Thursday, December 22, 2005

The age of "Nintendo forensics"... coming to a close. Or, rather, it needs to. Looking around, seeing what's going on in the community, and in particular, in the news, I have to think that the days of blindly imaging a system and then running searches for keywords or images are going to be a thing of the past soon.

Windows systems in particular hold a wealth of information. There are areas of systems that are largely unexplored by many forensic analysts, particularly on the law enforcement side of the house. Now, I know that this is in large part due to case loads, staffing, training, and simply time. However, more knowledgeable law enforcement officers (at all levels...local, state, and even federal) as well as more knowledgeable system administrators (and even CIOs) will serve to level the playing field between the good guys and the bad guys.

What am I talking about? I'm talking about the fact that Windows XP and 2003 are becoming more prevalent by the day, and soon Vista will be in production and on the streets. We (the forensic community) can no longer operate from an MS-DOS standpoint.

Don't get me reduction through the use of searches, file hashes, etc., is still extremely useful. However, a search for an ASCII string may turn up very little when searching the Windows Registry. One needs to understand the format of the Registry (even on the binary level) and how the Registry is structured. The same holds true with other file formats...OLE/compound documents (MS Word being the most prevalent example), PE files, Event Log files, INFO2 files, and even shortcuts. Yes, there are tools that can be run to pull information from the files but does the person running the tool understand what's happening "under the hood"?

Now, some of you are going to say, "Hey, I don't need to know how to locate and program the computer systems in my car in order to drive a car.", and I'd say, "You're right." However, what I'm talking about is pulling more comprehensive information from an image of a Windows system, and building a better case. In the face of more sophisticated malware, the expanding use of rootkits, and the increase of publicized anti-forensic techniques, I'm beginning to see how a greater level of knowledge is necessary.


Anonymous said...

I am so much in agreement with you here. I always used to think that computer forensics positions were only available to the people who knew that level of detail about a system, or at least knew some level of detail and knew how to find out about the things they didn't know. Unfortunately, as I'm starting to find out, this always isn't the case. (I know there are people out there with this level of knowledge - but I have not been able to work with them yet)

The problem I have run into is that the forensic investigators where I have worked have things like Encase certification and can follow the SOPs in regards to imaging a computer, etc, but if you ask them how things like the registry work, they'd have no clue.

Do you have any suggestions in regards to this? I know your book and training is definitely a good place to go but what else out there can be used to get this kind of knowledge?

H. Carvey said...

" forensics positions were only available to the people who knew that level of detail about a system, or at least knew some level of detail and knew how to find out about the things they didn't know."

Yeah, like you said, that really doesn't seem to be the case at all.

Do you have any suggestions in regards to this?

Where to go to get more detailed training? To be honest, I really don't know. I have received word that some folks have found some of the available training courses to be beneficial, but after digging into it a bit with them, what these amount to, really, is getting the attendees to actually start looking in places like the Registry, using single keys. For example, having them look at the contents of the HKLM\..\Run key on an imaged system.

Another popular key is the TimeZoneInformation key.

However, as far as really detailed analysis...correlating multiple keys, as well as correlating keys with information found in the file system...well, this isn't being taught...not that I'm aware of.

Keep in mind that vendors will provide what the market asks what that's telling me is that there simply isn't the recognition of this kind of analysis in the marketplace. It's not very often that you'll see someone offering something new and innovative in the general marketplace, b/c that sort of thing doesn't survive (it does do well at BlackHat Training, for example, but that's a completely different audience).

I've been looking at providing something like this. Locating interested people to attend isn't difficult...locating interested people who can pay and actually attend is another thing entirely. Maybe a better approach would be to teach the basic stuff first (competing with everyone else who already does this), and then adding the advanced stuff immediately following.

Thanks for your comments.