SANS SEC 508 - Discussion

I plan to use this site to post discussion topics related to each session's materials, supplemental resources, and current events relating to our class. I ask that everyone keep their comments professional and related to class. If you don't want to post your question in this public forum, then please send me an email directly or ask me in class.

I am still working on making this part of the site interactive, so check back soon.

Wed, Apr 1, 2009 -- Updated Study Aid for Certification Exam

I have posted two copies of the Book Index that Johnny updated based on the version previous students had compiled. The first is sorted in page order (MS Word file) and the second is alphabetical by topic (MS Word file).

You are permitted to bring in your notes with you to the exam, so this can be a huge help when you need to quickly reference the book for a refresher. I do caution not to rely too much on this tool, and be sure to put in the appropriate time reviewing the materials, listening to the MP3s, and going through the hands-on exercises to prepare for the exam.

A great big Thank You to Johnny for putting this together so quickly!

Posted By: Evan Wheeler

Wed, Mar 11, 2009 -- Malware Analysis Tools

Yesterday in class, when we talked about fuzzy hashing, I showed you how the ssdeep.exe tool works. If you would like a more detailed analysis of how this technique works, check out these resources:

I also showed you how to use the Sysinternals suite of tools and SysAnalyzer from iDefense to perform malware analysis without having to know anything about programming. Book 6 also has a nice supplemental section at the end which walks you through some of the more technical approaches to malware analysis. Try the following resources for additional information on the art of malware analysis:

  • Reverse Engineering Malware by Lenny Zeltser (Online | PDF)
  • Malcode Analysis Software Tools in ISSA Journal July 2007 (PDF)
  • Reverse-Engineering Malware course at the SANS Institute (Online)

I also briefly mentioned Mount Image Pro and Virtual Forensic Computing (VFC) for Windows. These are excellent tools that let you mount a disk image in Windows like we have been doing on our Linux workstation, and VFC allows you to boot a disk image using VMware Player.

Posted By: Evan Wheeler
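The technique behind ssdeep is context-triggered piecewise hashing (CTPH): a rolling hash over the last few bytes decides where each piece of the file ends, each piece is reduced to one base64 character, and two signatures are compared with an edit distance. The following is an added illustration of that idea in Python and is not ssdeep's own code or anything from the original post; the three input files are constructed pseudo-random byte strings, and the constants (7-byte window, minimum block size 3, FNV-1a piece hash, insert/delete cost 1 and replace cost 2) follow ssdeep's published design, while run elision and small-block score capping are left out for brevity.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the technique behind
ssdeep.  Added illustration, not ssdeep's own code: real ssdeep also elides
long runs of repeated signature characters, caps scores for small block
sizes and tunes the block size so signatures are about 64 characters long."""
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                       # rolling-hash window, as in ssdeep
MIN_BLOCK, SIG_LEN = 3, 64
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193


class RollingHash:
    """Alder32-style rolling hash over the last WINDOW bytes.  Its value depends
    only on those bytes, so an edit earlier in the file does not move the
    trigger points once the window has slid past the edited region."""

    def __init__(self):
        self.buf = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = self.h2 - self.h1 + WINDOW * c
        self.h1 = self.h1 + c - self.buf[self.n % WINDOW]
        self.buf[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & 0xFFFFFFFF) ^ c
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def block_size(length):
    """Smallest power-of-two multiple of MIN_BLOCK giving roughly SIG_LEN pieces."""
    bs = MIN_BLOCK
    while bs * SIG_LEN < length:
        bs *= 2
    return bs


def piecewise(data, bs):
    """FNV-1a hash of each content-defined piece, one base64 character per piece."""
    roll, fnv, out = RollingHash(), FNV_INIT, []
    for c in data:
        fnv = ((fnv ^ c) * FNV_PRIME) & 0xFFFFFFFF
        if roll.update(c) % bs == bs - 1:      # boundary chosen by content, not offset
            out.append(B64[fnv & 63])
            fnv = FNV_INIT
    if fnv != FNV_INIT:                         # trailing partial piece
        out.append(B64[fnv & 63])
    return "".join(out)


def fuzzy_hash(data):
    """ssdeep-style signature 'blocksize:hash_at_bs:hash_at_2bs'."""
    bs = block_size(len(data))
    return f"{bs}:{piecewise(data, bs)}:{piecewise(data, 2 * bs)}"


def edit_distance(a, b):
    """Weighted edit distance with ssdeep's costs: insert 1, delete 1, replace 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def score(a, b):
    """0..100 similarity of two piece strings; 0 unless they share a 7-char run."""
    if len(a) < 7 or len(b) < 7:
        return 0
    if not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return max(0, 100 - 100 * edit_distance(a, b) // (len(a) + len(b)))


def compare(sig1, sig2):
    """Compare two signatures; only hashes computed at the same block size match up."""
    bs1, a1, a2 = sig1.split(":")
    bs2, b1, b2 = sig2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(score(a1, b1), score(a2, b2))
    if bs1 == 2 * bs2:
        return score(a1, b2)
    if bs2 == 2 * bs1:
        return score(a2, b1)
    return 0


def sample_files():
    """Constructed inputs, not real samples: a 4000-byte pseudo-random 'binary',
    the same file with 200 bytes patched in the middle, and an unrelated file."""
    rng = random.Random(2009)
    original = bytes(rng.getrandbits(8) for _ in range(4000))
    patch = bytes(rng.getrandbits(8) for _ in range(200))
    patched = original[:1900] + patch + original[2100:]
    unrelated = bytes(random.Random(508).getrandbits(8) for _ in range(4000))
    return original, patched, unrelated


if __name__ == "__main__":
    original, patched, unrelated = sample_files()
    sigs = {n: fuzzy_hash(d) for n, d in
            [("original", original), ("patched", patched), ("unrelated", unrelated)]}
    for name, sig in sigs.items():
        print(f"{name:9} {sig}")
    print("original vs patched  :", compare(sigs["original"], sigs["patched"]))
    print("original vs unrelated:", compare(sigs["original"], sigs["unrelated"]))
```

The point to take away is why a conventional hash (MD5, SHA-1) is useless for this: one patched byte changes the whole digest, whereas here only the two or three pieces that overlap the patch change their character, so the patched copy still scores high against the original while an unrelated file scores zero. The same limitation applies as with ssdeep itself: files of very different sizes end up at different block sizes and cannot be compared at all.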

Tue, Mar 10, 2009 -- Additional Acquisition Resources

If you're looking for information about hardware and software write blockers from a trusted source, take a look at NIST's Computer Forensic Tool Testing pages:

If you have the budget for some high-end equipment, I personally like to get my gear from Digital Intelligence. They sell mobile devices, as well as workstations with all the bells and whistles for acquisition and analysis. If you find yourself doing a lot of media acquisitions, I would recommend looking at their products.

In the memory forensics space, acquisition and analysis, I have put a list of good tools up on my Digital Forensics Resources site. Look on the Tools page in the Memory Analysis Tools section towards the bottom. If you are looking for a commercial solution, Responder Professional by HBGary is a really nice product with features like Digital DNA (http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=215801353) to identify patterns of malicious behavior in memory.

We also talked briefly about how Anti-Forensic tools are designed to thwart our timelining efforts. Examples of these freely available tools to modify file MAC times and access systems files without touching the disk can be found on Metasploit's site (http://www.metasploit.com/projects/antiforensics/).

Posted By: Evan Wheeler

Tue, Mar 4, 2009 -- Legal Resources

Tonight we discussed our own experiences with notifying third-parties about a security incident. Whether that be another victim, an affected vendor, or a security advisory, make sure you know who in your organization is authorized to make that call. Chances are it isn't you.

We also discussed the need to keep communications secure and confidential when sharing information between your team members during an active investigation. Some kind of end-to-end encryption or out-of-band communications system can be critical to operating a discreet or covert investigation. You never know when the person you are investigating might be the email administrator or network engineer.

There are certainly lots of examples of computer network crimes, and in many cases computers are just used as the medium for a traditional crime. The following links provide good resources for further information:

Here are some links in case you are ever inclined to escalate an incident to law enforcement over the Internet:

If nothing else, these sites provide some good information about what kinds of information law enforcement may initially require when you contact them. In the context of reporting vulnerabilities or security incidents, I also mentioned the FS-ISAC as an example of an industry-specific version of a CERT. Members of the financial industry use this forum to share security intelligence. It also provides good advisories for security issues in the context of the financial sector. Several similar ISACs exist for other industries as well, such as the Multi-State ISAC.

Martin wanted me to mention to you all that although there is no legal obligation to follow chain of custody procedures for evidence to be admissible in court if you are in the private sector, he believes we should aim to follow these established practices. This will give your evidence the best chance of not being torn apart should it be used in a court case. Following these practices also helps to demonstrate your own credibility and professionalism, as long as you don't allow the process of documenting the chain of custody to paralyze your investigation with paperwork and process.

Posted By: Evan Wheeler

Tue, Mar 3, 2009 -- Study Aid for Certification Exam

I have posted a copy of the Book Index (MS Word file) that previous students compiled to help them prepare for the certification exam. Keep in mind that this file was made from a 2008 version of the courseware, and likely needs to be updated. Maybe someone from our class would be willing to go through and update it so I can share it with everyone ... any volunteers?

You are permitted to bring in your notes with you to the exam, so this can be a huge help when you need to quickly reference the book for a refresher.

Posted By: Evan Wheeler

Tue, Feb 3, 2009 -- Timelining with MS Access

I have posted a copy of the MS Access database (ZIP file) I used to analyze the Batman timeline in class today. It includes a few saved queries that focus on identifying noteworthy events based on some common criteria. I have found that this really helps me dig through large data sets.

Posted By: Evan Wheeler
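Two of the posts above go together: the Feb 3 post on saved queries that pull noteworthy events out of a large timeline, and the Mar 10 post on anti-forensic tools that rewrite file MAC times to defeat that timelining. The following Python is an added illustration of both and is not the class Access database, a SANS tool, or code from any of the linked sites. It assumes a Sleuth Kit body file in the fls -m layout (one row per file, plus a separate "($FILE_NAME)" row carrying the NTFS $FILE_NAME attribute times), builds mactime-style events, runs two query-style filters, and then checks for the classic tell of API-based timestamp changers such as the Metasploit project's timestomp, which rewrite the $STANDARD_INFORMATION times but leave $FILE_NAME untouched. The body lines, the incident window and the business hours are all constructed for the example.

```python
"""Timeline triage over a Sleuth Kit body file (the fls -m / mactime format),
with saved-query style filters and an NTFS anti-forensics check.  Added
illustration; the sample lines are constructed for this example, not case data.

Body line layout (TSK 3.x):
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds; 'name ($FILE_NAME)' rows carry the NTFS
$FILE_NAME attribute times, the plain row the $STANDARD_INFORMATION times."""
from datetime import datetime, timezone

BODY = """\
0|C:/WINDOWS/system32/calc.exe|1001|r/rrwxrwxrwx|0|0|114688|1202000000|1092100000|1202000000|1202000000
0|C:/WINDOWS/system32/svch0st.exe|4242|r/rrwxrwxrwx|0|0|40960|1233627300|1101000000|1233627300|1101000000
0|C:/WINDOWS/system32/svch0st.exe ($FILE_NAME)|4242|r/rrwxrwxrwx|0|0|40960|1233627300|1233627300|1233627300|1233627300
0|C:/Documents and Settings/bruce/My Documents/report.doc|2077|r/rrwxrwxrwx|0|0|51200|1233580000|1233579000|1233579000|1233500000
0|C:/WINDOWS/Prefetch/SVCH0ST.EXE-1A2B3C4D.pf|5050|r/rrwxrwxrwx|0|0|12288|1233627360|1233627360|1233627360|1233627330
"""

WINDOW_START = 1233446400        # 2009-02-01 00:00 UTC, hypothetical incident window
WINDOW_END = 1233792000          # 2009-02-05 00:00 UTC
BUSINESS_HOURS = (8, 18)         # assumed, in UTC; map to the host's zone in practice
SYSTEM_DIRS = ("C:/WINDOWS/", "C:/WINNT/")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".pf")
FN_SUFFIX = " ($FILE_NAME)"


def parse_body(text):
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        rows.append({"name": f[1], "inode": f[2], "size": int(f[6]),
                     "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return rows


def timeline(rows):
    """mactime-style events: (epoch, 'macb' flags, name), one per distinct timestamp."""
    flags = {}
    for r in rows:
        for t in "macb":
            flags.setdefault((r[t], r["name"]), set()).add(t)
    return sorted((ts, "".join(t if t in fl else "." for t in "macb"), name)
                  for (ts, name), fl in flags.items())


def base_name(name):
    return name[:-len(FN_SUFFIX)] if name.endswith(FN_SUFFIX) else name


def exec_activity_in_system_dirs(events, start=WINDOW_START, end=WINDOW_END):
    """Query 1: executable-type files touched under the OS directories in the window."""
    return [e for e in events
            if start <= e[0] <= end
            and e[2].upper().startswith(SYSTEM_DIRS)
            and base_name(e[2]).lower().endswith(EXEC_EXT)]


def after_hours(events, start=WINDOW_START, end=WINDOW_END, hours=BUSINESS_HOURS):
    """Query 2: anything in the window that happened outside business hours."""
    out = []
    for ts, fl, name in events:
        if start <= ts <= end:
            hour = datetime.fromtimestamp(ts, timezone.utc).hour
            if not hours[0] <= hour < hours[1]:
                out.append((ts, fl, name))
    return out


def si_older_than_fn(rows):
    """Anti-forensics tell: $STANDARD_INFORMATION creation time earlier than the
    $FILE_NAME creation time for the same inode.  Timestamp changers that go
    through the normal Windows file-time API rewrite $SI only, so this is worth
    a look; it is not proof by itself, since ordinary file operations can also
    leave the two attributes out of step."""
    fn = {r["inode"]: r for r in rows if r["name"].endswith(FN_SUFFIX)}
    return [(r["name"], r["b"], fn[r["inode"]]["b"]) for r in rows
            if not r["name"].endswith(FN_SUFFIX)
            and r["inode"] in fn and r["b"] < fn[r["inode"]]["b"]]


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    rows = parse_body(BODY)
    events = timeline(rows)
    for title, hits in [("Executables touched in system dirs", exec_activity_in_system_dirs(events)),
                        ("After-hours activity", after_hours(events))]:
        print(f"== {title}")
        for ts, fl, name in hits:
            print(f"  {fmt(ts)}  {fl}  {name}")
    print("== $SI created before $FN (possible timestamp tampering)")
    for name, si, fn in si_older_than_fn(rows):
        print(f"  {name}: $SI crtime {fmt(si)}  $FN crtime {fmt(fn)}")
```

In the constructed data the backdated svch0st.exe drops out of a naive "files created during the incident" query because its $SI creation time says 2004, but it still surfaces three ways: its ctime and atime fall at 02:15, its Prefetch file was created a minute later, and its $FILE_NAME row says it was really created on 2009-02-03. Real body files carry only whole seconds, so a sub-second check is not available here; the $SI/$FN comparison is the check that works on that output.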

Mon, Feb 2, 2009 -- Some Evidence Acquisition and Imaging Resources

I recommend that you check out the following evidence acquisition resources as a supplement to this week's materials:

There are many commercial and open source tools out there, and even many that aren't specifically forensic tools, so you need to learn how to validate new tools. The above resources are a good start.

Posted By: Evan Wheeler

Tue, Jan 27, 2009 -- Forensic Incident Response

If you are looking for additional resources, these sites all provide a wealth of content and links to other popular digital forensic resources:

I read the SANS blog often as a way to keep up on the latest developments in the field. I actually maintain the last site listed above and use it as a way to organize the resources I find valuable during an investigation.

We went through some of the basic features of the live Windows side of Helix in class this week, but I also recommend that you take a look at its bootable Linux interface. Once you are comfortable with it, check out the Boot Options section on page 99 of the Helix Guide v0307 (PDF) for cheat codes and advanced settings when booting with Helix.

Posted By: Evan Wheeler

Tue, Jan 20, 2009 -- Forensic Tool Testing

If you would like to learn more about digital forensic tools that have been validated by a trusted third-party, check out these two sites:

Also, another good resource for those of you who are building a jump bag for forensic investigations can be found at this site: http://www.squidoo.com/jumpbag.

Posted By: Evan Wheeler