SANS SEC 508 - Discussion
I plan to use this site to post discussion topics related to each session's materials, supplemental resources, and current events relating to our class. I ask that everyone keep their comments professional and related to class. If you don't want to post your question in this public forum, then please send me an email directly or ask me in class.
I am still working on making this part of the site interactive, so check back soon.
Wed, Apr 1, 2009 -- Updated Study Aid for Certification Exam
I have posted two copies of the Book Index that Johnny, from the other section, updated based on the version previous students had compiled. The first is sorted in page order (MS Word file) and the second is alphabetical by topic (MS Word file).
Posted By: Evan Wheeler
Fri, Mar 27, 2009 -- Malware Analysis Tools
On Wednesday in class, we talked about fuzzy hashing, but I didn't have time to show you how the ssdeep.exe tool works. If you would like a more detailed analysis of how this technique works, check out these resources:
I also showed you how to use the Sysinternals suite of tools and SysAnalyzer from iDefense to perform malware analysis without having to know anything about programming. Book 6 also has a nice supplemental section at the end which walks you through some of the more technical approaches to malware analysis. Try the following resources for additional information on the art of malware analysis:
We also looked at several free online resources for malware sandbox analysis that I find helpful.
I also briefly mentioned Image Mount Pro and Virtual Forensic Computing (VFC) for Windows. These are excellent tools that let you mount a disk image in Windows like we have been doing on our Linux workstation, and VFC allows you to boot a disk image using VMware Player.
Posted By: Evan Wheeler
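The fuzzy hashing mentioned in this post, as an added example that is not ssdeep's code or part of the original post: a deliberately simplified context-triggered piecewise hash (a rolling trigger over the last seven bytes, one base64 character of FNV-1 per chunk) plus a similarity score, run over constructed sample data to show why a small edit barely moves the signature while unrelated data scores near zero.

```python
import difflib

# Simplified context-triggered piecewise hashing (CTPH) in the spirit of ssdeep.
# Added example, not ssdeep's code: the rolling hash and the similarity score
# are deliberately simpler than the real tool's (ssdeep also auto-picks block size).
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME, WINDOW = 0x28021967, 0x01000193, 7

def ctph(data: bytes, block_size: int = 64) -> str:
    """Return 'block_size:signature'. A chunk boundary is set wherever the
    rolling value of the last 7 bytes hits block_size-1; each chunk is
    summarised by one base64 character of its FNV-1 hash, so a local change
    only disturbs the characters around it instead of the whole digest."""
    sig, h = [], FNV_INIT
    window = bytearray(WINDOW)
    for i, b in enumerate(data):
        window[i % WINDOW] = b
        h = ((h * FNV_PRIME) ^ b) & 0xFFFFFFFF          # FNV-1 step for this chunk
        if sum(window) % block_size == block_size - 1:   # context trigger
            sig.append(B64[h & 63])
            h = FNV_INIT
    sig.append(B64[h & 63])                              # final partial chunk
    return f"{block_size}:{''.join(sig)}"

def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score; signatures with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio())

def sample_bytes(seed: int, n: int = 2048) -> bytes:
    """Deterministic pseudo-random bytes (constructed test data from an LCG)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

if __name__ == "__main__":
    original = sample_bytes(1)
    patched = original[:1000] + b"XYZ" + original[1003:]   # 3-byte edit
    unrelated = sample_bytes(2)
    print(ctph(original))
    print("original vs patched  :", similarity(ctph(original), ctph(patched)))
    print("original vs unrelated:", similarity(ctph(original), ctph(unrelated)))
```

A conventional MD5 of the patched copy would share nothing with the original, which is exactly the gap fuzzy hashing closes when hunting for repacked or lightly modified malware.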
Mon, Mar 23, 2009 -- Legal Resources
Tonight we discussed our own experiences with notifying third parties about a security incident. Whether that be another victim, an affected vendor, or a security advisory, make sure you know who in your organization is authorized to make that call. Chances are it isn't you.
In addition to joining InfraGard, I highly recommend looking into the HTCIA if you plan to get involved in the computer forensic world. We have a local chapter of this organization in New England that is strongly supported by local experts from law enforcement and private industry. Here are some links in case you are ever inclined to escalate an incident to law enforcement over the Internet:
If nothing else, these sites provide some good information about what kinds of information law enforcement may initially require when you contact them. In the context of reporting vulnerabilities or security incidents, I also mentioned the FS-ISAC as an example of an industry-specific version of a CERT. Members of the financial industry use this forum to share security intelligence. It also provides good advisories for security issues in the context of the financial sector. Several similar ISACs exist for other industries as well, such as the Multi-State ISAC.
Posted By: Evan Wheeler
Tue, Mar 17, 2009 -- Bypassing Disk Encryption, Cold Boot Attack
The cold boot attack is really old news at this point, but from my perspective the most important finding that came out of this research is the ability to find disk encryption keys or passwords in memory and extract them. If you come across a system in a live state and you suspect it has full disk encryption, being able to extract the private key from memory may really help your investigation. What if you gather all the volatile information and image the drive live, shut it down and then realize later that you missed something? Or maybe you're being challenged on the authenticity of the image. This might be your only way to decrypt it. Unfortunately the researchers at Princeton have not released the details of their methods as far as I know. Here are some links to related news:
Hopefully they will release their methodology for the memory analysis piece at least.
Posted By: Evan Wheeler
Tue, Mar 17, 2009 -- Some Incident Response Resources
On Monday I mentioned some incident response tools that can be useful when performing a forensic response. I recommend trying out the following:
Also look at this documentation:
The last link describes a boot CD (F.I.R.E.) which is very similar to Helix and actually predated it. It is not commonly used today, but I think the concepts in the paper are applicable in more modern toolkits as well. It never hurts to have more tools at your disposal.
Posted By: Evan Wheeler
Tue, Mar 17, 2009 -- Missing Network Capture Files
I have posted copies of the two missing network capture files that we went through yesterday (wiretap.zip and windows_ethereal_capture.zip). These should have been included in your workstation image, and I have notified SANS about the error. I apologize for the inconvenience. I encourage you to go through these network forensic exercises (Supplement 1 in Books 2-3 and 4) manually, and then try out the tools I showed you in class. Compare your results.
Posted By: Evan Wheeler
Mon, Mar 16, 2009 -- Online Hash Database Resources
Today in class, we will talk about using hashes to exclude known good files from your analysis or to identify known malicious files. The following are good resources for building a hash database:
In most cases these hashes can be imported into the tools we are using (such as Autopsy) with little or no manipulation. You can also always create your own hash database for your own system builds and operating systems using the md5deep and hfind tools.
Posted By: Evan Wheeler
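An added example (not md5deep, hfind or Autopsy code) of the known-good/known-bad exclusion described in this post: it parses md5deep-style hash lists, hashes a constructed set of evidence files, and reports which can be excluded, which match a known-bad entry, and which still need a look. The file names, contents and hash lists are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not md5deep/hfind/Autopsy code: build hash sets from
# md5deep-style output ("<md5>  <path>" per line), then sort evidence files
# into known-bad, known-good (excludable) and unknown (needs a look).

def md5_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB blocks so large evidence files are not read whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_hash_set(text: str) -> set:
    """Parse md5deep-style lines into lowercase hashes; skip blank lines and
    '#' comments and ignore the filename column."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hashes.add(line.split()[0].lower())
    return hashes

def triage(root: Path, known_good: set, known_bad: set) -> dict:
    """Classify every file under root; a known-bad match outranks known-good."""
    result = {"known_bad": [], "known_good": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = md5_file(path)
        bucket = ("known_bad" if digest in known_bad
                  else "known_good" if digest in known_good else "unknown")
        result[bucket].append(path.name)
    return result

def demo(root=None) -> dict:
    """Constructed evidence set (hypothetical contents, not real binaries)."""
    root = Path(root or tempfile.mkdtemp())
    stock = {"notepad.exe": b"stock notepad build", "calc.exe": b"stock calc build",
             "svchost.exe": b"stock svchost build"}
    on_disk = dict(stock, **{"svchost.exe": stock["svchost.exe"] + b"\x90" * 8,  # tampered
                             "update.exe": b"dropper payload"})
    for name, body in on_disk.items():
        (root / name).write_bytes(body)
    good_db = "# constructed known-good list\n" + "".join(
        f"{hashlib.md5(body).hexdigest()}  C:\\Windows\\{name}\n" for name, body in stock.items())
    bad_db = f"{hashlib.md5(on_disk['update.exe']).hexdigest()}  dropper.exe\n"
    return triage(root, load_hash_set(good_db), load_hash_set(bad_db))

if __name__ == "__main__":
    print(demo())
```

The tampered svchost.exe lands in "unknown" rather than "known_good" because a single appended byte changes its MD5, which is the whole point of excluding only exact matches against a trusted hash set.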
Thu, Mar 12, 2009 -- Timelining with MS Access & Dirty Words List
I have posted a copy of the MS Access database (ZIP file) I used to analyze the Batman timeline in class today. It includes a few saved queries that focus on identifying noteworthy events based on some common criteria. I have found that this really helps me dig through large data sets. I also told you that I would share my own Dirty Words List (TXT file) that I have been compiling over the years. I find it useful when I am starting a case and don't know where to start looking for an infection or compromise. You would be surprised how often just a list of curse words can quickly point you in the right direction. I have also found this helps to quickly identify symptoms I have seen in previous cases. This list shouldn't replace the specific keywords list you build for each investigation, but you should be adding to it after each case is complete. I have asked other people in the community to share their own lists, but I haven't had any luck so far.
Posted By: Evan Wheeler
Tue, Mar 10, 2009 -- Additional Acquisition Resources
If you're looking for information about hardware and software write blockers from a trusted source, take a look at NIST's Computer Forensic Tool Testing pages:
If you have the budget for some high-end equipment, I personally like to get my gear from Digital Intelligence. They sell mobile devices, as well as workstations with all the bells and whistles for acquisition and analysis. If you find yourself doing a lot of media acquisitions, I would recommend looking at their products.
Posted By: Evan Wheeler
Mon, Mar 9, 2009 -- Some Evidence Acquisition and Imaging Resources
I recommend that you check out the following evidence acquisition resources as a supplement to this week's materials:
There are many commercial and open source tools out there, and even many that aren't specifically forensic tools, so you need to learn how to validate new tools. The above resources are a good start.
Posted By: Evan Wheeler
Thu, Mar 5, 2009 -- Forensic Incident Response
If you are looking for additional resources, these sites all provide a wealth of content and links to other popular digital forensic resources:
I read the SANS blog often as a way to keep up on the latest developments in the field. I actually maintain the last site listed above and use it as a way to organize the resources I find valuable during an investigation. We went through some of the basic features of the live Windows side of Helix in class this week, but I also recommend that you take a look at its bootable Linux interface. Once you are comfortable with it, check out the Boot Options section on page 99 of the Helix Guide v0307 (PDF) for cheat codes and advanced settings when booting with Helix.
Posted By: Evan Wheeler
Wed, Feb 25, 2009 -- Forensic Tool Testing
If you would like to learn more about digital forensic tools that have been validated by a trusted third party, check out these two sites:
Also, another good resource for those of you who are building a jump bag for forensic investigations can be found at this site: http://www.squidoo.com/jumpbag.
Posted By: Evan Wheeler