Monday, September 29, 2008

Updates - 29 Sept

Some new items have popped up on the IR radar over the past week or so...

CyberSpeak podcast with an interview of Kevin Mandia. Kevin talks about his experiences with volatile data collection and analysis in recent incident response engagements. Much of what Kevin described seeing...fewer attempts to obfuscate malcode, use of SQL injection, etc...seems to be pretty common in the commercial incident response space. Kevin also talks about MIR, and a free memory acquisition/analysis tool from Mandiant called FreeAgent. Yes, I'm going to be checking that out when I get the time (work keeps me tres busy...)

Christina updated the E-Evidence site recently. Check out the RCMP Incident Responder's guide and the shoot-out between live response and memory analysis...excellent stuff. Definitely well worth the read.

Brian Kaplan has finally been able to release his Key Extraction proof-of-concept tool, which he addresses in his Master's Thesis (good job, Brian!!). I won't do Brian any justice at all attempting to describe the tool, but in short, it highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from volatile memory to facilitate the analysis of encrypted media in a forensically sound manner. If you're using mdd.exe, win32dd.exe, or any other memory dumping tool, I would definitely include a copy of Brian's tool in your toolkit. (Note: Don't forget Jesse's blog post on BitLocker!)

There have been some updates to the Forensics Wiki recently involving browser forensics and network forensics. On the browser forensics side of things, Historian has been updated to include Google Chrome. The ForensicWiki is an excellent resource, and you should consider consulting and adding to it. As with any other resource, you should take the information available with a grain of salt, but to be honest, when I've needed to use it, it's been invaluable.

James McFarlane has updated the Win32::ParseRegistry module to version 0.40 and included a number of useful tools. James has kept regdump.pl and regfind.pl, and added regexport.pl (dump the Registry in RegEdit 5.0 format), regscan.pl, and regview.pl (GTK+-based Registry viewer). Thanks, James!

This wasn't so recent, but definitely worth mentioning...Moyix has been busy, and a bit ago posted on using Windows messages (from the message queue) as a resource in forensic analysis. He's got an excellent point...if you're using Volatility at all (or even thinking about using it), you should definitely take a look at his modules and be sure that you've got them added to your installation. There's no telling what artifacts you'll find lying around from the message queue.
