Monday, August 24, 2009

Papers, Tools, and Such

If you do any work at all with network traffic captures (i.e., .pcap files), you should take a look at Claus's Network Capture Tools and Utilities post. I mentioned several of the tools listed in Claus's post in Chapter 9 of Windows Forensic Analysis 2/e, and some of those tools have been updated. If you want to try the tools out but don't have any "interesting" traffic available, check out sites like this or this.

I didn't attend DFRWS this year, but I did see this very interesting paper about the CyberForensics TimeLab (CFTL) by Jens Olsson and Martin Boldt. CFTL is a "computer forensic timeline visualization tool", with the engine developed in Perl (yes!) and a C#/.NET GUI frontend. According to the paper, timestamped data is automatically extracted from an acquired image via processing with filters, and then stored in an XML format, which is then made available to the analyst via the frontend. CFTL appears to take a similar approach to ex-tip, in that filters extract timestamped data from various file formats. Taking the similarities a step further, CFTL also appears to parse Registry hive files only for keys and LastWrite times. From just reading the paper, the similarities end there, as CFTL uses an automated approach to extracting information from an acquired image, making in-processing and development of the XML file a fairly straightforward process.

I applaud the efforts of the authors, as this is just the kind of work we need to see within the computer forensic analysis community. Without this kind of work, we wouldn't move forward. However, I have a couple of thoughts with respect to this sort of approach to timeline creation and analysis. First, the context available from a timeline is derived from contents of the events themselves, not in a bar chart or histogram showing the numbers or frequencies of events within a given time period. For example, automatic software updates can lead to a great deal of file system and Registry activity, and any malicious activity during that timeframe will be hidden. Also, the LastWrite time for the ubiquitous Run key isn't nearly as relevant to an examination as the values contained in the key.

Second, I have heard analysts say time and time again that when developing a timeline, most analysts want everything, all of the available data, and that data reduction will be performed later. With respect to the Registry, I tend to disagree, as in most cases, the timestamps embedded within Registry data provide greater context than the key's LastWrite time. I tend to agree that if you don't really know and understand what you have available to you within an image acquired from a Windows system, go ahead and grab everything that's available. I also believe that if you do know what you have available to you and what data you can use, you can take an iterative approach to building your timeline for analysis. I've done this myself, and I've found it to be much faster and more accurate than dumping all of the Registry key LastWrite times into a timeline and trying to make heads or tails of what happened.
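As an added illustration of the two points above (this is not code from the post or from the CFTL paper), the following Python script contrasts the per-hour histogram view with one pass of content-based data reduction; the timeline rows, paths and noise patterns are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed "time|source|description" rows: an automatic-update burst that
# swamps a single unrelated hosts-file write falling in the same hour.
SAMPLE = """\
2009-08-10 03:00:12|FILE|C:\\Windows\\SoftwareDistribution\\Download\\pkg1.cab
2009-08-10 03:00:15|FILE|C:\\Windows\\SoftwareDistribution\\Download\\pkg2.cab
2009-08-10 03:00:20|REG|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update
2009-08-10 03:01:02|FILE|C:\\Windows\\System32\\catroot2\\edb.log
2009-08-10 03:01:40|FILE|C:\\Windows\\System32\\drivers\\etc\\hosts
2009-08-10 03:02:05|REG|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Results
2009-08-10 09:15:00|FILE|C:\\Users\\bob\\Documents\\report.docx
"""

# Patterns the analyst already recognises as update noise (assumed list);
# each iteration of the approach adds more as the system's normal activity is learned.
UPDATE_NOISE = [r"\\SoftwareDistribution\\", r"\\WindowsUpdate\\", r"\\catroot2?\\"]

def parse_timeline(text):
    """Turn 'time|source|description' rows into dicts carrying a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, desc = line.split("|", 2)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source, "desc": desc})
    return events

def hourly_histogram(events):
    """The bar-chart view: event counts per hour, which is all a frequency plot shows."""
    return Counter(e["time"].strftime("%Y-%m-%d %H") for e in events)

def reduce_events(events, noise_patterns):
    """One iteration of data reduction: drop events whose content matches known noise."""
    compiled = [re.compile(p, re.IGNORECASE) for p in noise_patterns]
    return [e for e in events if not any(c.search(e["desc"]) for c in compiled)]

if __name__ == "__main__":
    evts = parse_timeline(SAMPLE)
    print(hourly_histogram(evts))  # the 03:00 hour dominates: 6 events against 1
    for e in reduce_events(evts, UPDATE_NOISE):
        print(e["time"], e["source"], e["desc"])  # the hosts write now stands out
```

The histogram only says that 03:00 was busy; it is the reduced event content that surfaces the hosts-file write hidden inside the update burst.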

From Spanagel Hall out at NPS in Monterey, CA (my alma mater) comes a very interesting master's thesis from Greg Roussas titled "Visualization of Client-Side Web Browsing and Email Activity". This approach reminds me of the Analyst's Notebook, and I can see how this sort of approach would be

A bit of computer trivia...Gary Kildall once had an office in Spanagel Hall. I used to walk by it almost every day.

I caught this ComputerWorld article about NZ police releasing a virtualized environment tool for evidence. One thing about the article that concerned me was this statement:

Digital forensic examiners faced with a complex inquiry can spend weeks delving into a computer to find the traces of evidence required for a successful prosecution, Police say.

Ouch! Really? Weeks? Why? On the commercial consulting side, a "complex inquiry" would be broken down into discrete goals and steps, each of which would be provided an answer, or something along the lines of "...could not be determined conclusively...", along with the reason why. But really...weeks? Anyway, in the end, the new tool sounds as if it's LiveView with a web interface...but hey, if it helps LE put bad guys in jail, so be it. Personally, I think that there's a lot being missed using something like this, but I do see how it can be a very useful tool.

Finally, IronGeek posted the video for a class he gave on anti-forensics. The video itself is quite long (just over 3 hrs), so you might want to grab the slides and check out the links in the page. There's some pretty interesting (re: challenging) stuff presented in the links alone (I haven't watched the video yet...).
