Monday, November 09, 2009

More Linky Goodness, plus

I attended one day of the NetWitness User Conference last week, and ran into Richard Bejtlich there. Richard posted some of his thoughts on the keynote address that day. Hey, can you pick out in the picture which one is Richard? ;-)

As a side note, I'll be presenting at the WFO-ECTF meeting later this month, on Registry and timeline analysis.

Check out Claus's blog post on spilled COFEE. Claus also has an very good post full of links to useful tools...I know this is kind of circular, me linking to Claus's set of links (in this post by Claus, they come back to this blog...), but Claus's set is comprehensive enough, why bother retyping all that? Claus has always had some excellent links to portable apps, particularly AV tools that can make IR a bit easier, and in his most recent blog points out some remote desktop tools that IT admins may find useful, as well as Wireshark for Windows 7!

Brett and Ovie have got a couple of new CyberSpeak podcasts up...the 7 Nov podcast not only has a news story where a system infected with a keystroke logger led to the conviction of the suspect, but there's also an interview with Matt Shannon of F-Response.

Speaking of Matt, you have GOT to check out his latest press release about TACTICAL and the CyberSpeak podcast! Regarding TACTICAL, this is what Matt has about it on his site:

F-Response TACTICAL is the newest F-Response software product. TACTICAL has been uniquely designed to streamline live analysis, collection, and authentication. TACTICAL is built around the best of the F-Response Field Kit and Consultant edition, it was designed from the bottom up to be easier to use, faster, smaller, and more efficient.

TACTICAL uses a unique dual dongle/storage device solution that allows an investigator to bring their favorite tools to bear on Windows, Apple, and Linux targets.

This sounds very cool! Check out Matt's excellent CyberSpeak interview for more information! I cannot wait to see TACTICAL in action...

The 1 Nov CyberSpeak podcast has an interesting discussion on data breach notification...check it out.

Hey, anyone remember Clippy? If you do, check out the version of Clippy for VIM...

I ran into an interesting issue recently that I thought I'd bring up here. I've been doing some analysis, and as part of that analysis, I've been using regslack to get deleted keys and unallocated space from Registry hive files. When I find a deleted key, there's a LastWrite time associated with it, but sometimes I see Registry keys in the unallocated space of the hive files. What this means is that the key found in unallocated space no longer meets the conditions for or definition of a "deleted key" (more on that later). However, in the hex found in unallocated space, I can clearly see the FILETIME data for the key's LastWrite time, and that's something I might like to translate into something usable. So let's say I see the FILETIME data:

be 31 72 dc d4 94 c9 01

Using Perl, I can run that through a conversion routine and get something a bit more usable:

Sun Feb 22 10:03:50 2009

Pretty simple. Pretty cool.

Speaking of FILETIME objects, its a brave new forensics world, folks! Windows Registry keys have FILETIME LastWrite times, and some values contain FILETIME "objects" within their binary data. Others contain *nix epoch (32-bit) timestamps. Still others contain 128-bit representations of date/time stamps - this format is also found in Scheduled Task .job files. I was parsing some Symantec AV logs recently, and it turns out that they have their own format for date/time stamps! Interesting stuff...and there's SO much more!

No comments: