Archives For Incident Response

Malware Analysis Quant Research ProjectTom from the c-APT-ure blog recently pointed me to the Malware Analysis Quant Research Project spearheaded by Securosis.  The goal of the project is to develop a malware analysis model, complete with specific processes and metrics.  The published white paper is 53 pages.  Every organization has a malware problem and rapid identification and scoping is a big step towards successfully allocating precious security resources towards important events like attacks from determined adversaries as opposed to commodity worms and malware.  The open nature of the model allows existing infrastructure within your organization to be readily integrated, shifting the focus towards identification and measurement of any process gaps. Those of you routinely hammered by ROI questions will applaud the focus on actionable metrics aimed at cost quantification.

Microsoft Targeted AttackMicrosoft Trustworthy Computing recently released several installments in their Targeted Attacks Video Series.  While the short videos are largely low-tech, the accompanying documents provide detailed mitigation strategies.  Mike Pilkington wrote an excellent review of the 282 page Best Practices for Securing Active Directory document on the SANS Forensics blog.  The Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques deck is also worth a read. Interestingly, Microsoft lists common mitigation techniques like “smart cards and multi-factor authentication” and “jump servers” as having only minimal effectiveness.

Packers are most commonly used for compression, code obfuscation, and malware anti-reversing.  While not always malicious, packers are often a clue to look a little deeper into a particular binary.  Ange Albertini did a marvelous job of representing the (known) universe of executable packers in this infographic.

Universe of Executable Packers

[Click to enlarge]

The full PDF file can be found here.

Device acquisition may not be the sexiest phase of digital forensics, but it has the most number of pitfalls and can result in catastrophic loss.  If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine.  Establishing an acquisition process is important, and a critical part of your process should be checking for the presence of full disk and volume-based encryption.   Disk encryption is more prevalent than many believe –I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter.  If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.

The inherent challenge is how to determine if an encrypted disk or volume exists.  From the perspective of the operating system, data on a mounted volume is available in unencrypted form.  A separate abstraction layer takes care of encrypting write operations and decrypting data for read operations.   Thus  when encountering a live system, investigators are often left with ad-hoc tests to try and make a determination.   They can look for telltale installed software, or particular icons present on the system, but there are few reliable ways to get a confident answer whether encryption does or does not exist.

Truecrypt in Taskbar

Bitlocker is Installed

See any evidence of encryption products?

Continue Reading…

OUCH! Security Awareness Newsletter

I recently had the opportunity to collaborate with the SANS Institute Securing the Human team as a guest editor for their OUCH! Security Awareness Newsletter.  It was a rewarding experience working with such a competent and professional team.  The theme of the September 2012 newsletter is “Hacked: Now What?”.  While I am more used to writing technical articles, topics in OUCH! are written at a higher level and  oriented towards the average computer user.  It was fun to collaborate on topics relevant to this audience.  The goal of the newsletter is to serve as a free resource that organizations of any size can use to increase the security awareness of their employees.  Looking back through the archives, I think it consistently achieves this goal.

Continue Reading…

New anti-forensics tool SetRegTime can change Registry last write times. | via @
Chad Tilbury


Harlan Carvey discusses the ramifications of Windows Registry anti-forensics on his blog:

You can find SetRegTime here:

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

Mastering Windows Network Forensics and InvestigationThe book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts. Continue Reading…

Handy TechNet article describing each of the services installed in the Windows Server & Wkstn family:
Mike Pilkington

Biggest Security Breaches of All Time Continue Reading…

International Cyber Defense Workshop

The string of financial disasters gripping the globe over the past few years is undeniable proof of the interconnected world that we now live in.  Of course, that comes as no surprise to those of us who investigate computer crimes.  I can’t remember a case I have worked on that didn’t have an IP address (or malware) sourcing back to a foreign entity.  The same technology that has increased our productivity and enhanced our quality of life has opened our doors to anyone with an Internet connection.  While many of the voices in the security world seem to be focused on improving domestic security, a key point gets missed: security in a massively interconnected world requires international cooperation and ultimately a global solution.  As an example, the FBI and US Secret Service have been very successful in recent years proving that they can reach out and touch international cyber criminals.  This simply would not be possible without the cooperation and support of foreign governments, courts and law enforcement.  Computer crime is a global phenomenon that can’t be kept in check without international cooperation

Continue Reading…