, Mar 23, 2009 -- Legal Resources

Tonight we discussed our own experiences with notifying third-parties about a security incident. Whether that be another victim, an affected vendor, or a security advisory, make sure you know who in your organization is authorized to make that call. Chances are it isn't you.

We also discussed the need to keep communications secure and confidential when sharing information between your team members during an active investigation. Some kind of end-to-end encryption or out-of-band communications system can be critical to operating a discrete or covert investigation. You never know when the person you are investigating might be the email administrator or network engineer.

There are certainly lots of examples of computer network crimes, and in many cases computers are just used as the medium for a traditional crime. The following links provide good resources for further information:

• U.S. Department of Justice Computer Crimes - Computer Crime & Intellectual Property Section
• North Eastern Massachusetts Law Enforcement Council
• FBI InfraGard - Boston Chapter
• Cyber Crime Search & Seizure Manual

In addition to joining InfraGard, I highly recommend looking into the HTCIA if you plan to get involved in the computer forensic world. We have a local chapter of this organization in New England that is strongly supported by local experts from law enforcement and private industry.

Here are some links in case you are ever inclined to escalate an incident to law enforcement over the Internet:

• U.S. Secret Service Online Reporting
• U.S. Secret Service Field Offices
• U.S. Federal Bureau of Investigation (FBI) Contacts
• FBI InfraGard Chapters
• EC Task Force Regional Locations

If nothing else, these sites provide some good information about what kinds of information law enforcement may initially require when you contact them. In the context of reporting vulnerabilities or security incidents, I also mentioned the FS-ISAC as an example of an industry specific version of a CERT. Members of the financial industry use this forum to share security intelligence. It also provides good advisories for security issues in the context of the financial sector. Several similar ISACs exist for other industries as well such as the Multi-State ISAC.

Martin wanted me to mention to you all that although their is no legal obligation to follow chain of custody procedures for evidence to be admissible in court if you are in the private sector, he believes we should aim to follow these established practices. This will give your evidence the best chance of not being torn apart should it be used in a court case. Following these practices also helps to demonstrate your own credibility and professionalism. As long as you don't allow the process of documenting the chain of custody to paralyze your investigation with paperwork and process.

Posted By: Evan Wheeler

Tue, Mar 17, 2009 -- Bypassing Disk Encryption, Cold Boot Attack

The cold boot attack is really old news at this point, but from my perspective the most important findings that came out of this research is the ability to find disk encryption keys or passwords in memory and extract them. If you come across a system in a live state and you suspect it has full disk encryption, being able to extract the private key from memory may really help your investigation. What if you gather all the volatile information and image the drive live, shut it down and then realize later that you missed something? Or maybe you're being challenged on the authenticity of the image. This might be your only way to decrypt it.

Unfortunately the researchers at Princeton have not released the details of their methods as far as I know. Here are some links to related news:

• Princeton University Web Site describing the attack, link to the research paper, and some YouTube demonstration videos (http://citp.princeton.edu/memory/)
• PGP's official comments about the vulnerability (http://www.pgp.com/newsroom/cold_boot_attack_response.html)
• CNet Article on the attack (http://www.news.com/8301-13578_3-9876060-38.html)

Hopefully they will release their methodology for the memory analysis piece at least.

Posted By: Evan Wheeler

Tue, Mar 17, 2009 -- Some Incidence Response Resources

On Monday I mentioned some incident response tools that can be useful when performing a forensic response. I recommend trying out the following:

• Windows Sysinternals Suite (ZIP)
• Foundstone Fport (ZIP)
• Windows Forensic Toolchest (ONLINE)
• RPIER by Intel (ONLINE)
• USB Switchblade by Hak5 (ONLINE)

Also look at this documentation:

• CERT Windows Intruder Detection Checklist (PDF)
• Forensic Analysis with F.I.R.E. by David M. Zendzian (PDF)

The last link describes a boot cd (F.I.R.E.) which is very similar to Helix and actually predated it. It is not commonly used today, but I think the concepts in the paper are applicable in more modern toolkits as well. It never hurts to have more tools at your disposal.

Posted By: Evan Wheeler

Tue, Mar 17, 2009 -- Missing Network Capture Files

I have posted copies of the two missing network capture files that we went through yesterday (wiretap.zip and windows_ethereal_capture.zip). These should have been included in your workstation image, and I have notified SANS about the error. I apologize for the inconvenience.

I encourage you to go through these network forensic exercises (Supplement 1 in Books 2-3 and 4) manually, and then try out the tools I showed you in class. Compare your results.

Posted By: Evan Wheeler

Mon, Mar 16, 2009 -- Online Hash Database Resources

Today in class, we will talk about using hashes to exclude known good files from your analysis or to identify known malicious files. The following are good resources for building a hash database:

• National Software Reference Library (http://www.nsrl.nist.gov/)
• Maresware Hash CD Set (http://www.dmares.com/maresware/hash_cd.htm)
• FileAdvisor (http://fileadvisor.bit9.com/services/search.aspx)
• SunSolve Database (http://sunsolve.sun.com/fileFingerprints.do?mode=coverage)

In most cases these hashes can be imported into the tools we are using (such as Autopsy) with little or no manipulations. You can also always create your own hash database for your own system builds and operating systems using the md5deep and hfind tools.

Posted By: Evan Wheeler

Thu, Mar 12, 2009 -- Timelining with MS Access & Dirty Words List

I have posted a copy of the MS Access database (ZIP file) I used to analyze the Batman timeline in class today. It includes a few saved queries that focus on identifying noteworthy events based on some common criteria. I have found that this really helps me dig through large data sets.

I also told you that I would share my own Dirty Words List (TXT file) that I have been compiling over the years. I find it useful when I am starting a case and don't know where to start looking for an infection or compromise. You would be surprised how often just a list of curse words can quickly point you in the right direction. I have also found this helps to quickly identify symptoms I have seen in previous cases. This list shouldn't replace the specific keywords list you build for each investigation, but you should be adding to it after each case is complete. I have asked other people in the community to share their own lists, but I haven't had any luck so far.

Posted By: Evan Wheeler

Tue, Mar 10, 2009 -- Additional Acquisition Resources

If you're looking for information about hardware and software write blockers from a trusted source, take a look at NIST's Computer Forensic Tool Testing pages:

• Hardware Write Block (http://www.cftt.nist.gov/hardware_write_block.htm)
• Software Write Block (http://www.cftt.nist.gov/software_write_block.htm)

If you have the budget for some high-end equipment, I personally like to get my gear from Digital Intelligence. They sell mobile devices, as well as workstations with all the bells and whistles for acquisition and analysis. If you find yourself doing a lot of media acquistions, I would recommend looking at their products.

In the memory forensics space, acquisition and analysis, I have put a list of good tools up on my Digital Forensics Resources site. Look on the Tools page in the Memory Analysis Tools section towards the bottom. If you are looking for a commercial solution, Responder Professional by H.B. Gary has a really nice product with features like Digital DNA (http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=215801353) to identify patterns of malicious behavior in memory.

We also talked briefly about how Anti-Forensic tools are designed to thwart our timelining efforts. Examples of these freely available tools to modify file MAC times and access systems files without touching the disk can be found on Metasploit's site (http://www.metasploit.com/projects/antiforensics/).

Posted By: Evan Wheeler

Mon, Mar 9, 2009 -- Some Evidence Acquisition and Imaging Resources

I recommend that you check out the following evidence acquisition resources as a supplement to this week's materials:

• Independent Review of Common Forensic Imaging Tools (SANS Reading Room)
• Guidelines for Media Sanitization, SP 800-88 rev 1 (NIST Special Publications)
• Pros and Cons of Using Linux and Windows Live CDs in Incident Handling and Forensics (SANS Reading Room)

There are many commercial and open source tools out there, and even many that aren't specifically forensic tools, so you need to learn how to validate new tools. The above resources are a good start.

Posted By: Evan Wheeler

Thu, Mar 5, 2009 -- Forensic Incident Response

If you are looking for additional resources, these sites all provide a wealth of content and links to other popular digital forensic resources:

• SANS Forensic Web Site (http://forensics.sans.org)
• SANS Forensic Blog (http://sansforensics.wordpress.com)
• WareOnEarth Communications Digital Forensics Site (http://www.wareonearth.com/resources_forensics.html)

I read the SANS blog often as a way to keep up on the latest developments in the field. I actually maintain the last site listed above and use it as a way to organize the resources I find valuable during an investigation.

We went through some of the basic features of the live windows side of Helix in class this week, but I also recommend that you take a look at its bootable Linux interface. Once you are comfortable with it, check out the Boot Options section on page 99 of the Helix Guide v0307 (PDF) for cheat codes and advanced settings when booting with Helix.

Posted By: Evan Wheeler

Wed, Feb 25, 2009 -- Forensic Tool Testing

If you would like to learn more about digital forensic tools that have been validated by a trusted third-party, check out these two sites:

• US Department of Justice (http://www.ojp.usdoj.gov/nij/topics/ecrime/cftt.htm)
• NIST (http://www.cftt.nist.gov/)

Also, another good resource for those of you who are building a jump bag for forensic investigations can be found at this site: http://www.squidoo.com/jumpbag.

Posted By: Evan Wheeler