Thursday, April 28, 2011

A Quick Note

Just wanted to mention that, according to Amazon, Digital Forensics with Open Source Tools has been released. This is a book I've really been looking forward to. The two authors, Cory Altheide and Harlan Carvey, are well known in the field and bring a lot of experience and knowledge to this book, so I know it's going to be great. I'll be posting a review after I receive and read my copy.

Related to the use of open source, I also wanted to mention some interesting posts being made over on the SANS Forensic Blog by Dave Hull. He's made two related recent posts on the use of the Linux command line to aid in data reduction during an investigation. The posts are called "Least Frequently Occurring Strings?" and "Data Reduction redux and map-reduce." I love reading things like this, because these are methods anyone can use without buying high-dollar forensic software. The Linux operating system comes as an almost ready-made forensics investigation platform, with just a few things still needed to do the job. I still work in both Linux and Windows and make use of paid software in both, but my heart is with the open source tools available to all.

I hope to be putting out a new blog post in the near future that contains info on some research I've been doing lately, but I haven't had time to finish things up yet. I'll be back with a new post "soon".

Friday, April 15, 2011
The only thing I hate about blogging is finishing up a post, publishing it, going to bed and then realizing the next morning I left things out of the post unintentionally. In my last post, I had three other things I wanted to mention, so here they are.

First, my friend Tom (@cdtdelta) has started his own blog. The name of the blog is RAM Slack and he writes about digital forensics. I'm mad at him, because he came up with a way better name for his blog than I did for mine  ;-)

Also, Jason Andress has two books coming out in June, one of which he authored and the other he co-authored. Syngress is the publisher of both books. Jason solo-authored The Basics of Information Security and co-authored Cyber Warfare with Steve Winterfeld. Both look really interesting and I plan to buy both.

Okay, I think that's it for now, but who knows?

A few links

What's this??? Me with another blog post in the short span of 2 whole days? Yep, it's true. I'm really going to try to start posting more often, so we'll see how it goes. I don't have a lot planned for this one, but wanted to mention some other blog posts I thought were worthwhile.

Andre M. DiMino, on his SemperSecurus blog, posted a nice write-up on using Volatility 1.4 to analyze a memory capture from a machine infected by the recently disclosed Adobe 0-day (CVE-2011-0611). Andre does a great job of detailing the work he did, complete with screenshots. I've only dabbled in memory analysis occasionally, but I greatly enjoy reading posts like this that explain in detail how a goal was accomplished and provide the reader with the means of repeating the process in their own lab environment.

On his TaoSecurity blog, Richard Bejtlich recently posted his slides entitled "Cooking the Cuckoo's Egg" from his talk at the DOJ Cybersecurity conference back in February. I just recently bought the book "The Cuckoo's Egg" but haven't started reading it. From looking at the slides, I can tell I would have enjoyed the talk and would love to get the chance to hear Richard speak sometime.

My good friend Brad Garnett has re-titled his blog Digital Forensic Source. Brad is a smart guy and excellent forensics analyst as well. I say nice things about him, even though he calls me old ;-)

I wanted to thank Harlan Carvey for his blog post in which he referred to my review of Windows Registry Forensics. I looked over my blog's stats and found that the overwhelming majority of visits to this blog come directly from his.

Speaking of Harlan, the book he co-authored with Cory Altheide will be out soon. The book is called Digital Forensics with Open Source Tools. This is yet another of those books I plan to get as soon as it's released. I love working with open source tools in both Linux and Windows (especially Linux), so I'm really excited about getting this one soon. I've never met Cory, but I follow him on Twitter and he seems like someone I'd enjoy meeting one day. Very funny guy. Now, if I could just convince Chris Pogue to write a second edition of Unix and Linux Forensic Analysis, all would be well. Unfortunately, last I heard, such a project is not in his plans.

Ira Victor posted a new Case Leads over on the SANS Computer Forensics blog. I really like those Case Leads posts. Everyone who does them really does a fine job of bringing a lot of good info into each post.

Also on the SANS blog, Lenny Zeltser posted an interesting new article entitled Context-Specific Signatures for Computer Security Incident Response. I've thought about creating my own signatures for use with ClamAV before, but so far haven't taken the time to try it. Lenny makes a good case for doing that during an incident to help identify the scope of the incident.

Finally, Corey Harrell created something cool: a digital forensics specific search tool. This was a really cool idea and it works great. It's nice to have that option when needing info on some forensic artifact, saving you the time of wading through all the irrelevant hits just to find that one little nugget of information you need. Well done Corey, and thanks for sharing it!

That's about it for now. Hope to be posting again in the near future.

Tuesday, April 12, 2011

Books I recommend

Just me, back from the blogging dead again for another drive-by blog post! I wanted to mention a couple of books I've read recently that I want to recommend. Notice I said "mention" the books, not review. Frankly, I suck at doing book reviews, so I'm just going to talk about them briefly without going into a full-scale breakdown. If you want to read well-written book reviews, I refer you to the master of that domain, Richard Bejtlich.

The first book I wanted to mention I actually finished quite a while back. There aren't many books (or anything else) that I pre-order. I usually figure that I'll get it when it comes out, no need to pre-order. However, I also have certain favorite authors whose work I look forward to so much that I want it as soon as possible after it becomes available. One of those authors is my friend, Harlan Carvey.

Many of us in the computer forensics world consider Harlan's blog one of those "must read" blogs. His interest and knowledge in the area of the Windows Registry is well known, and his RegRipper tool is one that many of us (including me) use on pretty much every case. So when I heard he was going to be writing a new book called Windows Registry Forensics, I placed my order at the first opportunity.

If you're looking for a book that will teach you step by step how to use some commercial tool, this isn't it. For that, I am thankful. When Harlan first started talking about doing this book, I remember some people asking in comments on his blog if he was going to cover this commercial tool or that for registry analysis. I replied in a comment that if it were up to me, no commercial tools would be concentrated on in the book. Frankly, I'm going to learn a lot more about the registry by actually studying the registry itself, not a commercial tool I may never have. In my opinion, it's far better to concentrate on the registry and get my hands dirty, looking under the hood with open source tools, leaving it to the various commercial vendors to teach you how to use their particular tools. Fortunately, Harlan felt the same way and took the approach I had hoped he would take, resulting in a book I've already referred back to on several occasions while doing case work.

The book is just over 200 pages and divided up into four chapters. The author makes it clear that he isn't going to provide you with every single registry key that may come in handy some day. Rather, he takes the "teach a man to fish" approach and starts you down the path of registry forensic analysis, giving you the knowledge to continue on your own.

Chapter One is a good introduction to just what registry analysis is and reasons you might do it. One thing I liked in this chapter was that he points out the importance of preparing yourself ahead of time, deciding what the goals of your analysis are instead of wasting time just grabbing everything. I know after reading this book that I have changed the way I approach all of my investigative work, not just that which involves the registry.

Chapter Two covers the various free and open source tools available for doing registry analysis. I had already used some of them, but others were new to me. Examining the registry on a live machine, as well as post-mortem analysis, are discussed in this chapter and good examples are given. Tools available for documenting changes to the registry after certain actions are performed (e.g., using Regshot after running a program) are also covered. I thought this chapter did a good job of covering those tools that are out there for anyone to use, such as RegRipper, Regshot, Autoruns and so on.

I was pleased with the whole book, but I have to say I especially enjoyed the final two chapters. Chapter Three is titled "Case Studies: The System," while Chapter Four is "Case Studies: Tracking User Activity." I love reading examples of just how I might put all that I've learned thus far into practical use. I also like "war stories" if you will; real stories of registry analysis telling just how the analysis was conducted and how it turned out. These two chapters do all of that, with real world cases discussed and examples of how to accomplish your goals.

I most certainly recommend Windows Registry Forensics to anyone who wants to learn more about the Windows registry and how it can help you make or break a case. The book is suitable for all forensic examiners, both in the public and private sectors, as well as students and others who simply want to learn more on the subject.

The other book I wanted to mention briefly is Kingpin, by Kevin Poulsen. I just finished reading this book the night before last and must say I really enjoyed it. The book details the criminal exploits of Max Butler, aka Max Vision, who is now doing time in federal prison for the crimes detailed in this book. Butler became a leader in the underground marketing of stolen credit card information, among other "cyber" crimes.

I liked the fact that Poulsen didn't just report the facts, but rather looked at who Max Butler is and perhaps what led to his eventual downfall. Butler's motivations were an important part of the story and I thought all of that was covered well. I have read where others have somewhat criticized Poulsen's approach, as they felt it made Butler more of a sympathetic character than he deserved, but I disagree with that assertion.

Max Butler founded the website Carders Market, where stolen credit card data was traded openly and where vendors of equipment such as card skimmers could offer their products for sale. Butler took the unprecedented step of taking down rival sites and absorbing those sites' members without their permission or desire to do so, in the spirit of bringing the entire carding world together on one site. I remember hearing about this when it happened and found it very interesting indeed. Kevin Poulsen did a great job telling the story of how it all came to be, as well as the stories of the law enforcement agents that finally brought Butler down.

I recommend this book to pretty much anyone who enjoys a great story. One need not be overly techno-savvy to enjoy it, though I'll admit having some passing knowledge of the terminology used in the world of computers and networks doesn't hurt.

That's about all I have time for now. I hope to be back with more posts on a semi-regular basis soon, but I don't make any promises.