Based on some comments I received from folks who reviewed WFA 2/e, I am strongly considering writing a book on Windows Registry Forensic Analysis...and I'll probably use that as the title! ;-)
I'm working on a proposal now, and one of the things I'm doing is including those things from previous books that have been successful...in particular, writing style, use of demonstrations, short case studies, and generally trying to show how this information can be used to further an investigation. My goal is to be as thorough as possible, providing information on format and structure, how to monitor the Registry, and as much information as I can with respect to keys and values that are (or should be) of interest for examinations.
One of the issues I'm sure I'll run into is the same one I've run into with respect to WFA 2/e...there are folks out there who expect certain things to be in the book, but either (a) don't realize that I can't do everything without assistance, or (b) don't voice that expectation until after the book is published.
So, here's your chance...if you were shopping for a book on Registry Analysis, what would you be looking for with respect to content?
I've already received emails from folks who say that they're looking for information on P2P applications, without saying which ones. There's already information available on a lot of topics such as P2P artifacts, and I understand that part of the problem is that this information isn't all in one place...but the way to make things like this a real success is to get input from folks in the community. As was discussed at the Summit last week, there really hasn't been a great number of requests for plugins or anything over at the RegRipper site...
Saturday, July 11, 2009
SANS Forensic Summit
I spent all day last Tuesday in downtown DC attending the SANS Forensic Summit...it was totally awesome and well worth every second I was there.
First, a HUGE thank you to Rob Lee for setting the Summit up and inviting me and all of the other speakers, and an only slightly-smaller thank you to all of the folks who attended and made the Summit the success that it was!
Now on to the Summit itself...
Presentations
Richard
Richard Bejtlich gave the keynote address which was very entertaining. Richard is a dynamic and informative speaker, and has some very well thought-out and articulated views, and he's definitely someone worth listening to, even if you don't necessarily agree with everything he says. Unlike Ken Bradley, I don't work for Richard, so I can say anything I want! ;-) Seriously, though...Richard is truly one of the thought leaders in the industry, and definitely someone worth listening to.
Kris Harms
Kris had some great things to say as an incident responder for Mandiant. As a responder, for me, it's great to see other folks in the industry, listen to their presentations, and talk to them about what they're doing, and how they're addressing those problems that we all run into. Many times you'll pick up things that you didn't know, and other times you'll get validation regarding some of the things you're doing when you get a chance to see how others are addressing those same challenges. Kris and the Mandiant crew have a great deal of experience with APT, or advanced persistent threat, so if you get a chance to pick Kris's brain on the subject, do it.
Jamie and Peter
Jamie and Peter, both also from Mandiant, had some great things to talk about with respect to memory analysis, with a specific focus on malware detection. If you haven't really looked at it, you should definitely consider looking at Memoryze and AuditViewer.
Brendan
Brendan's presentation on analyzing Windows Registry hives extracted from a memory dump was a great piece of work! My (top)hat's off to Brendan on the work he's done to extend the work put into tools such as Volatility and RegRipper. Who knew you could grab a memory dump from XP and then, using open source tools, extract the password hashes, which you can then crack using your tool-of-choice?
Panels
The panels are a summit/conference format that Rob uses to great effect. I first encountered this sort of technique at Aaron's OMFW last year, and Rob has included it at the Summit. Several folks from a particular field (I was on the IR panel) each give short presentations, and then the floor is opened for questions which Rob filters so that things keep moving. This is a great way to do two things; first, to really push through some varying views in a short period of time, and second, to open up discussions that continue between individuals later, during breaks or even over email after the summit is over.
PodCast
Ovie and Bret were nice enough to invite me, as well as Rob Lee, Ken Bradley, and Jesse Kornblum to take part in the live recording of the CyberSpeak podcast, which was a LOT of fun...as I'm sure you'll be able to tell when you listen to it.
Hey, don't listen just to me...Chris and Matt have posted their impressions of the Summit, as well.
Tips
One of the things I picked up from Kris Harms's talk was a great tip on a means for doing differential analysis of volatile data. Most of us are familiar with the use of pslist to get process information, and how to analyze the information that we receive. I tend to combine that information with the output of tlist, as well as other tools (netstat, etc.) to develop an overall picture of what was happening on the system. What I picked up from Kris is that by grep()'ing through the output of handle.exe, you can look for "pid:", which provides you with yet another means of locating processes. The same technique can be used for malware detection, by looking for mutants/mutexes (mentioned by both Kris, and his cohort over at Mandiant, Peter Silberman) using something called the "least frequency of occurrence" (thanks, Peter!).
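To make the two tips above concrete, here is an added example (my own illustration, not code from the original post, from Kris, Peter, or Mandiant). It parses handle.exe-style output, pulls the process list out of the "pid:" lines, compares those PIDs against a pslist listing to find processes one tool reports and the other does not, and then ranks Mutant handles by how many distinct processes hold them, so the least frequent ones float to the top. Both the handle.exe and pslist listings below are constructed sample text, not captures from a real system; the process names, PIDs and mutant names in them are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the style of Sysinternals handle.exe output (not a real capture).
# Process header lines carry "pid:", which is the string the tip has you grep for.
HANDLE_OUTPUT = """\
------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\\SYSTEM
    4: Mutant         \\BaseNamedObjects\\ShimCacheMutex
------------------------------------------------------------------------------
explorer.exe pid: 1464 LAB\\analyst
   5C: Mutant         \\BaseNamedObjects\\ShimCacheMutex
   60: File  (RW-)   C:\\Documents and Settings\\analyst
------------------------------------------------------------------------------
svchost.exe pid: 1032 NT AUTHORITY\\SYSTEM
   2C: Mutant         \\BaseNamedObjects\\ShimCacheMutex
------------------------------------------------------------------------------
svchst.exe pid: 2216 LAB\\analyst
   1C: Mutant         \\BaseNamedObjects\\__constructed_example_mutex__
   20: File  (RW-)   C:\\WINDOWS\\system32\\svchst.exe
"""

# Constructed pslist-style listing; PID 2216 is deliberately absent from it.
PSLIST_OUTPUT = """\
Name         Pid  Pri Thd  Hnd
System          4   8  55  250
svchost.exe  1032   8  20  300
explorer.exe 1464   8  12  400
"""

# "<image> pid: <n> <owner>" header line; equivalent to grepping for "pid:".
PROC_RE = re.compile(r"^(?P<name>\S+)\s+pid:\s+(?P<pid>\d+)")
# "<hex handle>: <type> [(access)] <object name>"
HANDLE_RE = re.compile(r"^\s*[0-9A-Fa-f]+:\s+(?P<type>\w+)\s+(?:\([^)]*\)\s+)?(?P<name>.+?)\s*$")


def parse_handle_output(text):
    """Return {pid: {"name": image, "handles": [(type, object_name), ...]}}."""
    procs = {}
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = int(m.group("pid"))
            procs[current] = {"name": m.group("name"), "handles": []}
            continue
        if current is None:
            continue
        h = HANDLE_RE.match(line)
        if h:
            procs[current]["handles"].append((h.group("type"), h.group("name")))
    return procs


def pslist_pids(text):
    """Return {pid: image} from a pslist-style table (header row is skipped by the digit check)."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids


def processes_missing_from_pslist(handle_procs, pslist):
    """Differential check: PIDs that own handles but never showed up in pslist."""
    return sorted(pid for pid in handle_procs if pid not in pslist)


def mutant_frequency(handle_procs):
    """Count, per mutant name, how many distinct processes hold a handle to it."""
    counts = Counter()
    for info in handle_procs.values():
        counts.update({obj for typ, obj in info["handles"] if typ == "Mutant"})
    return counts


def least_frequent_mutants(handle_procs, max_count=1):
    """Least frequency of occurrence: mutants held by at most max_count processes, with owners."""
    counts = mutant_frequency(handle_procs)
    rare = {}
    for name, n in counts.items():
        if n <= max_count:
            rare[name] = sorted(pid for pid, info in handle_procs.items()
                                if ("Mutant", name) in info["handles"])
    return rare


if __name__ == "__main__":
    procs = parse_handle_output(HANDLE_OUTPUT)
    print("In handle.exe but not pslist:", processes_missing_from_pslist(procs, pslist_pids(PSLIST_OUTPUT)))
    print("Rare mutants:", least_frequent_mutants(procs))
```

The mutant step is only as good as the baseline: on a single host everything looks "rare" unless you widen max_count or run the same count across several systems, which is where the least-frequency-of-occurrence idea really pays off.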
User Account Analysis
Something I picked up on recently (albeit not directly at the SANS Summit) was how to determine if a password had been set on a system, when all you have is an image to analyze. Brendan has provided tools to use with Volatility to extract Registry hives from Windows XP memory dumps, and subsequently to extract hashes, but what if you only have an image of a system? Well, one of the user flags extracted by the RegRipper samparse plugin is "Password not required"...now, this does NOT mean that the account doesn't have a password.
What I got from someone at MS is as follows:
That specifies that the password-length and complexity policy settings do not apply to this user. If you do not set a password then you should be able to enable the account and logon with just the user account. If you set a password for the account, then you will need to provide that password at logon. Setting this flag on an existing account with a password does not allow you to logon to the account without the password.
Another thing you can do is extract the System and SAM hives and run them through SAMInside.
Where something like this won't work is when the system is accessed by domain users, as their user account information isn't stored in the local SAM hive file.
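As an added illustration of the flag in question (my own example, not part of the original post and not RegRipper's samparse code), the block below decodes the account-control word from a SAM user's F value and renders the set bits with the same text labels samparse prints. The ACB_* bit values are the documented SAM account-control flags; the offset of the flag word within the F value (56, 0x38) is an assumption stated in the code. The F value fed to it is constructed test data, not one pulled from a real hive.

```python
import struct

# Account-control bits stored in the SAM F value (the ACB_* flags), with the
# text labels samparse uses for each.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}
ACB_PWNOTREQ = 0x0004

# Assumption: the ACB word is a little-endian 16-bit value at offset 56 (0x38)
# of the F value, which is where samparse reads it from.
ACB_OFFSET = 56


def acb_flags_from_f_value(f_value: bytes) -> int:
    """Extract the raw ACB flag word from a user's F value."""
    if len(f_value) < ACB_OFFSET + 2:
        raise ValueError("F value too short to hold the ACB flags")
    return struct.unpack_from("<H", f_value, ACB_OFFSET)[0]


def describe_acb(flags: int) -> list:
    """Render the set bits as samparse-style labels, lowest bit first."""
    return [label for bit, label in ACB_FLAGS.items() if flags & bit]


def password_not_required(flags: int) -> bool:
    """True when ACB_PWNOTREQ is set. Per the MS explanation above, this only
    exempts the account from the length/complexity policy; it is not evidence
    that the account has no password, so hash extraction is still needed."""
    return bool(flags & ACB_PWNOTREQ)


def build_sample_f_value(flags: int, length: int = 80) -> bytes:
    """Constructed test data: a zero-filled F value with only the ACB word set."""
    buf = bytearray(length)
    struct.pack_into("<H", buf, ACB_OFFSET, flags)
    return bytes(buf)


if __name__ == "__main__":
    # Normal account, password not required, password never expires.
    sample = build_sample_f_value(0x0214)
    flags = acb_flags_from_f_value(sample)
    print(hex(flags), describe_acb(flags), "pw-not-required:", password_not_required(flags))
```

Treat the decoded "Password not required" bit as a lead, not a finding: the hash (or an empty hash) from the SAM and System hives is what actually answers whether a password was set.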
Friday, July 10, 2009
RipXP Released!
I've decided to release RipXP, which I've demo'd at both SANS Forensic Summits, as is. Go to the RegRipper site Downloads section, and you'll see it. Be sure to read the instructions in the zipped archive...
Monday, July 06, 2009
SANS Forensic Summit 2009
I'm really looking forward to getting to the SANS Forensic Summit tomorrow! This is a great place to meet, listen to some great presentations, and to chat with folks from various fields (LE, FTE, corporate consultant, etc.) in the industry. My hat's off to Rob Lee for pulling this fantastic event together!
Per the Summit agenda, I will be on the IR panel in the morning, and then giving my Registry Analysis presentation at 1pm, right after lunch. When I was teaching at TBS while I was on active duty in the USMC, we used to call this "the death hour", so I'm going to address this urge to nap after lunch with several live demos, as well as a surprise at the end of the presentation!
But that's not all! There's more! Check out who else is attending...Mandiant is well represented at the conference, and Chris Pogue will be there, as will Eoghan Casey. Chris and Eoghan are fellow Syngress authors, so be sure to swing by the Syngress table at the Summit, get a copy of their books, and then hunt them down to have them sign them for you!
There's a rumor that Troy Larson of Microsoft will be there as well...but I have to tell ya, while I've heard the guy's name and been told that he's been on conference calls, I've never actually seen the guy! As far as I know, Troy is the yeti of the forensics community! ;-) Hopefully, he'll turn up sometime before the live recording of Ovie and Bret's Cyberspeak podcast.
While I only plan to be at the Summit on the 7th, there are a LOT of great speakers and panelists who are going to be there, and this is definitely an event that anyone who can attend, should! Without question! Where else are you going to be able to have so many giants of the forensics community together in one place, from various areas (corporate, federal gov't, LE), and covering so many pertinent topics (memory analysis, courtroom preparation, etc.)?
And if you have a Captain Picard fetish and have a "thing" for bald men, this is THE place to be in DC! ;-)
Saturday, July 04, 2009
The Case of the Missing MFT Entry
A bit ago, I received an email from someone mentioning the following facts with respect to an examination they were doing:
- Malware was suspected as having been running at one point on a Windows XP SP2 system
- A Prefetch file was found that related directly to the malware
- AV logs indicated that the malware had been deleted
- An XP Restore Point included an INI specific to the malware
- Between the time that the malware had been deleted and the system imaged, 8 Restore Points were created
Given these facts, the question was...why does there appear to be no MFT entry for the malware file?
I responded with my answer...I want to know what YOU think.
Monday, June 22, 2009
Links
My interview with Lee Whitfield is up as Forensic4Cast episode 17. Lee asked some interesting questions, so be sure to listen to the entire podcast...we talk about some things at the end of the interview that you'd like to hear.
Chris Pogue, co-author of Unix and Linux Forensic Analysis, has started his own blog...check it out! Chris and I have worked together, and it's good to see him getting into the mix now and bringing his experience and knowledge to the blogosphere, including posting a review of WFA 2/e! Chris will also be at the SANS Forensic Summit, speaking on the IR panel. I'm sure if you asked him, he'd be more than happy to sign your copy of ULFA; by the way, Syngress will have a table at the Summit with their books available.
Hogfly posted on the Need for Speed, and I really think that this is something that cannot be said enough. While there is a need for speed in response, there's also a need to ensure that things are still done right and still done to a standard of accuracy and quality. Again, though...the need for speed in response is very real. In many cases, you'll have an issue of suspected data leakage or exposure, and acquiring a small number of systems and taking 2 months or more to provide an answer is simply unacceptable, as much or more so than providing the wrong answer too quickly. Processes and techniques need to be addressed, improved and implemented in such a manner as to answer the three most important questions:
1. Was the system compromised?
2. Did the system house or store "sensitive" data?
3. Did #1 lead to the exposure of #2?
Suffice it to say that a lot of what it takes to answer these questions rests squarely on the shoulders of the system owners themselves. There's only so much that can be done when the breach goes unnoticed (often, for weeks), and then the first reaction of the on-site staff is to shut the system down and take it off of the network.
Hogfly also posted his review of WFA 2/e...check it out. I like to see what practitioners have to say about the book (or any other resource, for that matter), because who better to have an opinion on something like that than someone who works in the business, right? Seriously. If you wanted to get someone's opinion on, say, the acceleration and handling of a sports car, who would you look to? Eddie, the introvert who reads car magazines (and other things) online, or Danica Patrick?
Wednesday, June 17, 2009
#1 on Amazon!
Tuesday, June 16, 2009
Buy F-Response, get a free copy of WFA 2/e!
Hey, no kidding! Check it out! Matt's offering a free (as in "beer") copy of WFA 2/e with each purchase or renewal of F-Response CE/EE. Got four consultants? Outfit each of them with a copy of F-Response EE, and they'll each get a copy of WFA 2/e. Sweet! Don't think so? Check out the reviews!