Monday, November 13, 2006

Trends in Digital Forensics, and news

I ran across a Dr. Dobbs article of the same name as the title of this post...very interesting. The subtitle is: Are "live" investigations the trend we are heading towards?

An interesting quote from the article:
Thus the new trend in digital forensics is to use the corporate network to immediately respond to incidents.

Hhhhmmm...this sounds pretty definitive.

My thoughts on the article are two-fold. First, I have to ask: is this, in fact, the trend (or at least a coming trend that we're seeing more of)? Are IT and IR teams using tools like those mentioned in the article (Encase, Wetstone's LiveWire - I have to wonder why the author doesn't mention ProDiscover) to perform incident response via the network? If so, how effective are these efforts?

Overall, the author discusses "live investigations" (which is cool, because my next book covers that, in part) but I have to wonder how much this is being done, and how effective it is.

Now for the "news"...there's a new CyberSpeak podcast out; I just downloaded it and still have to listen to it. I took a look at the show notes (which have moved) and saw that Jesse Kornblum is again being interviewed. Very cool. One of the news items I picked up from the show notes was about a guy in the UK who took over young girls' computers and extorted them into sending him dirty pictures of themselves. The scary thing about the article isn't things like this:

...used some of the most advanced computer programmes seen by police to hack into their PCs...

One of the youngsters said his level of expertise and his power over her PC reminded her of the cult science fiction film Matrix.

Well, okay...I take it back...maybe those excerpts do represent some scary things about the article..."scary" in the sense that an email-borne Trojan of some kind is equated to the level of technology seen in the Matrix. Or maybe it's the fact that, according to the article, these kids actually fell prey to this guy and sent the pictures, rather than notifying their parents.

Okay, I'm off to listen to the show...


Bill Ethridge said...

I don't see a lot of it going on; mostly I see the IT guys trying to isolate the "hit" machine from the network, and still waiting on the IR guy to come along and image. Any memory dumps and captures I've come in behind didn't take place over the network. But I think a lot of this is due to the fact that the threat isn't being seen real time to start with.

As for ProDiscover, I've been doing forensics for a long time, and I've only come to hear about it and finally use it in the past year. So far, I'd have to say it's an undiscovered (pun intended) jewel. Can't wait to be able to afford a better version.


H. Carvey said...
Thanks for the comment.

In my experience, the IT guys will either reload the OS and not report the incident, or take the system offline and power it off, *then* call someone about responding. Usually when I respond and interview them about what their goals are regarding the system and the incident, I have to be up-front and honest with them...some (if not all) of their questions could have been addressed had they either collected volatile data, or not shut the machine down.

Can't wait to be able to afford a better version.

What? Afford a better version of what?


Bill Ethridge said...

Sorry; sometimes what seems very apparent when you write something isn't when someone reads it.

A better version of PD. Right now I just own the Windows version. Maybe Investigator is in next year's budget.


Anonymous said...

It's a battle we are winning in my arena, as my team works closely with the initial responders and helpdesk. It has been a battle. For the longest time my team was relegated to "host forensics", which the "network investigation" team insisted meant they had first dibs on the machines. Trouble was they had no ability to conduct network traffic analysis, and they never managed to gather volatile data before pulling the plugs and bringing us the machines. Finally, we had a matter involving LE, and the incompetence of the "network" team became very evident. They are gone now, and their very names are words of shame and derision.

We have many ways of collecting volatile data. We have scripts we can run that gather the data through a number of tools. We also have ProDiscover and some others of that ilk. I like a little redundancy in the capturing process in case some piece of intruder or malignant code blocks or takes over an API.

One tool that I haven't seen mentioned much is WinHex's CAPTURE program. It is very good. I run it in my scripts to capture memory dumps.
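The two points made in the comments above, collect volatile data before anyone pulls the plug, and capture the same facts with more than one tool so a hooked API shows up as a discrepancy, are easy to put into a script. The following is an added example written for this page, not the commenter's collection scripts and not anything from ProDiscover or WinHex; it assumes Windows PowerShell 5.1 run as an administrator from prepared media, and the output folder, the log format and the set of commands are choices made here for illustration. A physical memory image would be taken before any of this with whatever imager the team has chosen; the script deliberately does not invent a command line for one.

```powershell
# Added example (not from the original post or its commenters): a minimal
# Windows live-response collector. Assumes Windows PowerShell 5.1, run as
# administrator; $Dest and the command set are illustrative choices.
param(
    [string]$Dest = "E:\collect\${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$Log = Join-Path $Dest 'collection.log'

# Run one command, save its output, and log a timestamp plus a SHA-256 of the
# file so the collected artifacts can later be shown to be unchanged.
function Capture {
    param([string]$Name, [scriptblock]$Command)
    $Out   = Join-Path $Dest "$Name.txt"
    $Start = (Get-Date).ToString('o')
    try {
        & $Command 2>&1 | Out-File -FilePath $Out -Encoding utf8
    } catch {
        "$Start $Name FAILED: $_" | Out-File -FilePath $Log -Append
        return
    }
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $Out).Hash
    "$Start $Name sha256=$Hash" | Out-File -FilePath $Log -Append
}

# Compare two independent process enumerations. A PID present in only one
# list is either a process that started or exited between the two runs, or a
# tool whose view of the system has been tampered with; either way, look at it.
function Compare-ProcessLists {
    param([int[]]$FromTasklist, [int[]]$FromCim)
    [pscustomobject]@{
        OnlyInTasklist = @($FromTasklist | Where-Object { $_ -notin $FromCim })
        OnlyInCim      = @($FromCim      | Where-Object { $_ -notin $FromTasklist })
    }
}

# Roughly in order of volatility: clock and network state first, then
# processes, sessions, services and caches. (Memory image goes before all of it.)
Capture 'system_time' { Get-Date -Format 'o'; w32tm /tz }
Capture 'netstat'     { netstat -ano }
Capture 'arp'         { arp -a }
Capture 'dns_cache'   { ipconfig /displaydns }
Capture 'tasklist'    { tasklist /v /fo csv }
Capture 'cim_process' { Get-CimInstance Win32_Process |
                        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
                        Format-List }
Capture 'logged_on'   { Get-CimInstance Win32_LoggedOnUser | Format-List }
Capture 'services'    { Get-CimInstance Win32_Service |
                        Select-Object Name, State, PathName, StartName |
                        Format-List }
Capture 'scheduled'   { schtasks /query /fo csv /v }

# Redundancy check: tasklist.exe and the WMI/CIM provider reach the process
# list by different code paths, so enumerate with both and compare the PID sets.
# Both are taken back-to-back here to keep timing differences small.
$TasklistPids = tasklist /fo csv /nh |
    ConvertFrom-Csv -Header 'Image', 'PID', 'Session', 'SessionNum', 'Mem' |
    ForEach-Object { [int]$_.PID }
$CimPids = (Get-CimInstance Win32_Process).ProcessId

$Diff = Compare-ProcessLists -FromTasklist $TasklistPids -FromCim $CimPids
$Diff | Format-List | Out-File -FilePath (Join-Path $Dest 'process_diff.txt')
"$((Get-Date).ToString('o')) process cross-check: only_tasklist=$($Diff.OnlyInTasklist -join ',') only_cim=$($Diff.OnlyInCim -join ',')" |
    Out-File -FilePath $Log -Append
```

Two design notes. The per-file hash goes into the log at capture time rather than at the end, so even a collection that is interrupted part-way leaves a record of what was gathered and when. And the cross-check is kept as its own function returning a result object, rather than just printing a diff, so the same comparison can be applied to other pairs of tools (netstat against the CIM network classes, for instance) when the responder wants a second independent view of the same volatile fact.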