Archives For Incident Response

Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss.  If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine.  Establishing an acquisition process is important, and a critical part of that process should be checking for the presence of full disk and volume-based encryption.  Disk encryption is more prevalent than many believe; I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter.  If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.

The inherent challenge is determining whether an encrypted disk or volume exists at all.  From the perspective of the operating system, data on a mounted volume is available in unencrypted form.  A separate abstraction layer takes care of encrypting write operations and decrypting data for read operations.  Thus, when encountering a live system, investigators are often left with ad-hoc tests to make a determination.  They can look for telltale installed software or particular icons present on the system, but there are few reliable ways to get a confident answer as to whether encryption does or does not exist.

[Figure: TrueCrypt in the taskbar]  [Figure: BitLocker is installed]

See any evidence of encryption products?
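The ad-hoc tests above work at the level of the operating system, which is exactly where the encryption layer has already done its decryption.  As an added example (not code from the original post), the Python script below instead looks at the raw volume: it reads the leading sectors of a device or image and applies two checks, a lookup of known boot-sector signatures (NTFS, exFAT and FAT OEM IDs, plus the "-FVE-FS-" OEM ID that BitLocker writes at offset 3) and the Shannon entropy of the first eight sectors, which is near 8 bits per byte for a headerless encrypted volume such as a TrueCrypt container and far lower for plaintext boot code.  The sample volume heads are constructed inline, and the 7.5 bits-per-byte threshold is an assumption chosen for an 8-sector sample.

```python
"""Added example, not code from the original post: triage a raw volume for
full-volume encryption from its leading sectors.

Two checks are combined:
  1. Boot-sector signatures. NTFS, exFAT and FAT volumes carry a fixed OEM ID
     or filesystem label at a known offset; a BitLocker-encrypted volume
     replaces the OEM ID at offset 3 with "-FVE-FS-".
  2. Shannon entropy of the first SAMPLE_BYTES. Plaintext boot code and
     filesystem metadata are highly structured, whereas an encrypted volume
     without a recognisable header (a TrueCrypt container, for instance, whose
     header is indistinguishable from random data) reads as near-uniform noise.

Sample volume heads are constructed inline so the script runs offline.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SECTOR = 512
SAMPLE_BYTES = 8 * SECTOR      # leading bytes fed to the entropy check
HIGH_ENTROPY = 7.5             # bits/byte; assumed threshold for an 8-sector sample

# (offset, magic, label): volume boot-sector signatures checked in order.
SIGNATURES = [
    (0x03, b"-FVE-FS-", "BitLocker"),
    (0x03, b"NTFS    ", "NTFS"),
    (0x03, b"EXFAT   ", "exFAT"),
    (0x52, b"FAT32   ", "FAT32"),
    (0x36, b"FAT16   ", "FAT16"),
    (0x36, b"FAT12   ", "FAT12"),
]


@dataclass
class Verdict:
    signature: Optional[str]   # matched label, or None
    entropy: float             # bits per byte over the sampled head
    assessment: str            # human-readable triage result


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def match_signature(boot_sector: bytes) -> Optional[str]:
    """Return the label of the first signature found in the volume boot sector."""
    for offset, magic, label in SIGNATURES:
        if boot_sector[offset:offset + len(magic)] == magic:
            return label
    return None


def assess_volume(head: bytes) -> Verdict:
    """Classify a volume from its leading bytes (at least one sector expected)."""
    signature = match_signature(head[:SECTOR])
    entropy = shannon_entropy(head[:SAMPLE_BYTES])
    if signature == "BitLocker":
        assessment = "encrypted: BitLocker volume signature present"
    elif signature is not None:
        assessment = f"plaintext filesystem: {signature}"
    elif entropy >= HIGH_ENTROPY:
        assessment = "suspect encrypted: no known signature and high entropy"
    else:
        assessment = "unknown: no known signature, low entropy (blank or unrecognised)"
    return Verdict(signature, round(entropy, 2), assessment)


def assess_device(path: str, volume_offset: int = 0) -> Verdict:
    """Read the head of a raw device or image file; volume_offset selects a partition."""
    with open(path, "rb") as f:
        f.seek(volume_offset)
        return assess_volume(f.read(SAMPLE_BYTES))


# --- constructed sample heads (not captured from real systems) ---------------

def _boot_sector(oem_id: bytes) -> bytes:
    """Minimal boot sector: jump stub, 8-byte OEM ID at offset 3, 0x55AA trailer."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = oem_id
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def constructed_ntfs_head() -> bytes:
    return _boot_sector(b"NTFS    ") + bytes(SAMPLE_BYTES - SECTOR)


def constructed_bitlocker_head() -> bytes:
    return _boot_sector(b"-FVE-FS-") + bytes(SAMPLE_BYTES - SECTOR)


def constructed_headerless_encrypted_head() -> bytes:
    """Stands in for a TrueCrypt-style volume: seeded pseudo-random bytes, no header."""
    rng = random.Random(2012)
    return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))


if __name__ == "__main__":
    for name, head in [("ntfs", constructed_ntfs_head()),
                       ("bitlocker", constructed_bitlocker_head()),
                       ("headerless", constructed_headerless_encrypted_head())]:
        print(f"{name:10s} {assess_volume(head)}")
```

Point `assess_device` at the raw device (a physical drive or partition device) or a raw image, not at a mounted logical volume, since the mounted view is the already-decrypted one.  On a whole-disk image, offset 0 holds the MBR or GPT rather than a volume boot sector, so pass the partition's byte offset as `volume_offset`.  Treat the result as triage, not proof: a volume that has been encrypted in place but whose first sectors hold a boot loader will read as low entropy, and a freshly wiped volume filled with random data will read as high entropy with no signature.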

Continue Reading…

OUCH! Security Awareness Newsletter

I recently had the opportunity to collaborate with the SANS Institute Securing the Human team as a guest editor for their OUCH! Security Awareness Newsletter.  It was a rewarding experience working with such a competent and professional team.  The theme of the September 2012 newsletter is “Hacked: Now What?”.  While I am more used to writing technical articles, topics in OUCH! are written at a higher level and  oriented towards the average computer user.  It was fun to collaborate on topics relevant to this audience.  The goal of the newsletter is to serve as a free resource that organizations of any size can use to increase the security awareness of their employees.  Looking back through the archives, I think it consistently achieves this goal.

Continue Reading…

Tweet by Chad Tilbury (@chadtilbury):
New anti-forensics tool SetRegTime can change Registry last write times. | http://t.co/atWsf4sE via @

Harlan Carvey discusses the ramifications of Windows Registry anti-forensics on his blog:  http://windowsir.blogspot.com/2012/08/setregtime.html.

You can find SetRegTime here: http://code.google.com/p/mft2csv/wiki/SetRegTime

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

The book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.

Continue Reading…

Tweet by Mike Pilkington (@mikepilkington):
Handy TechNet article describing each of the services installed in the Windows Server & Wkstn family: http://t.co/q8EaTaHX

Biggest Security Breaches of All Time

Continue Reading…

International Cyber Defense Workshop

The string of financial disasters gripping the globe over the past few years is undeniable proof of the interconnected world we now live in.  Of course, that comes as no surprise to those of us who investigate computer crimes.  I can’t remember a case I have worked on that didn’t have an IP address (or malware) sourcing back to a foreign entity.  The same technology that has increased our productivity and enhanced our quality of life has opened our doors to anyone with an Internet connection.  While many of the voices in the security world seem to be focused on improving domestic security, a key point gets missed: security in a massively interconnected world requires international cooperation and ultimately a global solution.  As an example, the FBI and US Secret Service have been very successful in recent years proving that they can reach out and touch international cyber criminals.  This simply would not be possible without the cooperation and support of foreign governments, courts and law enforcement.  Computer crime is a global phenomenon that can’t be kept in check without international cooperation.

Continue Reading…

I have been using F-Response Tactical lately and wanted to share some of my thoughts.  When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases.  I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms.  These tools are largely agent based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis.  F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post.   F-Response Tactical takes a different approach.  It uses a paired set of dongles instead of  agents.  While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use.  To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network.  The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject.  Once connected, you have full access to all physical disks, volumes, and memory on the Subject system.  Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points.  These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.

Live Response Applications

Continue Reading…

I am pleased to announce that my talk was accepted at Paraben’s Forensic Innovations 2011 conference (PFIC).  I will be speaking on Computer Intrusion Forensics:  Tools and Techniques to Find Evil.  This will be my third year speaking at the event, and I have grown to look forward to it as a great way to round out the year.  Paraben does an excellent job with consistently good speakers and interesting topics.  The conference price is unbeatable at $299, and it doesn’t hurt that it is being held at a great resort in my hometown  (Canyons Resort in Park City, Utah).  If you will be attending, make sure to get in touch so we can meet up!

  • PFIC 2011 Agenda
  • Harlan Carvey posted about his upcoming PFIC talk here.

Note: This post originally appeared on the SANS Forensics blog

As memory forensics has become better understood and more widely practiced, tools have proliferated.  More importantly, the capabilities of the tools have greatly improved.  Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner.  Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.  We are also seeing novel ways to attack the problem.  One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change.  The idea itself could be as controversial as creating a memory image was just a few years ago.  Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system?  Shouldn’t we still be pulling the plug?  What would they say if we now told them we were going to play “Find the Hacker” on that same live system?  Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal.  And the benefits are great:

  • Inclusion of the system pagefile, providing a more complete picture of memory
  • Digital signature checks of process and driver executables
  • More accurate heuristics matching
  • Faster triage capability

Keep in mind that live analysis occurs by accessing physical memory, and not relying upon API calls, open handles, or debuggers.  Thus it is just as effective at defeating advanced malware and rootkits as analyzing a standard memory image.  Convinced yet?  If so, here is how to perform a live memory analysis with the new free tool, Redline:

Continue Reading…