Tuesday, August 02, 2011

Updates and Links

Meetup
Just a reminder to everyone who wasn't able to make it to any of the big conferences going on in New Orleans or Las Vegas this week (or if you returned in time)...the NoVA Forensics Meetup for Aug 2011 will be Wed, 3 Aug, starting at 7pm. 

Be sure to check out the NoVA Forensics Meetup page to see what's going on.

Remember, anyone can come, and you don't need to be part of a group or anything.  There are no fees or anything like that.

All Things Open Source
Sergio Hernando posted some Perl code for performing Chrome forensics, specifically processing the history file via Perl.  For me, it's not so much that Sergio wrote this in Perl, because I can follow instructions and get Python or whatever else installed...no, what I like about this is that not only did Sergio take the time to explain what he was doing, but he shows it through an open-source mechanism.

I really like solutions to DFIR problems that use free or open-source tools, because in most cases, they also don't add so many layers of abstraction that ultimately, all you really know that went on was, "I pushed a button."  Solutions such as what Sergio has provided give us more than just that abstract view into what was done...in this case, it's more along the lines of "...I accessed this SQLite database because it contained this information, and this is what was found/determined, in the context of this other data over here...".

The script can be found at Sergio's Google Code site.

Also, be sure to take a look at Sergio's blog post on using Perl to parse the Firefox Download Manager database.

Techniques
For those of you who weren't able to make it to any of the conferences going about this time of the year (OMFW/DFRWS, BlackHat, etc.), looking out across the landscape of presentations, there were definitely some very interesting topics and titles.  While actually being at the conference affords you the opportunity to experience the flavor of the moment, and to mingle with others in the community, many of the conferences do provide copies of the presentations after the conference, and there's always supporting information available from additional sources.

For example, take this presentation on document exploitation attacks...this sounds like a very interesting presentation.  However, there's also some other information available, as well...for example, take a look at this post from the Cisco Security blog; I found this to be a very interesting open-source solution for extracting EXEs from (in this case, MS Word) documents.  Let's also not forget the Didier Stevens has done considerable work on detecting and extracting suspicious elements from PDF documents.

RegRipper
Speaking of open source and techniques, Corey Harrell put together a great post on how he uses RegRipper to gather information about the operating system he's analyzing.  This is a great use of the tool, and another great example of how an analyst can use the tools that are available to get the job done.

Volatility
For those of you who many not have known, the Open Memory Forensic Workshop (OMFW) was held recently, just prior to DFRWS in New Orleans.  Perhaps one of the most exciting things to come out of the conference (for those of us who couldn't attend) is Volatility 2.0! If you notice, under Downloads, there's a standalone Win32 executable available.

Volatility is one of the best of the open source projects out there.  Not only is the framework absolutely amazing, providing the capability to analyze Windows physical memory in ways that aren't available anywhere else, but it's also a shining example of how a small community of dedicated folks can come together and make this into the project that it is.  If you have any questions at all, start by checking out the Wiki, and if you do use this framework, consider contributing back to the project.

3 comments:

Daniel said...

I'm kind of new in the area but I'm trying to make it to more infosec meetups. What's the topic for the NoVA Forensics Meetup tomorrow?

H. Carvey said...

http://windowsir.blogspot.com/2011/07/updates.html

Daniel said...

looks great, thanks!