John McCash recently posted an interesting article to the SANS Forensic blog on decoding the binary Scheduled Task .job file format (John's article referred to tasks created using at.exe).
Based on John's article, I wrote a Perl script that parses the binary structure of the .job file header, and also gets some of the variable data that follows the header. For right now, I've got a number of the header fields translated and extracted, and I've been testing against a couple of .job files I've created on my own system; the output appears as follows:
C:\Perl\forensics>jobparse.pl d:\cases\apple.job
Command : :C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task
Status : Task is disabled
Last Run Date: Thu Jul 16 16:21:00 2009 Exit Code : 0x0
So, this is a good start. I've had engagements where analysis of the Scheduled Tasks log file proved to be critical, so I can see how being able to get details from the .job file might also be important. Also, as John pointed out, information about the binary structure of .job files may assist you if you find indications of deleted .job files in unallocated space. If you get a hit and are able to backtrack a bit, you may find enough information in unallocated space to be able to decipher the header fields.
As a side note, I did find some minor issues with how the MS documentation identifies some of the fields in the structures; for example, the documentation shows a total of 9 2-byte fields for the UUID, but UUIDs are defined as being 128 bits long (i.e., 8 bytes); this threw my initial parsing code off by 2 bytes. Interestingly enough, this applies to Windows XP systems, and the last run time for the job is maintained in the header as a 128-bit wide field; here I was thinking that the new date format was only part of Vista and Windows 7! Eesh!
Addendum: Interesting thought...the timestamps (and other data) embedded in .job files are updated when the task is run; therefore, this information can be used to provide indications of activity that modifies file MAC times, such as AV scanning, searches, or AF tactics...
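To make the header layout concrete, here is an added example (not John's notes and not the jobparse.pl script from this post) that walks the .job fixed-length header and the variable-length section in Python, using the field order and SCHED_S_* status values from MS-TSCH. It reads the job UUID as a single 16-byte field and the last run time as eight 16-bit SYSTEMTIME words (the 128-bit field mentioned above), then pulls the application name, parameters, and the trigger records. The .job bytes it parses are constructed in build_sample_job() to mirror the output shown above; they are not a real file, and the UUID, author and comment strings are made-up values.

```python
"""Parser for the legacy Windows Task Scheduler .job binary format (MS-TSCH).

Added example, not the Perl script from the post. Field layout follows the
MS-TSCH fixed-length header and variable-length section; the sample .job
built below is constructed to mirror the post's output and is not a real file.
"""
import struct
import uuid
from datetime import datetime

# Fixed-length section, 68 bytes little-endian, in documented order:
# product ver, file ver, job UUID (16 bytes), app-name offset, trigger offset,
# error retry count, error retry interval, idle deadline, idle wait,
# priority, max run time, exit code, status, flags,
# last run time = SYSTEMTIME (8 x uint16 = 16 bytes, the 128-bit field).
FIXED = struct.Struct("<HH16sHHHHHHIIIII8H")

# Status field values are the SCHED_S_* HRESULTs of the Task Scheduler API.
STATUS = {
    0x00041300: "Task is ready to run at its next scheduled time",
    0x00041301: "Task is currently running",
    0x00041302: "Task is disabled",
    0x00041303: "Task has not yet run",
    0x00041304: "There are no more runs scheduled for this task",
    0x00041305: "Task is not scheduled (no triggers)",
    0x00041306: "Task was terminated by the user",
    0x00041307: "Task has no valid triggers",
    0x00041308: "Task will run only when its event trigger fires",
}

# Trigger Type values from the 48-byte trigger record.
TRIGGER_TYPE = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")  # 20+16+12 = 48 bytes


def read_ustring(data, off):
    """Counted UTF-16LE string: uint16 char count (includes the NUL; 0 = absent)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if count == 0:
        return "", off
    raw = data[off:off + 2 * count]
    if len(raw) != 2 * count:
        raise ValueError("truncated string at offset %d" % off)
    return raw.decode("utf-16-le").rstrip("\x00"), off + 2 * count


def parse_job(data):
    """Return the forensically interesting fields of a .job blob as a dict."""
    if len(data) < FIXED.size + 2:
        raise ValueError("shorter than the 68-byte fixed header plus instance count")
    f = FIXED.unpack_from(data, 0)
    st = f[14:]  # wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
    # A zeroed SYSTEMTIME means the task has never run. SYSTEMTIME carries no
    # zone; Windows writes local time here, so convert before building a UTC timeline.
    last_run = None if st[0] == 0 else datetime(st[0], st[1], st[3], st[4], st[5], st[6], st[7] * 1000)
    app_off, trig_off = f[3], f[4]
    # Variable section starts with the running-instance count, then the strings.
    (instances,) = struct.unpack_from("<H", data, FIXED.size)
    off = app_off
    app, off = read_ustring(data, off)
    params, off = read_ustring(data, off)
    workdir, off = read_ustring(data, off)
    author, off = read_ustring(data, off)
    comment, off = read_ustring(data, off)
    # Triggers: uint16 count at the trigger offset, then 48-byte records.
    if trig_off + 2 > len(data):
        raise ValueError("trigger offset %d beyond end of data" % trig_off)
    (ntrig,) = struct.unpack_from("<H", data, trig_off)
    triggers = []
    for i in range(ntrig):
        t = TRIGGER.unpack_from(data, trig_off + 2 + TRIGGER.size * i)
        triggers.append({"type": TRIGGER_TYPE.get(t[13], "unknown(%d)" % t[13]),
                         "begin": "%04d-%02d-%02d %02d:%02d" % (t[2], t[3], t[4], t[8], t[9])})
    return {
        "uuid": str(uuid.UUID(bytes_le=f[2])),
        "command": (app + " " + params).strip(),
        "working_dir": workdir, "author": author, "comment": comment,
        "status": STATUS.get(f[12], "unknown(0x%08x)" % f[12]),
        "exit_code": f[11], "flags": f[13], "running_instances": instances,
        "last_run": last_run, "triggers": triggers,
    }


def ustring(s):
    """Encode a string in the counted UTF-16LE form (count includes the NUL)."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_sample_job():
    """Construct a .job blob mirroring the post's output (constructed, not a real file)."""
    strings = (ustring("C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe")
               + ustring("-task") + ustring("C:\\Program Files\\Apple Software Update")
               + ustring("user") + ustring("constructed sample"))
    user_data = reserved = struct.pack("<H", 0)   # User Data / Reserved Data: length 0
    app_off = FIXED.size + 2
    trig_off = app_off + len(strings) + len(user_data) + len(reserved)
    # One DAILY trigger (type 1, every 1 day) beginning 2009-07-01 at 16:21.
    trigger = TRIGGER.pack(48, 0, 2009, 7, 1, 0, 0, 0, 16, 21, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    hdr = FIXED.pack(0x0501, 1, uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").bytes_le,
                     app_off, trig_off, 0, 0, 0, 0, 0x20, 259200000, 0, 0x00041302, 0x4,
                     2009, 7, 4, 16, 16, 21, 0, 0)   # Thu Jul 16 16:21:00 2009 (wDayOfWeek=4)
    return hdr + struct.pack("<H", 0) + strings + user_data + reserved + struct.pack("<H", 1) + trigger


if __name__ == "__main__":
    for k, v in parse_job(build_sample_job()).items():
        print("%-18s: %s" % (k, v))
```

Because the parser follows the application-name and trigger offsets stored in the header rather than assuming fixed positions, the same read_ustring() and TRIGGER.unpack_from() calls can be pointed at a candidate header recovered from unallocated space: if the offsets land on sane counted strings and a trigger record whose size word is 48, the hit is probably a real .job header rather than a coincidental byte pattern.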
The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Showing posts with label Job. Show all posts
Wednesday, September 16, 2009
Monday, June 02, 2008
Job Openings
Okay, I'm going to take a slight divergence from the normal content of this blog to reach out to all of you, my loyal readers...according to Google Analytics, both of you. =D
Anyway, as you may or may not know, by day I am an incident analyst for the IBM ISS Emergency Response Services (ERS) team...and we're looking to expand. By that I mean add qualified members to our team. And not just here in the US, but also in Australia, AsiaPac, Japan, and EMEA.
So you're probably wondering what we do...good question. In short, we respond to incidents on an emergency basis. The basic idea is that we get a call from a current (or soon-to-be) customer, triage the incident, and deploy the necessary assets. Each team member has a jump kit of equipment, both hardware and software (plus tools of our own choosing), and we arrive on-site to assist the customer in resolving the incident, through incident management, data collection and analysis, and pretty much whatever else we need to do. In many cases, we collect data and return to the lab to perform analysis.
We also perform Visa PCI forensic audits. In addition, we service subscription customers with on-site visits, training, CSIRP development, mock incidents, etc.
Of course, there's all the other stuff that goes along with this kind of work...report writing, keeping track of expenses and billable hours. I guess a lot of that is to be expected, but I thought I'd mention it anyway.
So what we're looking for is someone with experience in incident response (beyond just running an AV scanner, or just wiping the drive...), volatile data collection and analysis, forensic acquisition and analysis, documentation and justification of activities, reporting, and customer interface. All of these things are important in what we do.
If you think that this is something you'd be interested in, please feel free to send me a copy of your resume here or here.
Finally, this is NOT a sub-contractor opportunity...this is a full-time employment position.