Tuesday, March 31, 2009

Some WAY Cool Stuff

First...you've GOT to see this. Tell me that the main character doesn't look surprisingly like Marcus Ranum.

Second, a huge shout out to JT for her work on regslack.pl, which is available in the Downloads section of RegRipper.net. I was running a search across an image recently for some important data, and surprisingly, I got several hits in Registry hive files; specifically, the Software hive, a couple of NTUSER.DAT files, and even in some UsrClass.dat files. This was odd, so I opened up a couple of the hive files in UltraEdit to view the guts of the hive files and didn't see any key or value structure information anywhere near the entries. To be sure, I ran JT's regslack.pl against the hive files...I had done so previously to check some of the hive files for deleted keys...and was able to verify that the sensitive data was, in fact, part of the unallocated space within the hive file and NOT part of any Registry structures. If you've ever found hits for your keywords within Registry hive files, you'll know that having this kind of definitive information can make a HUGE difference!
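The distinction regslack.pl draws, between a hit that sits inside a live Registry cell and one that sits in free space within the hive, can be checked directly from the hive's cell structure: every cell in an hbin starts with a 32-bit size field that is negative when the cell is allocated and positive when it is free. The Python below is an added example written for this post, not regslack.pl or any code from RegRipper.net. The hive it parses is constructed inline (a regf header followed by one hbin holding two allocated cells and one free cell), and the keyword SECRET-TOKEN is a made-up search term standing in for whatever you were searching for.

```python
"""Classify keyword hits in a Windows Registry hive as allocated or free space.

Hive layout used here (standard regf format):
  0x0000  "regf" file header, 4096 bytes; DWORD at 0x28 = size of all hbins
  0x1000  first "hbin"; DWORD at +0x08 = hbin size; cells start at +0x20
  cell    int32 size (negative = allocated, positive = free), then data
"""
import struct

HEADER_SIZE = 0x1000
HBIN_HEADER_SIZE = 0x20


def walk_cells(hive):
    """Yield (absolute_offset, cell_size, allocated) for every cell in every hbin."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    bins_size = struct.unpack_from("<I", hive, 0x28)[0]
    pos = HEADER_SIZE
    end = min(len(hive), HEADER_SIZE + bins_size)
    while pos + HBIN_HEADER_SIZE <= end and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if hbin_size == 0:
            break
        hbin_end = pos + hbin_size
        cell = pos + HBIN_HEADER_SIZE
        while cell + 4 <= hbin_end:
            raw = struct.unpack_from("<i", hive, cell)[0]
            size = abs(raw)
            if raw == 0 or cell + size > hbin_end:
                break  # corrupt or zero-filled remainder; stop walking this hbin
            yield cell, size, raw < 0
            cell += size
        pos = hbin_end


def classify_offset(cells, offset):
    """Return 'allocated', 'free', or 'outside' (header or hbin header) for a file offset."""
    for start, size, allocated in cells:
        if start <= offset < start + size:
            return "allocated" if allocated else "free"
    return "outside"


def find_hits(hive, keyword):
    """Locate every occurrence of keyword and say what kind of space it lies in."""
    cells = list(walk_cells(hive))
    hits, start = [], 0
    while True:
        i = hive.find(keyword, start)
        if i < 0:
            return hits
        hits.append((i, classify_offset(cells, i)))
        start = i + 1


def free_cell_strings(hive, min_len=8):
    """Pull printable ASCII runs out of free cells only, the way slack carving does."""
    out = []
    for start, size, allocated in walk_cells(hive):
        if allocated:
            continue
        run = bytearray()
        for b in hive[start + 4:start + size]:
            if 0x20 <= b < 0x7F:
                run.append(b)
            else:
                if len(run) >= min_len:
                    out.append(run.decode("ascii"))
                run = bytearray()
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
    return out


def _add_cell(buf, pos, data, allocated):
    """Write one cell at pos (size rounded up to 8 bytes) and return the next cell offset."""
    size = 4 + len(data)
    size += (-size) % 8
    struct.pack_into("<i", buf, pos, -size if allocated else size)
    buf[pos + 4:pos + 4 + len(data)] = data
    return pos + size


def build_sample_hive():
    """Constructed sample: regf header + one 4 KiB hbin with 2 allocated cells, 1 free cell."""
    header = bytearray(HEADER_SIZE)
    header[0:4] = b"regf"
    struct.pack_into("<I", header, 0x24, HBIN_HEADER_SIZE)  # root cell offset (hbin-relative)
    struct.pack_into("<I", header, 0x28, 0x1000)            # total hbin data size
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 4, 0)       # this hbin's offset relative to the first hbin
    struct.pack_into("<I", hbin, 8, 0x1000)  # this hbin's size
    pos = HBIN_HEADER_SIZE
    pos = _add_cell(hbin, pos, b"nk\x20\x00" + b"\x00" * 72 + b"ROOT", True)        # live key
    pos = _add_cell(hbin, pos, b"vk" + b"\x00" * 18 + b"SECRET-TOKEN=live", True)   # live value
    remainder = len(hbin) - pos                                                      # free cell
    struct.pack_into("<i", hbin, pos, remainder)  # positive size = free
    tail = b"\x00" * 24 + b"SECRET-TOKEN=deleted"  # remnant of a deleted value
    hbin[pos + 4:pos + 4 + len(tail)] = tail
    return bytes(header + hbin)


if __name__ == "__main__":
    hive = build_sample_hive()
    for offset, kind in find_hits(hive, b"SECRET-TOKEN"):
        print(f"hit at 0x{offset:x}: {kind}")
    print("strings carved from free cells:", free_cell_strings(hive))
```

Against a real hive the same walk gives you, for each keyword hit, whether the surrounding cell is in use or free, which is the definitive answer to "is this data still part of the Registry?" The walker stops at the first zero-length or out-of-range cell in an hbin rather than guessing, so damaged hives produce an "outside" classification instead of a false "allocated".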

Rich over at HBGary showed me a neat trick for tracking down data in memory dumps. In this same engagement, I had collected a memory dump from a Windows 2003 system using Fast Dump Pro, and had used some of the same tools I use to search images for sensitive data on the memory dump...and found stuff. Well, the next step was to nail this down to a specific process. Unfortunately, within Responder Field Edition, you can export the executable image for the process but not the memory pages it uses. That's where Rich came to the rescue...he told me to right-click on the imported memory snapshot, choose View Binary from the context menu, and after the binary contents of the memory dump appeared in the right-hand view pane, click on the binoculars in the menu bar above the memory dump and enter my search terms. I did this, and based on the output, was able to determine that the data I was searching for was not associated with a specific process. Interestingly, the strings associated with the process itself had not contained the information I was looking for (based on my search terms), and that served to corroborate my findings. Thanks to Rich for his helping hand in showing me how to wring just a little bit more out of Responder!

4 comments:

Anonymous said...

That 'Captain Forensics' comic is pretty cool. I found your site and that site here: http://twitter.com/RobertDeBord/status/1432424191

Looks like you've got some interesting and useful stuff on here too, though most of it seems far above my head :)

Robert DeBord said...

Thanks for the link to Captain Forensics! I put the site together and our guy Mike draws the comics, and unfortunately neither of us knew of Marcus until seeing your reference to him. Now that we've seen his picture (and he really does resemble Peter Mason) maybe we'll give Marcus a cameo as Peter's long-lost brother or something...

Thanks again for linking to us. You might want to take a look at our blog also. While it's not nearly as detailed as yours, it's geared more for attorneys and people who aren't quite as techy.

Keydet89 said...

Robert,

Cool blog...I wish I'd known about Captain Forensics while I was writing WFA 2/e! I checked out Marcus's site again...he used to have an anime version of himself as a graphic on the page...we all need an anime avatar, I guess! Anyway, that's where I first saw the likeness.

I had looked at your blog before, and was particularly interested in the cyberbullying stuff. I also read recently where a 14-year-old girl was arrested on charges of CP for posting nude pictures of herself on MySpace...she said so that her boyfriend could see them. People simply do not realize how pervasive technology is in their lives, and that stuff truly isn't gone when they hit the delete key.

Robert DeBord said...

You're absolutely correct, most people just don't know that when they hit delete, it's not gone. And, unfortunately, most kids don't realize how serious the cyber-bullying and 'sexting' can be, as they probably view it as harmless fun.

Our last Captain Forensics comic in the cyber-bullying series went up this afternoon. You can take a look here.

I was thinking about featuring Windows Incident Response in a future episode of Captain Forensics. When you get a minute, shoot me an email and let me know whether you'd be ok with that.

rmd at njlc.net