Pages

Saturday, July 11, 2009

SANS Forensic Summit

I spent all day last Tuesday in downtown DC attending the SANS Forensic Summit...it was totally awesome and well worth every second I was there.

First, a HUGE thank you to Rob Lee for setting the Summit up and inviting me and all of the other speakers, and an only slightly-smaller thank you to all of the folks who attended and made the Summit the success that it was!

Now on to the Summit itself...

Presentations
Richard
Richard Bejtlich gave the keynote address which was very entertaining. Richard is a dynamic and informative speaker, and has some very well thought-out and articulated views, and he's definitely someone worth listening to, even if you don't necessarily agree with everything he says. Unlike Ken Bradley, I don't work for Richard, so I can say anything I want! ;-) Seriously, though...Richard is truly one of the thought leaders in the industry, and definitely someone worth listening to.

Kris Harms
Kris had some great things to say as an incident responder for Mandiant. As a responder, for me, it's great to see other folks in the industry, listen to their presentations, and talk to them about what they're doing, and how they're addressing those problems that we all run into. Many times you'll pick up things that you didn't know, and other times you'll get validation regarding some of the things you're doing when you get a chance to see how others are addressing those same challenges. Kris and the Mandiant crew have a great deal of experience with APT, or advanced persistent threat, so if you get a chance to pick Kris's brain on the subject, do it.

Jamie and Peter
Jamie and Peter, both also from Mandiant, had some great things to talk about with respect to memory analysis, with a specific focus on malware detection. If you haven't really looked at it, you should definitely consider looking at Memoryze and AuditViewer.

Brendan
Brendan's presentation on analyzing Windows Registry hives extracted from a memory dump was a great piece of work! My (top)hat's off to Brendan on the work he's done to extend the work put into tools such as Volatility and RegRipper. Who knew you could grab a memory dump from XP, and the using open source tools, extract the password hashes which you can then crack using your tool-of-choice?

Panels
The panels are a summit/conference format that Rob uses to great effect. I first encountered this sort of technique at Aaron's OMFW last year, and Rob has included it at the Summit. Several folks from a particular field (I was on the IR panel) each give short presentations, and then the floor is opened for questions which Rob filters so that things keep moving. This is a great way to do two things; first, to really push through some varying views in a short period of time, and second, to open up discussions that continue between individuals later, during breaks or even over email after the summit is over.

PodCast
Ovie and Bret were nice enough to invite me, as well as Rob Lee, Ken Bradley, and Jesse Kornblum to take part in the live recording of the CyberSpeak podcast, which was a LOT of fun...as I'm sure you'll be able to tell when you listen to it.

Hey, don't listen just to me...Chris and Matt have posted their impressions of the Summit, as well.

Tips
One of the things I picked up from Kris Harm's talk was a great tip on a means for doing differential analysis of volatile data. Most of use are familiar with the use of pslist to get process information, and how to analyze the information that we receive. I tend to combine that information with the output of tlist, as well as other tools (netstat, etc.) to develop an overall picture of what was happening on the system. What I picked up from Kris is that grep()'ing through the output of handle.exe, you can look for "pid:", which provides you with yet another means of locating processes. The same technique can be used for malware detection, by looking for mutants/mutexes (mentioned by both Kris, and his cohort over at Mandiant, Peter Silberman) using something called the "least frequency of occurrence" (thanks, Peter!).

No comments:

Post a Comment