Friday, October 30, 2015

OSDFCon follow-up

I attended Basis Tech's OSDFCon recently...I've attended and presented at this conference in the past...and as has been the case in previous years, this turned out to be a great experience.

OSDFCon isn't so much a DFIR conference as it is a "tools and frameworks" conference, centered around the Autopsy toolkit.  However, the folks who attend this conference are, for the most part, developers and DFIR practitioners.  Many of the attendees are one or the other, while a number are both.  This makes for a very interesting time.

Brian asked me to come by and, along with several other folks, give an update to a previous presentation.  Last year, I talked about some updates I was considering/working on for RegRipper, and this time I gave a quick update on what I was looking at in the coming year.  Based on that, my hope for next year's conference is to have something available to give a presentation, along with a demo, of what I talked about.

I really liked hearing about the new stuff in Volatility 2.5, as well as seeing the plugins that came out of the contest...and congrats to the contest winners!

Something I like about this particular conference is the type of folks that it brings together.  Working on the types of cases I tend to work gives me a sort of myopic view of things, so it's good to meet up with others and hear about the kinds of cases they work, and the challenges they face.

There are a lot of really smart people at this conference, and what I really like to see is frameworks and solutions to DFIR problems being created by DFIR practitioners, even if they are specific to those individual's needs.

Many of the solutions...whether it be Turbinia, or Autopsy, or Willi's tools, or whatever...provide an excellent means for data collection and presentation.  I think we still have a challenge to interpretation.  Sure, we get now get data from an image or from across the enterprise much faster because we've put stuff in the cloud, or we've got a fast, multi-threaded design in our framework, and that's awesome.  But what happens if that data is misunderstood and misinterpreted?  This thought started to gel with me right after I registered for the conference and was talking to Christa about CyberTriage, and then during the conference, I made a comment to that effect to which he responded, "Baby steps."  He's right.  But now that we can get to the data faster, the nex step is to make sure that we're getting the right data, and that it's being interpreted and understood correctly.  Maybe the data interpretation phase is beyond the scope of a conference that's about open source tools...although there may be space for an open source tool that incorporates threat intelligence.  Just sayin'...

Maybe I've just given myself the basis for a presentation next year.  ;-)

Finally, a huge thanks to Brian and his staff for continuing to put on an excellent conference, in both format and content.  In fact, I still believe that this is one of the better conferences available today.  The format is great, requiring speakers to focus on the guts of what they want to convey, and the breaks allow for interaction not only with speakers but with other attendees, as well.

Thursday, October 08, 2015

Threat Intel and Threat Hunting Conferences in 2016

I'm looking for input from the community, with respect to conferences in 2016 that cover DFIR, threat intelligence, and threat hunting.

Members of the team I work with have some pretty significant content that we're looking to share, so I thought I'd reach to the community and see what conferences are out there that folks are looking to (for content) in 2016.

So, if you're looking at conferences in 2016 that cover digital forensics, incident response, as well as targeted threat hunting and response, I'd appreciate hearing about them.


Tuesday, October 06, 2015

Tools, Links - ESEDB, etc.

CapLoader - This looks like an interesting tool...and another one...for carving packets from memory dumps.  I'm not clear as to how this tool differs from the Volatility modules, in particular netscan and Jamaal's ethscan, but it does seem interesting.  If you were curious as to how to install Rekall on Windows systems, see this blog post. - I'm not entirely sure how this Python script differs from RegRipper's plugin, but it does offer an interesting alternative, if you're looking for one.  The output does appear similar to what produces.

MFT Parsers
Mari posted an excellent blog article based on her review of several MFT parsing tools.  One of the key factors to Mari's post is that she understands what it is she's looking at (MFT records), so she's able to evaluate the various tools for her own use, rather than simply running them and not questioning the output.

This is the sort of thing that the DFIR community would benefit from greatly, if more practitioners engaged in it, or if more practitioners responded to it.  Honestly evaluating tools can be of significant benefit to the community, particularly when they're evaluated in light of a particular practitioner's analysis process.  It's even more beneficial if that process is shared, so that others can determine the usefulness of the tools for themselves, and decide if those tools can/should be incorporated into their own analysis process.

Yara is a tool that's been available for some time, and is worth mentioning again.  A while back, Corey Harrell asked a question via social media regarding how to detect the presence of web shells on a system, using only the HTTP access logs.  Shortly thereafter, Aaron Shelmire posted this article to the ThreatStream blog.  In the article, Aaron mentions a couple of methods for detecting web shells using only the HTTP access logs, in accordance with Corey's question, and his suggestions are very valuable.  One method of detection he mentioned, as well, was using a change control and inventory process, or a file system monitoring tool, to detect new pages being added to web directories.  Aaron also mentions that searching for patterns within files can produce false positives, but if you use something like Yara, you can reduce those false positives.  Yara can be used by sysadmins who want to keep ahead of things or those who want to perform hunting, as well as by analysts and responders engaged in DFIR analysis.

An excellent resource for web shell rules can be found here.

ESEDB Databases
Windows systems utilize ESE format databases more and more, and as such, it's imperative that analysts be able to identify the databases, as well as extract data for incorporation into their analysis processes.

An example of an ESE format database includes the IE10+ WebCacheV01.dat web history database. Also, Brent Muir recently posted regarding Windows 10 Cortana Notification Center Forensics.

A note on Brent's post...I have a Windows 10 laptop that was upgraded from Win7; I opened the notification center as he described towards the end of the post.  Even after rebooting the system, the value containing the timestamp does not exist in my NTUSER.DAT.  However, I'm also not running Cortana, as this is an older laptop, so that may have an impact as to whether or not the value gets created.

There's also the Search Index database; reading through the post responses, you can see how the contents of this database can be useful to a forensic analyst.  One of the response lists tools that can be used to parse the database.

So, at this point, that's three databases that use the ESE format, all of which can provide significant value to a forensic analyst.

Parsing Tools
WoanWare ESEDBViewer - deprecated, but still a good visual tool.

libesedb - needs to be compiled for the Windows platform; most of the web sites that I've found that mention the tool don't provide a compiled copy

esentutl - native tool that lets you copy and/or recover an ESEDB file.  While one method of obtaining a copy of an ESEDB file for analysis might be to create a VSC and copy the file in question from the shadow copy, this option might not always be available.  As such, this native tool may be of significant use to an analyst. - It looks as if Jon Glass has updated his Python script for parsing the WebCacheV01.dat file.

Addendum, 7 Oct: I found this post over at Sanderson Forensics this morning...if you're analyzing Windows systems, you want to be sure to read the post and include the tool in your toolkit...