Friday, January 9, 2015
As the title of this post states, nominations are now open at the Forensic 4cast website for this years awards. These awards ceremony has become a highly anticipated event each year at the SANS DFIR Summit in Austin, Tx. I'm proud to say I've been nominated twice and won once, winning the 2013 Digital Forensic Blog of the Year.
Journey Into Incident Response blog and Harlan Carvey's Windows Incident Response blog. I'm still making up my mind over those and a couple others.
Some candidates I'm considering nominating for Digital Forensic Examiner of the Year include Ken Johnson, Eric Zimmerman and Frank McClain. Ken has done some amazing work on Windows 8 forensic artifacts, while Eric has done excellent work in the area of shellbags artifacts and even released a tool called Shellbags Explorer. Frank is this guy who is always there for people. If you're on any of the DFIR related email lists, you've no doubt seen him there. He is often the first to reply to a request for help and can always be counted on for good advice and suggestions.
Without a doubt, I will be nominating The Art of Memory Forensics for Digital Forensic Book of the Year. I don't remember the last time a forensic book generated as much excitement at the time of its release as this one did. It's a huge book with so much good information. I will be very surprised if this book doesn't take the award. Win or lose, I offer my congratulations to Michael Hale Ligh, Jamie Levy, Andrew Case and AAron Walters on the success of this book.
For the software tool category, I'm looking at such good candidates as Brian Moran's Live Response and Eric Zimmerman's Shellbags Explorer. I'm sure others will come to mind, but these two are definitely in the running.
I do very little in the area of mobile device forensics, so I really don't have any opinions on the Phone Forensics categories. Likewise, I haven't had the opportunity to try out any new hardware, so I really have nothing to add there as well.
I'm still making up my mind on other nominations. If I failed to mention you or your favorites above, that doesn't necessarily mean I'm not considering them as well, so please don't be offended. These are the ones that stand out in my mind at this moment. There are so many good people, blogs and tools out there that it's hard to remember each one as I write this.
I hope you'll take the time to submit your nominations. Thanks again to Lee Whitfield for putting the awards program together each year.
Friday, January 2, 2015
I was pleasantly surprised to be nominated for election to the board of the Consortium of Digital Forensic Specialists and even more surprised to find out I got elected. I gave it considerable though before accepting the nomination. I decided to go for it because I do care about the CDFS and the role it can play in our field. I'll have more to say about it as I get involved with the board. Thank you very much to all those who voted for me.
I was fortunate to attend both the Open Memory Forensics Workshop and the Open Source Digital Forensics conference back in November. As expected, both were very much worth attending. I plan to talk more about them in a (hopefully soon) future post, but I just wanted to say thanks to the Volatility crew and Basis Technology for such a great couple of days. Besides the great talks, I was happy to connect with friends I hadn't seen in a long time. I was also happy I got my copy of the Art of Memory Forensics signed by all four authors. I will be very surprised if this book doesn't win a 4cast award this year I was also the lucky recipient of a $100 Amazon gift card at the OSDF conference!
My friend Carlos Cajigas has a new post up on his Mash that Key blog talking about using the built-in tools in Linux to view text based logs. He goes through auth logs from his Linux server and shows how to use grep, cut, head and other commands to narrow down the data to what you're really wanting to see. This is well worth a read if you find yourself parsing through server logs to the point of driving you nuts.
That's all I've got for right now. 2014 was a great year for DFIR and I look forward to seeing what this new year will bring.
Thursday, January 1, 2015
This is a big book, with 20 chapters comprising a total of 476 pages, not including the index. There are supplemental materials and a Linux virtual machine available for download that allow the reader to work the examples in the book. Additionally, guidance is given on setting up your entire virtual lab. The guidance includes setting up Windows XP, Windows 7, along with Android emulators. I loved how detailed the instructions were for setting everything up. There were quite a few files to download for the labs, but it was well worth my time and bandwidth to get them.
Along with the above, a torrent is available to download the same version of Kali Linux used in the book. I was unable to use it with VMWare Workstation and it turned out it would run in VMWare Player, but not necessarily in Workstation. I wound up building my own Kali virtual machine and used it through all the labs.
The book covers a little programming in some spots, so a programming primer was included. I am definitely NOT a programmer, so I found this primer to be very helpful.
Throughout the rest of the book, topics such as Metasploit, information gathering, finding vulnerabilities and even post-exploitation are covered. Instruction is given on web application testing, wireless attacks, exploit development and mobile device hacking are also covered in great detail.
After reading this book, I understand so much more about penetration testing than I did before. I learned a lot about how pen tester's gather the information and use it to their advantage through social engineering and other means. I also now have a much greater understanding of how attacks are done and I believe that understanding will help me do my work as a forensic investigator even better.
Weidman does an outstanding job of covering a pretty big range of topics in this book. With the wide range of topics, I can see how it would be difficult to put it all in one book and wind up with something that works, but she managed to pull it off. I enjoy her writing style and loved the labs, too. I don't know how long it took her to put this book together, but it's obvious she spent a lot of time writing and creating the labs and supplementary materials.
If you want to learn about many aspects of penetration testing, I highly recommend this book to you. This book is everything, including the kitchen sink and after reading this book you'll come out with a much better understanding of what pen tester's do and how they do it.
Monday, September 8, 2014
The two-day event included optional training courses (for extra fee) on Friday. The two available courses were Malware Analysis, taught by Tyler Hudak and Network Analysis with the Bro Platform taught by Liam Randall. I chose the malware course, although I would have loved to have taken the Bro class as well.
The malware class was a one-day version of what is normally a two-day course. Tyler started out the day teaching about basic static analysis and then moved into dynamic analysis after lunch. There was plenty of hands-on work to keep you interested and involved. Tyler provided an excellent course manual that included the material for the full two-day class. The class was very good and I felt like I came away better off for having attended.
The conference continued on Saturday with the full line-up of speakers. ArchC0N reminded me of another conference that started off with a bang, the WACCI conference a few years back. ArchC0N had some of the biggest names in infosec, a three track lineup of speakers, provided lunch both days and did all of this for an extremely low price. The keynote speakers were Richard Bejtlich, Bruce Schneier, Emily Brandwin and Charlie Miller. Sadly, I had to hit the road before Charlie Miller spoke, but I found the other three keynotes very good. Emily Brandwin was a very pleasant surprise and I enjoyed her talk, which had nothing to do with infosec.
The list of speakers for all the sessions was just as impressive. It was very difficult to pick which ones to attend, due to the high quality of all the sessions. You can view the speakers lineup on the ArchC0N site. I attended great talks by Kyle Wilhoit, Ken Johnson, Tyler Hudak, Scott Roberts and Kyle Maxwell. There were others I wanted to attend, but could only find the means to be in one place at one time.
I want to say kudos to Paul Jaramillo and Jason Barnes for putting together a fantastic first of what I hope will be many many annual returns. I also want to thank the sponsors. You can't hold such a great conference without the backing of some great sponsors and I appreciate their doing so.
If you didn't make it to ArchC0N this year, I urge you to be there next year. Our part of the country needs more conferences and I'm thrilled Paul and Jason took the bull by the horns and got the job done.
Sunday, July 13, 2014
Linux forensics/incident response is a new thing for me. I've never had occasion thus far to conduct a "real" investigation into a Linux machine. This "intrusion" into my honeypot inspired me to conduct my own attack and investigation so I could learn more about the subject. I'm a noob to this stuff, so if you see things I did wrong or could have done better, I'd be delighted to hear constructive criticism from you.
Given my lack of experience with Linux based investigations, I've searched for information on the subject but haven't found a lot. I read the excellent book by Chris Pogue, Unix and Linux Forensic Analysis DVD Toolkit a few years ago and still refer to it from time to time. A note to Chris, I'd still love to see a second edition of the book! But I digress...
I began by creating a new Ubuntu Server 12.04 server virtual machine. I installed openssh-server so I could connect to the VM from the host and placed the VM network settings to Host Only. I also set a password for the root user, so I could log in immediately with root privileges, just as my honeypot attackers had done.
I installed Inetsim on my host machine and placed a copy of the file my attackers had downloaded to my honeypot to the "fake" files so I would be able to download it in the VM. Prior to starting my attack, I configured Inetsim to be listening on the Host Only network and started the program. I also started tcpdump, using the -i option to listen to the host only, vmnet1 adapter and -w to output a .pcap file. Finally, the time to attack had arrived.
With my virtual machine running and logged out, I opened a terminal on the host machine (Ubuntu 14.04 LTS) and typed the command:
I was greeted by the usual warning that the system can't identify the authenticity of the host I'm trying to connect to and wanting me to verify I really wanted to do it. I hit Y and the host was added to the .ssh/known_hosts file. After entering the password, I was in and ready to do my nefarious deeds.
I decided to type in all the same commands my honeypot attacker had, with a couple of exceptions. When I got to the point of downloading the file, I decided to just make up a fictional URL instead of using an IP address with port number, as the real attacker had done. I also decided to simply execute the file once downloaded instead of using the nohup command so I could be a little more sure I would see everything in my memory capture. I may do it again later with the nohup command and compare the results of memory analysis.
After going through all the commands the real attacker had, including downloading the .bash_root.tmp3 file to the /tmp directory and running it, I entered the ps x command, just to see what I could see before logging out. I noted the downloaded file was running in memory as expected. I then logged out and disconnected from the ssh session.
My initial plan was to conduct the attack on a virtual machine, then pause it and collect the .vmem file for memory analysis, followed by grabbing the .vmdk file for disk analysis. However, that didn't seem very realistic, so I changed my plan.
For the memory collection, instead of using the .vmem file, I decided to use Hal Pomeranz' Linux Memory Grabber script (lmg). lmg makes use of Joe Sylve's excellent LiME, a loadable kernel module which allows the collection of RAM from a Linux or Android system. lmg also makes use of Volatility and dwarfdump to create a Linux profile of the system for use with Volatility. I have used LiME by itself before with good results, but I wanted to try lmg and see how it worked automating the collection of memory and the creation of the Volatility profile.
I followed the directions for setting up lmg on an 8 gb thumb drive, but had some problems getting lmg to setup properly. Hal was kind enough to help me with it and I was able to use it for this investigation. I won't go into how to set it up here. You can read the install directions on the lmg Github page. I added a static version of dwarfdump and a freshly downloaded copy of Volatility 2.3.1 to the thumb drive and tested it on a non-infected system with positive results.
I went back to the virtual machine, logged in as root and mounted the lmg thumb drive. The simple command ./lmg -y started the script and it executed with no problems. lmg captures RAM and saves it in a capture folder on the thumb drive. As noted previously, it also automatically creates a Volatility Linux profile and saves it to the thumb drive as well. The VM only had 1 gb of RAM, so this process didn't take long. Once it was complete, I shut the VM down.
I next went to the VM folder on the host machine and used dc3dd to make a copy of the .vmdk file. Kinda silly, I guess, but I wanted to do things semi-realistically. I could have booted the VM again to a live CD and imaged it that way, but decided I would save a little time.
So now, I have a RAM capture, a disk image and a .pcap file. I'll be taking a look at the RAM capture first with the awesome Volatility and post about that in part 3. I will also post the Linux profile to my Linux Volatilty Profiles Github page soon.
Sunday, July 6, 2014
As I mentioned in my last post, Brett Shavers is offering a free course on the Windows Forensic Environment (WinFE). If you've never heard of WinFE, it's a Windows Forensic boot CD and it's highly customizable for your individual needs. In the past, the build process was a bit cumbersome, but several different improved ways of building it have since been created. Brett has been a champion of WinFE for quite a while now, so I was sure his course would be very good. I signed up as soon as I first learned about the it and completed it in a few days. It could be done all in one day, but I preferred splitting it up a little.
The Windows Forensic Environment course covers the history, building and usage of WinFE. The course consists of 30 modules, including 27 video lessons, a wrap-up video, a qualification exam and a course downloads page. The vast majority of the videos are done by Brett himself, while a couple videos by others are included as well. All of the videos are short enough that you can sit down and watch a few without spending your whole day at it. Registration is easy enough, either by creating a new account through skilljar.com or signing in with your Google or Facebook account.
The course begins with a brief introduction to WinFE and its history. Something I really liked was Brett starts out from the beginning making it clear what WinFE is and what it's good for, as well as talking about when it might not be the best choice. He talks about potential pitfalls when using it along with ways you can screw up by not using it right (accidentally boot the evidence drive, etc).
After the introductory section, Brett covers when it's a good idea to use a boot cd and suggests other times when you're better off just removing the evidence hard drive and imaging through a hardware write blocker. As he points out, if you've got all the time you need and have no reason to boot the machine on-site, you may as well remove the hard drive in the lab and do things the "traditional" way.
An overview of forensic boot systems is next. WinFE and various Linux forensic boot CD's are talked about and compared. I like that Brett doesn't tell you that WinFE is the answer to all your needs and that you'll never need Linux. Rather, he says right up front that sometimes WinFE isn't going to work for you for some reason and a Linux boot CD might be your best option. He suggests having both available when you go on-site so you're ready for any situation.
WinFE development is next, followed by the use of DiskPart and the WinFE Write Protection Tool. Demonstrations are given of DiskPart and the Write Protection Tool after the lecture on each. Following this, he talks about the importance of tool validation and that you must validate tools yourself and not simply rely on the word of others.
One of the cool things about WinFE is that there are multiple ways you can build your own. Some are a bit cumbersome, while others are strikingly easy. Brett covers them all and demonstrates how to use each method to build your own version of WinFE. Two of the videos in this section were created by other people, while Brett takes care of the remainder.
Next up, quite a few different use cases are presented for WinFE. Suggestions for each of those use cases are given and some other tips are given at the end of this section.
After the wrap-up, you get your chance to take the course exam. The exam consists of 25 questions and you must score an 80% or above to pass. You get two chances to take it, so if things don't go well the first time, you can still take another shot at it. I'm happy to say I passed on the first try.
The final section of the course is a downloads page. Links to lots of different WinFE related materials are here, including materials referenced throughout the course.
I was very pleased with this course. I thought Brett did a great job presenting the material. He speaks with the voice of experience and you can tell the suggestions he makes throughout the course are taken from his own use of WinFE. This course is free, but it is definitely worth paying for.
Speaking of which, Brett has also come out with another course that does cost a little money. This course is titled the X-Ways Forensics Practitioners Guide Online Course. As you may know, Brett and Eric Zimmerman wrote the book of the same name. The course costs $195, but if you sign up before July 17 and use discount code xwf1, you'll get a 25% discount. Not only that, but if you sign up before the 17th, you'll also get part 2 of the course for free! I hope to come up with some cash and take these courses, as I've been an X-Ways user for over 4 years. I learned a lot from the book and I'm sure the class will be good as well.
Wednesday, July 2, 2014
Next, I want to say congratulations and awesome job to David Cowen for completing 365 straight days of posting to his Hacking Exposed Computer Forensics Blog. I find it difficult to get 10 or 11 posts up a year, so I can't imagine coming up with a new one every single day. His Forensic Lunch and Sunday FunDay contests have also been an excellent way to learn more about CF and I thank him for his hard work.
Corey Harrell has an fantastic post on his Journey Into Incident Response blog: Improving Your Malware Forensics Skills. He goes through his process for conducting forensic analysis of an infected system and points out that establishing the process you will use should be the first step in the investigation. He talks about tools, setting up your test environment and describes various ways of infecting your test systems. It's a great post and I learned from it. I suspect you will too.
I'm excited that The Art of Memory Forensics, written by the core developers of the Volatility Framework will be released later this month. The front and back covers along with the table of contents and preview are already available to view on the Amazon page for the book. Without even seeing it yet, I will predict right now this book will be a strong contender for a Forensic 4cast Award next year.
From all the talk I've heard, it sounds like this year's SANS DFIR Summit in Austin, Tx was another first class event. I've been fortunate to attend twice and found the conference to be an excellent venue for learning and networking. Congrats to Rob Lee and everyone at SANS for another successful Summit. Wish I could have been there, but my funding didn't come through. Also, congrats to Lee Whitfield on another successful 4cast Awards. Congratulations to the nominees and winners as well!
A new learning opportunity has come about and I'm already signed up. Brett Shavers announced a new, FREE course on using the WindowsFE boot environment. From the course web page, "This course will give you everything you need to know in order to fully understand, build, use, and testify to the use of the Windows Forensic Environment." You can learn more and sign up on the Windows Forensic Environment course page.
Brett also announced a separate course he'll be releasing soon on the use of X-Ways Forensics. Brett, along with Eric Zimmerman, wrote the award winning X-Ways Forensics Practitioners Guide, so I know he knows what he's talking about when it comes to XWF. Follow the book website or Twitter account for details.
UPDATE: The class is now available at http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide
UPDATE 2: Use discount code "xwf1" between now and July 17 to get a 25% discount on the course tuition.
That's all I have for now. Take care and thanks for reading!