Thursday, November 03, 2011

Stuffy Updates

We had about 15 or so folks show up for last night's NoVA Forensics Meetup.  I gave a presentation on malware characteristics, and the slides are posted to the NoVA4n6Meetup Yahoo group, if you want to take a look.  Sorry about posting them the day of the meetup...I'm trying to get slides posted beforehand so that folks can get them and have them available.

One of the things I'd like to develop is interest in the meetup, and get more folks interested in showing up on a regular basis, because this really helps us develop a sense of community.  Now, one of the things I've heard from folks is that the location isn't good for them, and I understand that...not everyone can make it.  However, I do think that we likely have enough folks from the local area to come by on a regular basis, as well as folks who are willing to attend when they can.  The alternative to the location issue is that instead of saying that the drive is too far, start a meetup in your local area.  Seriously.  The idea is to develop a sense of community, which we don't get with "...I can't make it to the meetup because it's too far..."; starting a local meetup increases the community, rather than dividing it.

I've also received some comments regarding what folks are looking for with respect to content.  I like some of the ideas that have been brought up, such as having something a bit more interactive.  However, I'd also like to see more of a community approach to this...one person can't be expected to do everything; that's not "community".  I really think that there are some good ideas out there, and if we have more folks interested in attending the meetups and actually showing up, then we can get the folks who want to know more about something in the same room as others who know more about that subject and may be willing to give a presentation.

Next month (7 Dec), we're going to be blessed with a presentation on mobile forensics from Sam Brothers.  In order to bring more folks in, Cory Altheide suggested that we have a Google Plus (G+) hangout, so I'm going to look at bringing a laptop for that purpose, and also see about live tweeting during the presentation (and getting others to do so).

Finally, we confirmed that adult beverages are permitted at the ReverseSpace site, as long as everyone polices their containers.  There didn't seem to be any interest this month in meeting for a pre-meetup warm-up at a nearby pub, so maybe for next month's meetup, some folks would consider bringing something to share.  I know from experience what Sam likes, so maybe we can make the event just a bit more entertaining for everyone. 

A couple of things to think about regarding the future of the meetups and the NoVA forensics community.  First, I've talked to the ReverseSpace folks about the possibility of holding a mini forensics-con at their facility.

Second, what would be the interest in forensic challenges?  We could use online facilities and resources to post not only the challenges, but also the results, and folks could then get together to discuss tools and techniques used.  The great thing about having these available online is that folks who may not be able to make it to the meetups can also participate.

Finally, the last thing I wanted to bring up regarding the meetups is this...what are some thoughts folks have regarding available online resources for the meetups?  I set up the Yahoo group, and I post meetup reminders to that group, as well as the Win4n6 group, to my blog, LinkedIn acct, and Twitter.  After the Oct meetup, two LinkedIn groups were set up for the meetup.  Even so, I just saw a tweet today where someone said that they just found out about the meetups via my blog.  I'd like to hear some thoughts on how to get the word out, as well as get things posted (slide decks, challenges, reminders, announcements) and available in a way that folks will actually get the information.  What I don't want to do is have so many facilities that no one knows what to use or where to go.

Memory Analysis
Melissa's got another post up on the SketchyMoose blog regarding Using Volatility: Suspicious Process.  She's posted a couple of videos that she put together that are well worth watching.  You may need to turn up the volume a bit (I did)...if you want to view the videos in a larger window, check out the SketchyMoose channel on YouTube.

Something I like about Melissa's post is that she's included reference material at the end of the post, linking to further information on some of what she discussed in the videos.

While we're on the topic of memory analysis, Greg Hoglund posted to the Fast Horizon blog; his topic was Detecting APT Attackers in Memory with Digital DNA.  Yes, the post is vendor-specific, but it does provide some insight into what you can expect to see from these types of attackers.

Attack Vectors/Intel Gathering
When investigating an incident or issue, analysts are often asked to determine how the bad guy got in or how the infection occurred.  Greg's post (mentioned above) refers to a threat that often starts with a spear phishing attack, which is based on open source intelligence gathering.  The folks over at Open Source Research have posted on real-world pen-testing attack vectors, and believe me, it really is that easy.  Back in '98-'99 when I was doing this kind of work myself, we'd use open source intel collection (which is a fancy way of saying we used Lycos and DogPile...the pre-Google stuff...searches) to start collecting information.

I think that if folks really started to look around, they'd be pretty surprised at what's out there.  Starting at the company executive management site will give you some names to start with, and from there you can use that information and the company name itself to search for things like speaker bios, social networking profiles, etc.  As suggested in one of the comments to the post, you can also check for metadata in documents available via the corporate site (also consider checking P2P networks...you might be surprised at what you find...).

Documents aren't the only sources of information...keep in mind that images also contain metadata.
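As an added example (not part of the original post), here is a small pure-Python EXIF reader that pulls the ASCII tags an analyst usually cares about first (Make, Model, Software, DateTime) out of a JPEG's APP1 segment.  The JPEG bytes are constructed inline by build_sample_jpeg(), so the image, the vendor/model strings and the tag list are assumptions for the demo rather than data from any real file; the APP1/TIFF/IFD layout the parser walks is the standard one.  The same device-identifying fields are what you would look for when trying to tie a picture on a hard drive back to a phone.

```python
import struct

# EXIF/TIFF tag numbers for the ASCII fields we extract (subset chosen for the example).
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII_TYPE = 2  # TIFF field type 2 = NUL-terminated ASCII


def build_sample_jpeg():
    """Constructed sample: SOI + one APP1 (Exif) segment + EOI. Not a real photo."""
    tags = [(0x010F, b"Apple\x00"), (0x0110, b"iPhone 4\x00"), (0x0131, b"4.3.3\x00")]
    ifd_len = 2 + 12 * len(tags) + 4          # count + entries + next-IFD pointer
    data_off = 8 + ifd_len                     # string data sits right after IFD0
    entries, blob = b"", b""
    for tag, val in tags:
        # Each IFD entry: tag, type, count, value-or-offset (all > 4 bytes, so offsets here).
        entries += struct.pack(">HHII", tag, ASCII_TYPE, len(val), data_off + len(blob))
        blob += val
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)            # big-endian TIFF header, IFD0 at 8
            + struct.pack(">H", len(tags)) + entries + struct.pack(">I", 0) + blob)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def find_exif_tiff(data):
    """Walk JPEG marker segments and return the TIFF blob from the APP1 Exif segment, or None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or start-of-scan: no more metadata segments
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return seg[6:]
        pos += 2 + seglen
    return None


def parse_ifd0_ascii(tiff):
    """Read IFD0 and return the known ASCII tags as {name: value}; honours II/MM byte order."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        if typ != ASCII_TYPE:
            continue                            # rationals, shorts, sub-IFDs are out of scope here
        if n <= 4:
            val = raw[:n]                       # short values are stored inline in the entry
        else:
            voff = struct.unpack(endian + "I", raw)[0]
            val = tiff[voff:voff + n]
        out[EXIF_TAGS.get(tag, hex(tag))] = val.rstrip(b"\x00").decode("ascii", "replace")
    return out


def image_metadata(jpeg_bytes):
    """Convenience wrapper: {} when the file carries no Exif segment."""
    tiff = find_exif_tiff(jpeg_bytes)
    return parse_ifd0_ascii(tiff) if tiff else {}


if __name__ == "__main__":
    print(image_metadata(build_sample_jpeg()))   # e.g. {'Make': 'Apple', 'Model': 'iPhone 4', 'Software': '4.3.3'}
```

Real camera JPEGs also carry sub-IFDs (Exif, GPS) referenced by offset from IFD0; the parser above deliberately stops at IFD0's ASCII fields, but the same entry walk applies to those sub-IFDs once you follow the 0x8769/0x8825 pointers.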

Intel Collection During Analysis
Funny how writing this post is progressing...one section of the post leads to another.  As I mentioned, during analysis we're often asked to determine how a system became compromised in the first place..."how did it happen?", where "it" is often a malware infection or someone having obtained unauthorized access to the system.  However, there are often times when it is important to gather intelligence during analysis, such as determining the user's movements and activities.  One way of doing this is to see which WAPs the system (if it's a laptop) had connected to...another way to determine a user's movements is through smart phone backups.  I recently posted some tools to the FOSS page for this blog that might help with that.

In addition, you can use Registry analysis to determine if a smart phone had been connected to the system, even if a management (iPhone and iTunes, BB and the BB Desktop Manager) application hadn't been used.  From there you may find pictures or videos that are named based on the convention used by that device, and still contain metadata that points to such a device.  In cases such as this, the "intelligence" may be that the individual had access to a device that had not been confiscated or collected during the execution of a search warrant. 

I recently commented on Mandiant's OpenIOC site, and what's available there.  One of the things that they're sharing via this site is example IOCs, such as this one.  One of the things that I like about this is that the author of the IOC added some excellent comments that give insight into what they found.  I know a lot of folks out there in the DFIR community like that sort of thing...they like to see what other analysts saw, how they found it, tools and techniques used, etc.  So this is a great resource for that sort of thing.

The IOCs are also clear enough that I can write a plugin for my forensic scanner that looks for the same thing.  The scanner is intended for acquired images and systems accessed via F-Response, and doesn't require visibility into memory.  However, the IOCs listed at the OpenIOC site have enough disk-based information in them (file system, Registry, etc.) that it's fairly easy to create a plugin to look for those same items.
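To make the "disk-based IOC as a scanner plugin" idea concrete, here is an added example (my own code, not the forensic scanner's, and not an IOC from the OpenIOC site).  It parses an OpenIOC 1.0 document with the standard Indicator/IndicatorItem/Context/Content structure and evaluates the AND/OR tree against a snapshot of disk artifacts (file names/paths, Registry paths).  The IOC XML, the file names, the Registry paths and the dict-of-lists snapshot layout are all constructed for the demo.  The point worth noticing is the third value: a term whose Context is a memory-only document (ProcessItem here) cannot be evaluated from an image, so it is reported as skipped and the verdict becomes "inconclusive" rather than a false "no match".

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
DISK_DOCUMENTS = {"FileItem", "RegistryItem"}   # contexts a disk-only scanner can answer

# Constructed sample IOC; the names and ids are invented for this example.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2011-11-03T00:00:00">
  <short_description>Constructed sample: dropper on disk and a Run key</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <Indicator operator="AND" id="inner">
        <IndicatorItem id="a" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchosts.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="b" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\Run</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="c" condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">svchosts.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed disk snapshot, keyed by OpenIOC document name; each artifact maps
# "Document/Field" search terms to values, as a scanner plugin would populate them.
INFECTED_SNAPSHOT = {
    "FileItem": [
        {"FileItem/FileName": "svchosts.exe", "FileItem/FullPath": r"C:\Windows\Temp\svchosts.exe"},
        {"FileItem/FileName": "notepad.exe", "FileItem/FullPath": r"C:\Windows\System32\notepad.exe"},
    ],
    "RegistryItem": [
        {"RegistryItem/Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
         "RegistryItem/Text": r"C:\Windows\Temp\svchosts.exe"},
    ],
}
CLEAN_SNAPSHOT = {
    "FileItem": [{"FileItem/FileName": "notepad.exe", "FileItem/FullPath": r"C:\Windows\System32\notepad.exe"}],
    "RegistryItem": [],
}


def match_term(condition, needle, haystack):
    """OpenIOC 1.0 'is' / 'contains'; Windows names are case-insensitive, so compare folded."""
    n, h = needle.lower(), haystack.lower()
    if condition == "is":
        return n == h
    if condition == "contains":
        return n in h
    raise ValueError("unsupported condition %r" % condition)


def eval_item(item, snapshot, skipped):
    """True/False if the term can be checked on disk; None if it needs memory (assumption: any
    artifact of that document matching the term satisfies it, i.e. host-wide evaluation)."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    doc, search = ctx.get("document"), ctx.get("search")
    if doc not in DISK_DOCUMENTS:
        skipped.append(search)
        return None
    needle = content.text or ""
    return any(match_term(item.get("condition"), needle, art.get(search, ""))
               for art in snapshot.get(doc, []))


def eval_indicator(ind, snapshot, skipped):
    """Three-valued AND/OR over children: None propagates only when it could change the answer."""
    results = []
    for child in ind:
        local = child.tag.split("}")[-1]
        if local == "Indicator":
            results.append(eval_indicator(child, snapshot, skipped))
        elif local == "IndicatorItem":
            results.append(eval_item(child, snapshot, skipped))
    op = ind.get("operator", "AND").upper()
    if op == "AND":
        if any(r is False for r in results):
            return False
        return None if any(r is None for r in results) else True
    if op == "OR":
        if any(r is True for r in results):
            return True
        return None if any(r is None for r in results) else False
    raise ValueError("unknown operator %r" % op)


def scan(ioc_xml, snapshot):
    """Return (verdict, skipped_terms): verdict is True, False, or None for inconclusive."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    skipped = []
    return eval_indicator(top, snapshot, skipped), skipped


if __name__ == "__main__":
    print(scan(SAMPLE_IOC, INFECTED_SNAPSHOT))   # (True, ['ProcessItem/name'])
    print(scan(SAMPLE_IOC, CLEAN_SNAPSHOT))      # (None, ['ProcessItem/name'])
```

Treating each IndicatorItem as "any artifact in that document matches" is a simplification: a real scanner would usually want the AND of two FileItem terms to hold for the same file, which means carrying the matching artifact set up the tree rather than a bare boolean.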


Unknown said...

Have you considered doing a UStream event, rather than a Google+ hangout? I thought Google+ was limited to 10 people per hangout. If you did UStream you'd be open to a wider audience, and you could tweet from within the UStream page.

H. Carvey said...


No, I hadn't considered that. I'll have to see how well that works with a webcam and having to move the camera around...but that might work. That's assuming, of course, that we'd need more than 10 connections... ;-)

Chad Tilbury said...

I love the idea of including the ability to import OpenIOC signatures into your Forensic Scanner. The consistency of the XML tags (e.g. "FileItem/Filename" and "RegistryItem/Path") in OpenIOC should allow the ability to import virtually any set of IOCs once the import framework is developed. +1 for this feature!