Friday, January 20, 2012


DFIROnline Meetup
If you're interested purely in numbers, last night's DFIROnline meetup had, at one point, 97 attendees.  It might've helped that my presentation was addressing malware, and we ended up continuing Cory Altheide's drinking game from last year's OSDFC...every time I mispronounced the word as "mall wear", everyone had to take a drink.  I have to go back and review the tape, but my presentation may have ended up being more like a Ron White concert.  ;-)

My previous blog post includes a link to the slides I used, as well as the malware detection checklist that I mentioned in my presentation. 

There's an excellent write-up at the Digital Forensic Source blog regarding last night's meetup, if you're interested, and you can also search for the "#DFIROnline" hash tag on Twitter to see what comments folks made during the meetup.  I have to say, however, that most of the comments were made online, in chat window 3...

Again, a huge thanks to Mike for setting these up and making the resources available, and thanks to everyone who takes the time out of their evening (or day, depending on where you are) to attend and engage. 

Malware IOCs - Ramnit
Here's an excellent walk-through of creating an IOC for the Ramnit malware.  If you're interested in the OpenIOCs at all, or just want to see how someone would go about creating an IOC, take a look at the post...and be sure to read the first two parts, as well.

If you were on last night's DFIROnline presentation on malware detection within an acquired image, what would the malware characteristics be for Ramnit, based on the IOC?

If you like case studies and discussions of practical analysis techniques, take a look at Rob's post on Digital Forensic SIFTing.  Rob provides some very good walk-thrus regarding how to use log2timeline effectively on several incident types, and this is well worth a look.

A bit ago I ran across something Yogesh had written on parsing IE RecoveryStore files.  As these files are based on the OLE format, and I've recently had some experience writing parsers for files that use this format (Jump Lists, StickyNotes), I thought I'd take a crack at this file, as well.  This is still something I'd like to do...I'm hoping Yogesh will release the specifics of parsing the various streams soon.

Along those lines, John Moan recently commented on a blog post and mentioned that he's written two tools, ParseRS and RipRS.  I haven't had a case yet that involves recovering information about a user's browser activity, but the approach he's taken is very interesting, and I'm sure that John would greatly appreciate it if folks would try the tools out and provide him with some valuable feedback.  I've added the tools to my FOSS Tools page, keeping them persistent in one place.

Case Studies
Speaking of case studies, this is one of the items of interest within the community.  I've known about it for a fact, I've tried to write my books to include case studies, and I also tend to look for similar approaches in other books.  Writing about a tool or technique is dry enough as it is, and the way to engage the reader (using the vehicle of the written word) is to include a case study that describes how the tool or technique was used.

On a number of forums, I see requests for case studies.  Not long ago, a thread was started in a forum that included a request that analysts post case studies; this is nothing new, I've seen it before.  What I haven't seen is those folks then posting case studies themselves.  Now, there are a number of what could be considered case studies online.  In fact, if you go to the FOSS Tools page off of my blog, and scroll down to the "Sample Images" section, you'll see links to several sample images that you can download...several of them have actual scenarios associated with them, as well as solutions.  These can serve as some pretty good case studies.


Andrew Case said...

Do you know of a list of case studies that don't include samples?

H. Carvey said...

No, sorry...but that's kind of my point. Lots of people want to see case studies but few seem willing to provide them.

Mike Wilkinson said...

The recordings of the DFIROnline presentations have been posted here:

Thanks for a great presentation Harlan.

cbentle2 said...

Harlan thanks for posting a link to the Ramnit blog post, hope anyone reading it enjoys it. Feedback is always welcome with regards the published IOC.