Monday, December 14, 2009

Link-idy link-idy

Tools
Claus (no, I'm not saying that Claus is a tool...) has posted a nice summary of some of the free tools posts from WindowsIR and added some really nice grep tools for the Windows platform. Using tools like this would greatly increase an analyst's capabilities with respect to some of the Analysis stuff I've mentioned recently. For instance, if you're interested in doing searches for PANs/CCNs, you can use BareGrep and consult the Regex reference for syntax in writing your regex; of course, additional checks will be necessary (in particular, the Luhn formula) to reduce false positives, but it's a start.

Memory
JL's got a new Misc Stuff post goin' on over on her blog. I'd picked up on the demise of support for mdd.exe from her blog post, as well as from Volatility (note the recommendation to use Matthieu Suiche's windd for your memory dumping needs). She also points out that MHL has some new and updated Volatility plugins, even one that incorporates YARA for scanning of malware!

Analysis
Speaking of malware analysis, Kristinn posted on PDF Malware Analysis over on the SANS Forensic Blog, as well. Add this information to Lenny's cheat sheet, and you can develop a pretty decent approach for determining the method by which a system was compromised or infected. This is often one of the most difficult aspects of analysis, and very often left to speculation in a report. Many times, the assumption is made that the initial infection/compromise vector was via web browser "drive-by" ("browse-by"??)...I say "assumption" because there is no specific data or analysis within the report which supports the statement. In most cases, the assumption is based on malware write-ups provided by AV vendors; this may be an initial indicator, but the analysis of identified files using techniques such as those identified by Kristinn and others, and listed in Lenny's cheat sheet, can provide definitive answers, and potentially even identify sources and additional issues.

Anti-Analysis
Remember the hoopla surrounding MS's COFEE being leaked? Well, check out DECAF. I wonder how this will affect other response toolkits and techniques that are similar to COFEE? Check out this post from the Praetorian Prefect blog on DECAF (thanks to Claus for the mention of the blog...).

2 comments:

Claus Valca said...

;-)

--Claus V.

Claus Valca said...

and RE: COFEE and DECAF.

I just found this gem on DECALF analysis (I'm sure the first of many) in my RSS list.

Regular or Decaf? Tool launched to combat COFEE -Praetorian Prefect blog.

Not only does it have a useful breakdown of how this verison works and what it does, where it calls home, but it also touches on some of the forensic impact angles (albiet lightly) as well.

Neat post...

Cheers.

--Claus V.