Archives For July 2011

Geolocate pictures without EXIF data -> Google image search is incredible. #DFIR #privacy
Chad Tilbury

I recently attended a presentation by Phil Hagen named “SQL Ginsu” and it reminded me of just how important SQL can be for data reduction.  I previously wrote a How-To on Log Parser and recently saw a great article on using Log Parser to assist with reviewing the massive amounts of data we can pull from Windows 7 Volume Shadow Copies (link here).  It all led me to remember the Microsoft Log Parser Toolkit book sitting on my shelf and my intention to write a book review.  In short, I found the book to be very informative and relevant.  It should be required reading for any incident responder or forensic analyst.  The review follows.

From my five-star Amazon book review:

My only regret with this book is that I didn’t read it much earlier in my career.  Log Parser is a must have tool for every forensics professional and incident responder.  Imagine having the ability to take almost any chunk of data and quickly search it using SQL-based grammar.  Given the sheer amount of data the average security professional must analyze, Log Parser is perhaps even more relevant today than it was ten years ago.  Gabriele Giuseppini is the creator of Log Parser and he and his co-authors do a superb job of teaching the tool and demonstrating its often overwhelming feature set.  What could be a very dry manual turns out to be very engaging through copious use of real-world examples that can be used immediately to jump start your investigations.  A model for how technical books should be approached.

I am pleased to announce that my talk was accepted at Paraben’s Forensic Innovations 2011 conference (PFIC).  I will be speaking on Computer Intrusion Forensics:  Tools and Techniques to Find Evil.  This will be my third year speaking at the event, and I have grown to look forward to it as a great way to round out the year.  Paraben does an excellent job with consistently good speakers and interesting topics.  The conference price is unbeatable at $299, and it doesn’t hurt that it is being held at a great resort in my hometown (Canyons Resort in Park City, Utah).  If you will be attending, make sure to get in touch so we can meet up!

  • PFIC 2011 Agenda
  • Harlan Carvey posted about his upcoming PFIC talk here.

Note: This post originally appeared on the SANS Forensics blog

As memory forensics has become better understood and more widely accomplished, tools have proliferated.  More importantly, the capabilities of the tools have greatly improved.  Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner.  Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.  We are also seeing novel ways to attack the problem.  One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change.  The idea itself could be as controversial as creating a memory image was just a few years ago.  Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system?  Shouldn’t we still be pulling the plug?  What would they say if we now told them we were going to play “Find the Hacker” on that same live system?  Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal.  And the benefits are great:

  • Inclusion of the system pagefile, providing a more complete picture of memory
  • Digital signature checks of process and driver executables
  • More accurate heuristics matching
  • Faster triage capability

Keep in mind that live analysis still works from physical memory (read through a kernel driver), not from API calls, open handles, or debuggers.  It therefore resists the user-mode hooking and handle hiding used by advanced malware and rootkits just as well as analysis of a standard memory image does.  The one caveat, which applies equally to acquiring an image on a running system, is that malware already executing with kernel privileges can in principle interfere with the acquisition driver’s view of memory.  Convinced yet?  If so, here is how to perform a live memory analysis with the new free tool, Redline:

Continue Reading…

Sony Playstation Network Hack

Continue Reading…

Kaspersky Lab recently provided an interesting writeup of Cidox, a scareware rootkit that infects both the Master Boot Record (MBR) and the NTFS Volume Boot Record (VBR).

The interesting part is that the Initial Program Loader (IPL), the bootstrap code that occupies the 15 sectors following the NTFS boot sector, is overwritten.  Checking only the MBR and the code that follows it is therefore not enough.  A sanity check of the full 16-sector NTFS VBR, and of the boot loader it hands off to (NTLDR in XP and earlier, BOOTMGR in Vista and later), should also be accomplished, ideally by comparing hashes against a known-good copy from the same Windows build.
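As an added example (not from this post or from Kaspersky’s writeup), the following Python script performs that sanity check on a raw disk image: it parses the MBR partition table, hashes the MBR bootstrap code, and for every NTFS partition validates the VBR boot sector (OEM ID, boot signature, BPB HiddenSectors against the partition’s start LBA) and hashes both the boot sector code and the 15 IPL sectors against a baseline.  The disk image, the boot-code bytes and the “known-good” hashes are constructed in memory here for illustration; in a real case the baseline hashes come from a known-good system of the same Windows build, and the image is the suspect drive.

```python
# Added example: sanity-check the MBR *and* the NTFS VBR/IPL of a raw disk
# image. Not from the post or from Kaspersky's writeup; the image below is
# constructed in memory and the "known-good" hashes are derived from it.
import hashlib
import struct

SECTOR = 512
NTFS_VBR_SECTORS = 16            # boot sector + 15 sectors of IPL code
NTFS_PART_TYPE = 0x07
NTFS_OEM_ID = b"NTFS    "


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def parse_mbr(image):
    """Return the hash of the MBR bootstrap code and the non-empty partition entries."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR boot signature missing")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            partitions.append({"type": ptype, "start_lba": start_lba, "sectors": sectors})
    return {"code_sha256": sha256(mbr[:440]), "partitions": partitions}


def parse_ntfs_vbr(image, start_lba):
    """Parse the 16-sector NTFS VBR that begins at start_lba."""
    off = start_lba * SECTOR
    vbr = image[off: off + NTFS_VBR_SECTORS * SECTOR]
    boot = vbr[:SECTOR]
    return {
        "oem_id": boot[3:11],
        "bytes_per_sector": struct.unpack_from("<H", boot, 11)[0],
        "hidden_sectors": struct.unpack_from("<I", boot, 28)[0],
        "total_sectors": struct.unpack_from("<Q", boot, 40)[0],
        "boot_sig_ok": boot[510:512] == b"\x55\xaa",
        "bootcode_sha256": sha256(boot[84:510]),   # code between the BPB and the signature
        "ipl_sha256": sha256(vbr[SECTOR:]),         # sectors 1-15: the Initial Program Loader
    }


def check_boot_records(image, baseline):
    """Return a list of findings; an empty list means MBR and every NTFS VBR match the baseline."""
    findings = []
    mbr = parse_mbr(image)
    if mbr["code_sha256"] != baseline["mbr_code"]:
        findings.append("MBR bootstrap code differs from baseline")
    for part in mbr["partitions"]:
        if part["type"] != NTFS_PART_TYPE:
            continue
        vbr = parse_ntfs_vbr(image, part["start_lba"])
        tag = "partition @LBA %d" % part["start_lba"]
        if vbr["oem_id"] != NTFS_OEM_ID or not vbr["boot_sig_ok"]:
            findings.append(tag + ": VBR boot sector is not a valid NTFS boot sector")
        if vbr["hidden_sectors"] != part["start_lba"]:   # on MBR disks these must agree
            findings.append(tag + ": BPB HiddenSectors (%d) != partition start LBA" % vbr["hidden_sectors"])
        if vbr["bootcode_sha256"] != baseline["vbr_bootcode"]:
            findings.append(tag + ": VBR boot sector code differs from baseline")
        if vbr["ipl_sha256"] != baseline["vbr_ipl"]:
            findings.append(tag + ": IPL (VBR sectors 1-15) differs from baseline")
    return findings


def build_image(mbr_code, vbr_code, ipl, start_lba=2048, part_sectors=4096):
    """Construct a minimal raw image: an MBR with one NTFS partition, plus that partition's VBR."""
    image = bytearray((start_lba + NTFS_VBR_SECTORS) * SECTOR)
    image[0:len(mbr_code)] = mbr_code
    struct.pack_into("<I", image, 440, 0xDEADBEEF)                       # disk signature
    struct.pack_into("<B3sB3sII", image, 446, 0x80, b"\0\0\0", NTFS_PART_TYPE, b"\0\0\0", start_lba, part_sectors)
    image[510:512] = b"\x55\xaa"
    boot = start_lba * SECTOR
    image[boot:boot + 3] = b"\xeb\x52\x90"                                # jump over the BPB
    image[boot + 3:boot + 11] = NTFS_OEM_ID
    struct.pack_into("<HB", image, boot + 11, SECTOR, 8)                  # bytes/sector, sectors/cluster
    struct.pack_into("<I", image, boot + 28, start_lba)                   # HiddenSectors
    struct.pack_into("<Q", image, boot + 40, part_sectors - 1)            # TotalSectors
    image[boot + 84:boot + 84 + len(vbr_code)] = vbr_code
    image[boot + 510:boot + 512] = b"\x55\xaa"
    image[boot + SECTOR:boot + SECTOR + len(ipl)] = ipl
    return bytes(image)


# Constructed stand-ins for real boot code (a real IPL is several KB of 16-bit code).
MBR_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
VBR_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 20
CLEAN_IPL = bytes(range(256)) * 30                                         # exactly 15 sectors
CLEAN_IMAGE = build_image(MBR_CODE, VBR_CODE, CLEAN_IPL)

# Baseline taken from the constructed clean image; in practice, from a known-good system.
BASELINE = {
    "mbr_code": parse_mbr(CLEAN_IMAGE)["code_sha256"],
    "vbr_bootcode": parse_ntfs_vbr(CLEAN_IMAGE, 2048)["bootcode_sha256"],
    "vbr_ipl": parse_ntfs_vbr(CLEAN_IMAGE, 2048)["ipl_sha256"],
}


def infect_ipl(image, payload):
    """Simulate a bootkit that leaves the MBR untouched and overwrites the start of the IPL."""
    img = bytearray(image)
    ipl_off = 2048 * SECTOR + SECTOR
    img[ipl_off:ipl_off + len(payload)] = payload
    return bytes(img)


INFECTED_IMAGE = infect_ipl(CLEAN_IMAGE, b"\xe9\x00\x02" + b"\xcc" * 61)

if __name__ == "__main__":
    print("clean:   ", check_boot_records(CLEAN_IMAGE, BASELINE))
    print("infected:", check_boot_records(INFECTED_IMAGE, BASELINE))
```

The point of the example is the last two checks: an image whose MBR hashes clean still gets flagged because the IPL sectors differ from the baseline.  The HiddenSectors comparison costs nothing and catches a boot sector that has been pointed somewhere other than its own partition.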

A couple of great pages for detailed information on the MBR and NTFS VBR follow.


Digitally signed malware on the rise <-IR procedures need to adapt (via @) #DFIR
Chad Tilbury

Note: This post originally appeared on the SANS Forensics blog

As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher.  But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge.  Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted encrypted volumes.   Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.

Continue Reading…