Packers are most commonly used for compression, code obfuscation, and malware anti-reversing. While not always malicious, packers are often a clue to look a little deeper into a particular binary. Ange Albertini did a marvelous job of representing the (known) universe of executable packers in this infographic.
Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of your process should be checking for the presence of full disk and volume-based encryption. Disk encryption is more prevalent than many believe; I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter. If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.
The inherent challenge is how to determine whether an encrypted disk or volume exists. From the perspective of the operating system, data on a mounted volume is available in unencrypted form. A separate abstraction layer takes care of encrypting write operations and decrypting data for read operations. Thus when encountering a live system, investigators are often left with ad hoc tests to try to make a determination. They can look for telltale installed software, or particular icons present on the system, but there are few reliable ways to get a confident answer as to whether encryption does or does not exist.
I recently had the opportunity to collaborate with the SANS Institute Securing the Human team as a guest editor for their OUCH! Security Awareness Newsletter. It was a rewarding experience working with such a competent and professional team. The theme of the September 2012 newsletter is “Hacked: Now What?”. While I am more used to writing technical articles, topics in OUCH! are written at a higher level and oriented towards the average computer user. It was fun to collaborate on topics relevant to this audience. The goal of the newsletter is to serve as a free resource that organizations of any size can use to increase the security awareness of their employees. Looking back through the archives, I think it consistently achieves this goal.
Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources. The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics. I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly. That said, the topics covered do not fit within the classical definition of network forensics. A more apt title might be Mastering Incident Response Forensics and Investigations.
This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing. The authors blended dense material with relevant examples and insightful and engaging text boxes. Some of my favorite “side” topics were:
“Cross-platform Forensic Artifacts”
“Registry Research”, illustrating the use of Procmon for application footprinting
“Time is of the Essence”, explaining fast forensics using event logs and the registry
The book begins with four chapters familiarizing the reader with Windows networking. While this may slow down those hungry for forensics topics, they are replete with information. Windows domains, hacking methodology, and Windows credentials are all described in these early chapters. Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise. While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks. It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.
The string of financial disasters gripping the globe over the past few years is undeniable proof of the interconnected world that we now live in. Of course, that comes as no surprise to those of us who investigate computer crimes. I can’t remember a case I have worked on that didn’t have an IP address (or malware) sourcing back to a foreign entity. The same technology that has increased our productivity and enhanced our quality of life has opened our doors to anyone with an Internet connection. While many of the voices in the security world seem to be focused on improving domestic security, a key point gets missed: security in a massively interconnected world requires international cooperation and ultimately a global solution. As an example, the FBI and US Secret Service have been very successful in recent years proving that they can reach out and touch international cyber criminals. This simply would not be possible without the cooperation and support of foreign governments, courts and law enforcement. Computer crime is a global phenomenon that can’t be kept in check without international cooperation.
I have been using F-Response Tactical lately and wanted to share some of my thoughts. When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases. I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms. These tools are largely agent-based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis. F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post. F-Response Tactical takes a different approach. It uses a paired set of dongles instead of agents. While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use. To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network. The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject. Once connected, you have full access to all physical disks, volumes, and memory on the Subject system. Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points. These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.
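The F-Response post above describes working at the raw device level, and the earlier post on disk encryption notes how few reliable ways there are to tell whether an encrypted volume exists. The script below is an added example that ties the two together; it is my code, not from either post and not part of F-Response. It assumes a seekable raw device or image with an MBR partition table (the sample image, the partition layout, and the `triage_disk` / `classify_volume` names are all constructed for this example). It enumerates the partitions and labels each boot sector by a known OEM signature (NTFS, exFAT, common FAT strings, and BitLocker’s "-FVE-FS-") or, failing that, by byte entropy, which is the only clue left for containers that carry no header at all. The random-filled third partition stands in for such a container.

```python
import io
import math
import random
import struct

SECTOR = 512

# Boot-sector OEM identifiers (8 bytes at offset 3) and the label assigned to each.
# Assumption: these are the common plaintext-filesystem and BitLocker strings;
# FAT OEM names vary by formatter, so a missing match proves nothing by itself.
OEM_SIGNATURES = {
    b"NTFS    ": "ntfs",
    b"EXFAT   ": "exfat",
    b"MSDOS5.0": "fat",
    b"MSWIN4.1": "fat",
    b"-FVE-FS-": "bitlocker",   # BitLocker replaces the NTFS OEM ID with this
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_volume(sample: bytes, entropy_threshold: float = 7.5) -> str:
    """Label the first sectors of a volume.

    ntfs/exfat/fat : known plaintext filesystem header
    bitlocker      : BitLocker signature, the volume is encrypted at rest
    blank          : all zero, nothing to capture
    opaque         : no header and near-random bytes, the profile of a
                     signature-less encrypted container; image it while mounted
    unknown        : no header, low entropy (unsupported filesystem or junk)
    """
    oem = sample[3:11]
    if oem in OEM_SIGNATURES:
        return OEM_SIGNATURES[oem]
    if not any(sample):
        return "blank"
    if shannon_entropy(sample) >= entropy_threshold:
        return "opaque"
    return "unknown"


def parse_mbr(mbr: bytes):
    """Yield (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                       # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            yield ptype, start, count


def triage_disk(dev, sample_sectors: int = 8):
    """Read the MBR from a seekable raw device or image and classify each partition."""
    dev.seek(0)
    results = []
    for ptype, start, count in parse_mbr(dev.read(SECTOR)):
        if ptype == 0xEE:                       # GPT protective entry; GPT itself is not parsed here
            results.append((start, ptype, "gpt-protective"))
            continue
        dev.seek(start * SECTOR)
        sample = dev.read(min(sample_sectors, count) * SECTOR)
        results.append((start, ptype, classify_volume(sample)))
    return results


def triage_image(data: bytes):
    """Convenience wrapper for an in-memory disk image."""
    return triage_disk(io.BytesIO(data))


def build_test_disk() -> bytes:
    """Constructed 112 KiB image: an NTFS, a BitLocker and a random-filled volume."""
    rng = random.Random(1)                      # deterministic stand-in for ciphertext
    disk = bytearray((192 + 32) * SECTOR)

    def entry(i, ptype, start, count):
        base = 446 + 16 * i
        disk[base + 4] = ptype
        struct.pack_into("<II", disk, base + 8, start, count)

    entry(0, 0x07, 64, 32)
    entry(1, 0x07, 128, 32)
    entry(2, 0x83, 192, 32)
    disk[510:512] = b"\x55\xaa"
    disk[64 * SECTOR + 3: 64 * SECTOR + 11] = b"NTFS    "
    disk[128 * SECTOR + 3: 128 * SECTOR + 11] = b"-FVE-FS-"
    disk[192 * SECTOR: 224 * SECTOR] = bytes(rng.getrandbits(8) for _ in range(32 * SECTOR))
    return bytes(disk)


if __name__ == "__main__":
    for start, ptype, label in triage_image(build_test_disk()):
        print(f"LBA {start:>6}  type 0x{ptype:02x}  {label}")
```

Against a real device you would pass `open(path, "rb")` to `triage_disk` (the raw device path, such as a `\\.\PhysicalDrive` name on Windows, is an assumption of the deployment, not part of the sample). Read the labels conservatively: an "opaque" result is a prompt to capture the mounted volume before powering down, not proof of encryption, since compressed data or a drive wiped with random bytes looks the same; and the BitLocker signature tells you the volume is encrypted at rest, not whether it is currently unlocked.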
I am pleased to announce that my talk was accepted at Paraben’s Forensic Innovations 2011 conference (PFIC). I will be speaking on Computer Intrusion Forensics: Tools and Techniques to Find Evil. This will be my third year speaking at the event, and I have grown to look forward to it as a great way to round out the year. Paraben does an excellent job with consistently good speakers and interesting topics. The conference price is unbeatable at $299, and it doesn’t hurt that it is being held at a great resort in my hometown (Canyons Resort in Park City, Utah). If you will be attending, make sure to get in touch so we can meet up!