Wednesday, June 29, 2011

A few links

Corey Harrell has a review of Digital Forensics with Open Source Tools up on his Journey Into Incident Response blog. He recommends the book, just as I and quite a few others have done as well. If you don't normally read Corey's blog, you should start doing so. He's always got great content there.


Claus has a very interesting and helpful post up on the Grand Stream Dreams blog titled Anti-Malware Tools of Note. This is an excellent write-up about the tools and some of the methods he uses in combating malware infections. This is another excellent blog that is well worth taking the time to read regularly.

Over on the Windows Incident Response blog, Harlan Carvey has a new post titled Meetup, Tools and Other Stuff. In addition to several other topics, he talks about his research into Windows 7 Jump Lists, as well as information on the Master Boot Record. Jump Lists have become a topic of interest lately and deservedly so. Harlan has done a great job researching them and provides a nice write-up of what he's discovered thus far. Kudos to him for sharing this information and to everyone who does research and shares what they find.

Also, the talk about the MBR is quite interesting. Harlan mentions some tools and other resources for further study. I plan to try out the tools he links to and see for myself if they'll do the job I need done.

This topic is quite timely, given this post at the Microsoft Malware Protection Center blog on Technet about the 'bootkit' they call Trojan:Win32/Popureb.E. According to MS, the solution when your system is infected by this particular malware is to "simply" do an MBR repair followed by an operating system reinstall. I plan to do considerably more reading about this in the very near future, as the number of PCs being brought to me for malware cleanup has been increasing greatly as of late. If I learn anything useful, I'll post it here.


I still hope to learn how to reverse engineer malware and bought "Introduction to 80x86 Assembly Language and Computer Architecture" to help me learn that part of the reverse engineering process. I just started reading it, so I'm far from knowing much about the subject now, but hope to be able to put what I learn from it to good use soon.



I'm still catching up on all my favorite blogs, so I'm sure I've left out more than a few posts by others. I'm hoping to get caught up on all my reading in the next day or two and I'll post if I see something of interest.

Wednesday, June 22, 2011

Quick Post

Wanted to do a quick post here to say my review of Digital Forensics with Open Source Tools is now up on the SANS Computer Forensics Blog. As a frequent user of open source forensic tools, I found this book an excellent addition to my library. I think most forensic examiners will benefit from it in some way, while I think it could be essential reading for newcomers to the field.

On another subject, it's not often I give props to Microsoft, but today will be one of those rare moments. I think it's great that they've released their Microsoft Safety Scanner for both 32-bit and 64-bit versions of Windows. This tool will create either a bootable CD, USB flash drive or an .iso image for later burning. Just this morning I used it on an infected system brought to me and was impressed with the ease of use. Basically, it's a standalone version of their Microsoft Security Essentials antivirus and it seems to work very well. It's nice to get new tools from vendors to help clean up the messes created by the various malware people find accidentally every day. You can download the tool from the Microsoft Safety Scanner webpage.

Speaking of malware, I've been seeing a lot of infections by yet another fake security application. Most recently I've been receiving quite a few machines for clean up that are infected with variants called XP Recovery, Windows Vista Repair and so on. This one sets the hidden attribute on most every file and folder on the system and then does a fake scan claiming all sorts of terrible problems exist on your system and encourages you to pay the ransom register the program so it can fix your problems and get your files back. It doesn't seem to do any serious damage at first, but the one I'm repairing now did get the extra gift of a rootkit patch to the C:\Windows\System32\drivers\volsnap.sys file. It would be really nice if those responsible for creating these fake security programs would find new jobs as speed bumps for trains.

An excellent resource for information on fake security apps and other malware is the S!RI.URZ blog. The information there has been helpful to me on quite a few occasions.

That's all for now.

Thursday, June 16, 2011

And..... it's over

Over, as in my two weeks of conferences are now complete. Last time, I talked about my plans to attend both the SANS 2011 Digital Forensics and Incident Response Summit in Austin, TX followed the next week by the 2nd Annual Sleuth Kit and Open Source Digital Forensics Conference in McLean, VA. Those two events are now history and I'm happy to say I enjoyed both very much. As seems to always happen, I looked so forward to them and then once it was time for them they just flew by. Ah well, perhaps I'll have the good fortune to attend one or both of them again next year.

One of the truly great things about these conferences, aside from the excellent presentations, was the tremendous opportunity to network with others in the field. I have been so happy to find that the "superstars" of this field are just like the rest of us, except way smarter ;-) Seriously, they're really good people and I was glad to meet and greet with them. Both conferences provided multiple opportunities to interact with the other attendees and speakers. Both were very well run and well attended as well, which is understandable given the quality of the speakers and the topics they were presenting.

Without a doubt, the best part of the two conferences for me was finally getting the chance to meet some of the people I've "known" online for several years but never met in person. Finally putting a face with the name for people I'd never even seen before was really cool. I talked with several of them over the two conferences about how we all have considered each other as friends, despite the lack of ever actually meeting in person. In most cases, we've managed to connect via Twitter and some of us have forged very close friendships with other "tweeps" who share our job interests and duties. There are many social media websites and services, but I would find it hard to believe any have a greater ability to unite people in the digital forensics and security fields than Twitter.

Each conference was great overall, with each only having one presentation I was a little disappointed in, though for different reasons. In fact, I wouldn't even say I was disappointed in the second one I'll talk about, but it was the one I got the least out of for reasons I'll explain.

I really enjoyed every speaker at SANS but one, even though some talked about subjects pretty far over my head. Unfortunately, one speaker seemed far more interested in promoting his product and showing his arrogance than conveying information. That seemed to be the general consensus of most everyone in the room from what I was able to tell and that's a shame, as the talk could have been very good. As he went on, it got better and more informative, but by that time he'd already lost most of the crowd. I read more than a few tweets by other attendees and heard many whispered comments complaining about this speaker while he was still talking.

At the open source conference, all speakers were likable and informative. Unfortunately, one spoke only very broken English, making it hard to really follow what he was talking about. He was aware of that and started off his talk by apologizing for his poor English. Just the same, he did his best and completed his talk. The information he provided was interesting and the slides he used were helpful, so I really hesitate to say I was "disappointed" exactly. The subject of his talk was something I was really interested in, but it was hard to come away with anything useful.

Overall, these two conferences were chock full of great information, both in the talks and in the informal meet-ups. I truly hope I can attend one or both next year, as they were both great learning experiences. Thanks to Rob Lee and Brian Carrier for all their hard work in getting these conferences up and running each year.