Thursday, July 28, 2011

WFA 3/e

I've mentioned a couple of times, in this blog as well as in a couple of lists, that I'm working on completing Windows Forensic Analysis 3/e, and I thought it would be a good time to give a little bit of information regarding the book. 

First off, while the title includes "third edition", this edition is not one where if you purchased the second edition, you're out of luck.  Rather, the third edition is a companion book to the second edition, so you'll want to have both of them on your shelf (or Kindle).  Where a great deal of 2/e was focused on Windows XP, in 3/e I'm focusing primarily on Windows 7.

The third edition has 8 chapters, as follows:

1. Analysis Concepts - Seeing comments from those who've read DFwOST thus far, and seeing the mileage that Chris Pogue is getting from his Sniper Forensics presentations, it appears that there are a lot of analysts out there who like to hear about the concepts that drive analysis.  It's one thing to say to do timeline analysis and talk about how, but I think that it's something else entirely to discuss why we do timeline analysis, as that's the difference between an analyst who creates a timeline, and one who has a reason, justification and analysis goal for creating a timeline.

2.  Live Response - With this chapter, I wanted to take something of a different approach; rather than writing yet another chapter that gives consultants hints on doing IR, I wanted to provide some thoughts as to how organizations can better prepare for those inevitable DFIR activities.  If 2011 thus far hasn't been enough of an example, maybe it's worth saying again...it's not a matter of if your organization will face a compromise, but when.  I would take that a step further and suggest that if you don't have visibility into your systems and infrastructure, you may have already been compromised.  As a consultant, the biggest issue I've seen during IR is the level of preparedness...there's a huge difference between companies that accept that incidents will occur and take steps to prepare, and those who have "not me" culture/attitude; the latter usually ends up paying out much more, in terms of fees, fines, and court costs.  This is something consultants talk about with their customers, but it's a whole new world when you actually see it in action.

3.  Volume Shadow Copies - This chapter is somewhat self-explanatory.  I was doing some research that involved accessing VSCs, and found pretty much the only way to do what I wanted to do required significant resources (ie, $$).  What I did with this chapter is show how VSCs can be accessed within an acquired image without using expensive solutions, as well as provide some insight into how accessing the VSCs can really provide some very valuable information to an analyst.

4.  File Analysis - This chapter is very similar to the corresponding chapter in WFA 2/e, but focuses on some of the files you're likely to see on Windows 7 systems.  I also reference some of the files that you'll find on Windows XP systems, but are different on Windows 7 systems (ie, format, content).  I cover Jump Lists in this chapter, and not just the LNK-like streams, but also the DestList streams (which appear to be some sort of MRU listing for shortcuts).

5.  Registry Analysis - I know, a lot's been said about Registry analysis, particularly in WRF, but this time, instead of doing a break down of what can be found in the Registry, on a hive-by-hive basis, I'm taking more of a solutions-based approach. For example, I see a LOT of folks in the forums and lists who don't understand the role that the USBStor subkeys play in USB device analysis, so what I've done is take the more common analysis processes (that I see, based on questions asked in lists...) and I'm trying to provide solutions across all hives.

One of the things I face with writing chapters such as this one is that folks will say things like, "I want to know about blah...", and very often, there's already information out there on the subject.  One great example is the Registry ShellBags...Chad Tilbury recently posted on this topic to the SANS Forensic Blog, so given that, I have wonder, "what do you want to know?" and "how much are you willing to support the effort to present/share that topic?"  Now, by "support", I mean through such efforts as providing example hives, or just taking a few minutes to elaborate on your thoughts or questions.

6. Malware Detection - I have had a good number of "here's a hard drive that we think is infected with malware..." exams, and given that there are a number of folks out there who likely get similar cases (LE gets CP cases that evolve into the "Trojan Defense", etc.) I wanted to put together a good resource to help address this issue.  This is not a malware analysis chapter...MHL et al did a fantastic job with this topic in the Malware Analyst's Cookbook, and I'm not about to try to parrot what they've done.  Instead, this chapter addresses the topic of detecting malware within in acquired image, and I even provide a checklist of steps you can use.

Note: Many of the tools mentioned in the book are available online, and those items that are not specifically available now (the malware detection checklist, etc.) will be provided online, as well.  I really don't like the idea of providing a DVD with the book, because there are simply too many issues with getting the materials to people who purchase only the ebook, or leave their DVD at home when they go to work...

7.  Timeline Analysis - In this chapter, I not only present how to create a timeline, but I also discuss the concepts behind why we'd want to create a timeline, as well as some of the uses of timelines folks may not be too familiar with.  I presented these concepts and use case scenarios during a course I taught recently, and they seemed to have been very well received.

8.  Application Analysis - Another class of question I see a lot of in the lists has to do with application artifacts; when you think about it, there isn't too terribly much difference between some classes of dynamic malware analysis, and what you'd do to analyze an application for artifacts.

Now, there are some things that I don't cover in the book, in part because they're covered or addressed through other media or resources.  One example is memory analysis...there are a number of resources already available that cover how to capture physical memory, as well as perform analysis of a Windows memory dump, using the freely available tools. 

I wanted to provide something of a preview, because I do get a lot of those, "...does it cover...??" questions, most often from people at conferences, who are holding a copy of the book while they're asking the question.  The simple fact is that no book can cover everything, and it's especially difficult when analysts don't communicate their needs or desires beforehand.  I've done the best I can to collect up those sorts of things from lists, forums, as well as people I've talked to at conferences...but I know that the question is still going to come up, even after the book is printed.

One thing I would like to add is that, as with my other books, the focus is almost exclusively on free and open source tools to get the job done.  Like I said earlier, many of the tools are already available online, and those other items I've developed and mentioned in the book will be posted to the web when the book goes final.

From the lists and forums, I see a lot of questions regarding Windows 7, specifically, "What has changed from Windows XP?"  Truthfully, this is the WRONG question to ask, albeit a popular one.  But if you really want to know, from an analyst perspective, WFA 3/e goes final (manuscript submitted) in October, so it should be available around the beginning of 2012.

HTH

11 comments:

Bill said...

I appreciate the Concept to Practice approach. Many years ago, too many, when an ROTC cadet in college, they taught us the concepts of war, battlefield operations, tactics and strategies before we started playing war games. I think that "concept" level is missing for some and we jump right into the WHAT can I find, not why should I find it and why it should even be there (and where "there" is). Can't wait to add it to my working library.

Keydet89 said...

Bill,

I have to agree. Many times, I see or hear of analysts doing something, performing some particular analysis technique, and there is apparently no reason or justification for doing so...not even, "..it's part of our documented procedure."

When working with other analysts, I like to ask (and be asked), "Why would you do that?" This isn't a question meant to second guess what's being done, but to instead understand the rationale and base assumptions behind that particular action or technique.

Without this understanding, there's too much missed. If you don't have a reason for doing something, how do you interpret the results, and perhaps more importantly, how do you determine when something is missing?

A great example of this is that when XP came out, a default installation had 5 instances of svchost.exe running...how would you determine which one was suspicious?

Anonymous said...

I'd like to see a chapter on memory analysis that explains how memory works, how attackers take advantage of the way it works, and how to detect that with something like volatility.

Either way, this book sounds great so far.

Keydet89 said...

Anonymous,

Now, there are some things that I don't cover in the book, in part because they're covered or addressed through other media or resources. One example is memory analysis...there are a number of resources already available that cover how to capture physical memory, as well as perform analysis of a Windows memory dump, using the freely available tools.

Anonymous said...

Harlan,

Yes, I already read that. From what you've said about this book so far, there is already information out there about Volume Shadow Copy analysis, timeline analysis, etc. It sounds like you're consolidating that information, and I'm sure adding something new. I just think the same could be done with memory analysis...

Keydet89 said...

Anonymous,

It sounds like you're consolidating that information..

Like you said, it's so much more than that, and it's more than just adding something new.

Corey Harrell said...

I like the approach of discussing the thought process behind performing an analysis. I think explaining the why certain things are done makes it easier for analysts to put the tool/technique into context of their investigation.

Will the registry keys for certain Windows 7 features be discussed? By this I mean will the registry keys that impact bitlocker (and bitlocker to go), jumplists, volume shadow copies, virtual hard drive support, etc be explained in the book. I'm aware of a few keys (such as for VSCs) but would be interested if there are other keys that affect the behavior of these features or provide a MRU.

Anyway, thanks for the glimpse into the book and I'm looking forward to reading it.

Keydet89 said...

Corey,

Will the registry keys for certain Windows 7 features be discussed?

I'm not sure what you're referring to specifically, so I'm not sure how I can answer that question.

Let me ask you this...what keys are you referring to, and what are specifically interested in being discussed?

It may be that the topic you're interested in has been addressed...

Corey harrell said...

I'm not even sure if the registry keys do exist so I'm asking about something that is unknown to me. As it relates to functionality, vscs have keys to determine what goes into the shadow copy. I'm curious if any keys affect the behavior of jump lists.

I'm also wondering if there are any registry keys that show usage of the feature being used. If a user mounts a VHS or uses bit locker (or bit locker to go) then is this reflected somewhere in the registry.

Not sure if this clarifies what I'm asking about.

Corey harrell said...

I'm not even sure if the registry keys do exist so I'm asking about something that is unknown to me. As it relates to functionality, vscs have keys to determine what goes into the shadow copy. I'm curious if any keys affect the behavior of jump lists.

I'm also wondering if there are any registry keys that show usage of the feature being used. If a user mounts a VHS or uses bit locker (or bit locker to go) then is this reflected somewhere in the registry.

Not sure if this clarifies what I'm asking about.

Jimmy_Weg said...

I think that the timeline presentation was amomng the most valuable segments of the SANS 508 course. That said, it may be a little paradoxical to note that I haven't used it (yet!) in the format that was presented (SIFT Workstation, etc.) However, I have been able to more keenly identify those areas where tempooral data is most relevant to my case. I think that's the key: focus on what you need and know where to find the information. I also find that time stamps show up almost out of the blue in some cases. For instance, as some of the P2P experts have documented, there's a timestamp in a properties that evidences when a file was downloaded. How handy can that be when the file (links, MRUs, etc.) and virtually all of its metadata are gone!

Speaking of shadows, I'm finding as many as 35 shadow volumes on systems with larger (~500GB) drives. When I can target my exam, I've found it handy to use the old VM and review Previous Versions of the system volume. If you can narrow your focus, it goes rather quickly, or at least more quickly that imaging 35 volumes :-).