Saturday, February 18, 2012

Sharing and Case Studies

There's been some discussion of late in various corners of the DFIR community regarding "sharing" amongst those of us in the community.  Some of it has centered on sharing of threat intelligence and IOCs, and that's sort of spawned off into sharing "case studies".  I ran across a couple of threads on one online forum (like this one...), where an interest in case studies was expressed, but as is usually the case, few are actually stepping forward to provide them.

My hope is that these discussions have formed a crack in the wall of silence, and that some of us can squeeze our fingers into that crack, and with the help of others in the community, pry it apart.

Andrew Case posted an excellent case study on the DFS blog, one that is truly inspiring.  Andrew looked at what he wanted to do and used what was available to him to get it done.

Corey Harrell has posted a number of times to his blog regarding exploit artifacts, and has taken up a series of posts on accessing Volume Shadow Copies.  Corey provided some excellent material which he graciously allowed me to incorporate into chapter 3 of WFAT3e, and he has since taken that several steps further.  While not specifically related to cases Corey has worked, this is some excellent information that is of significant value to anyone who encounters Vista and Win7 systems.

Recently, Melia posted a "case experience" to her blog, where she had to address an issue of exploitation.  I've had similar cases, and I've had issues where such a thing was just part of the case...and I think what Melia's post really points out is that Windows does a great job of illustrating Locard's Exchange Principle; that is, when the user or an application interacts with the operating system, there are very often artifacts of that interaction that survive attempts by the user to cover their tracks.

From a link in Melia's blog post, I found out about the Cheeky4n6Monkey blog, which has some excellent posts, including this one on creating a RegRipper plugin for CCleaner, which actually covers two topic areas: artifacts associated with running CCleaner, and writing a RegRipper plugin.  The author correctly points out that I covered how to write RegRipper plugins in WRF.

There are even more examples available of how analysts have pursued real-world cases.  Take a look at this post to the Mandiant blog by Nick Harbour, from July 2010.

I know from experience (in the industry, writing books, etc.) that many of us really enjoy reading or hearing case studies, but the fact is that few of us actually share case studies, or just some portion of our experiences (I won't get into the "why"...).  From recent experience, this is disheartening when you go to a conference where many of the presentation titles lead you to believe that case studies or experiences will be shared, but all you get during the presentations, and even out in the common areas between presentations, are blank stares.

No one of us is as smart as all of us.  There are some of us who've seen a lot of things, but no one has seen or done everything.  Sharing what we've seen through presentations and blog posts is a great way for us to learn, without having to have had the actual experiences.


Cheeky4n6Monkey said...

Hi Harlan,

Thank you for referring to my blog in your post. Your blog and books play/have played a major role in developing my DF skills. When struggling to identify future blog/research topics I have found myself asking "What Would Harlan Carvey Do"? ;)
Usually though, you've already researched it/done it/written a book/blog on it.
It's pretty cool when my ranting gets read - let alone referred to by people with way more knowledge/experience.

So, Thanks again for all your efforts!

Keydet89 said...

Well, it's clear that you program in Perl, and that you've written at least one RegRipper plugin.

Have you shared that plugin with anyone, beyond posting it in your blog? Have you submitted it to Brett for inclusion in the distro?


Cheeky4n6Monkey said...

TBH I was a bit hesitant to submit it because it was my first attempt (at Perl/at RegRipper plugins).

But now that you mention it, I will try submitting it.

Keydet89 said...

I guess my big question is, did it work for you?

The RR plugins are like IOCs, and can be used by others to obtain data, and then improve upon or modify the plugin as necessary.

Cheeky4n6Monkey said...

The original purpose of the exercise was to familiarise myself with writing a RegRipper plugin. So in that sense, it worked for me. The CCleaner aspect was kinda incidental TBH.

I wasn't expecting to submit it as it seemed pretty basic - just printing all of the CCleaner values without researching/documenting what every value signified.
But like you just said, if I put it out there at least other people can research/modify it for their needs.