Sunday, April 11, 2010

Links...and whatnot

Security Ripcord
Don posted recently on his experiences attending Rob Lee's SANS SEC 508 course. Don has some very interesting insights, so take a look. Read what he says carefully, and think about it before reacting based on your initial impression. Don's an experienced responder that I have the honor of knowing, and the pleasure of having worked with...he's "been there and done that", likely in more ways than you can imagine. Many times when we read something from someone else, we'll apply the words to our own personal context, rather than the context of the author...so when you read what Don's said, take a few minutes to think about what he's saying.

One example is Don's statement regarding the court room vs. the data center. To be honest, I think he's absolutely right. For far too long, what could possibly go on in the court room has been a primary driver for response, when that shouldn't be the case. I've seen far too many times where someone has said, "I won't do live response until it's accepted by the courts." Okay, fine.

Another one that I see a lot is the statement, "...a competent defense counsel could ask this question and spread doubt in the mind of the jury." Ugh. Really. I saw on a list recently where someone made that statement with respect to using MD5 hashes to validate data integrity, and how a defense attorney could bring up "MD5 rainbow tables". Again...ugh. There are more issues with this than I want to go into here, but the point is that you cannot let what you think might happen in court deter you from doing what you can, and what's right.

DFI Newsletter
I subscribe to the DFI Newsletter, and I found a couple of interesting items in the one I received on Fri, 9 April. Specifically, one of my blog posts appears in the In The Blogs section. Okay, that was pretty cool!

Also, there was a link to an FCW article by Ben Bain regarding how Bill Bratton "said local police departments have been behind the curve for most of their history in tackling computer-related crime and cybersecurity" and that "it's a resource issue."

I know a couple of folks who have assisted local LE in their area, and that seems to be something of a beneficial relationship, particularly for LE.

File System Tunneling
Okay, this is a new one on me...I ran across this concept on a list recently, and thought I'd look into it a bit. In short, it seems that there's long been functionality built into NTFS that allows, under specific conditions and for a short period of time (default is 15 seconds), file metadata (specifically, the file creation time) to be reused. That is, if a file with a specific name is deleted, and then another file with the same name is created in that directory within 15 seconds, the first file's metadata will be reused. Fortunately (note the sarcasm...), this functionality can be extended or disabled.

Okay, so what does this mean to forensic analysts? Under most conditions, probably not a lot. But this is definitely something to be aware of and understand. I mean, under normal circumstances, time stamps are hard enough to keep up with...add into that tunneling, anti-forensics, and the fact that on Vista and above, updating of last access times is disabled.

More than anything else, this really illustrates how important it is, when considering potential issues or asking questions about systems, to identify things like the OS, the version (i.e., XP vs. Win7), the file system, etc.
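
As an added example (not part of the original post), the PowerShell below reports the tunneling settings described in MS KB 172190 and then checks whether a re-created file picks up the deleted file's creation time. The scratch directory, file name and function name are constructed for the demo, and it assumes a Windows test system where %TEMP% is on an NTFS volume.

```powershell
# Added example: observe NTFS file system tunneling on a test system.
# Assumptions: Windows host, scratch directory on an NTFS volume;
# the directory, file and function names are constructed for this demo.

# 1. Report the tunneling configuration (values documented in MS KB 172190).
#    MaximumTunnelEntries = 0 disables tunneling; an absent value means the
#    default applies (15-second cache age).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$cfg   = Get-ItemProperty -Path $fsKey
foreach ($name in 'MaximumTunnelEntries', 'MaximumTunnelEntryAgeInSeconds') {
    $value = $cfg.$name
    if ($null -eq $value) { $value = '(not set, default applies)' }
    '{0,-32} {1}' -f $name, $value
}

# 2. Create a file, let its creation time age, then delete and re-create it
#    under the same name and compare the two creation times.
function Test-Tunneling {
    param([string]$Dir, [int]$GapSeconds)

    $path = Join-Path $Dir 'tunnel-demo.txt'
    Set-Content -Path $path -Value 'first file'
    $firstCreated = (Get-Item $path).CreationTimeUtc

    Start-Sleep -Seconds 5             # make the original creation time visibly older
    Remove-Item -Path $path
    Start-Sleep -Seconds $GapSeconds   # time between delete and re-create
    Set-Content -Path $path -Value 'second file'
    $secondCreated = (Get-Item $path).CreationTimeUtc
    Remove-Item -Path $path

    [pscustomobject]@{
        GapSeconds    = $GapSeconds
        FirstCreated  = $firstCreated.ToString('o')
        SecondCreated = $secondCreated.ToString('o')
        Tunneled      = ($firstCreated -eq $secondCreated)
    }
}

$dir = Join-Path $env:TEMP 'tunnel-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Test-Tunneling -Dir $dir -GapSeconds 0    # re-create inside the 15-second default window
Test-Tunneling -Dir $dir -GapSeconds 20   # re-create after the default window has passed
Remove-Item -Path $dir
```

Recording the registry values alongside the result matters because the cache age and entry count can be changed per system, so the same test may behave differently on two hosts.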

MS KB 172190
MS KB 299648
Daniel Schneller's thoughts
Old New Thing blog post
MSDN: File Times

The eEvidence what's new site was updated a bit ago. Christina is always able to find some very interesting resources, so take some time to browse through what's there. Sometimes there are case studies, sometimes some really academic stuff, but there's always something interesting.

Matthieu has released the MoonSols Windows Memory Toolkit, with a free community edition. Check it out.


Anonymous said...

Hello Dear,
file system tunneling capabilities to enable compatibility with programs that rely on file systems being able to hold onto file meta-info for a short period of time. This occurs after deletion or renaming and re-introducing a new directory entry with that meta-info.
For getting more information about this topic, Click Here

AlExAnDeRrRrR said...

Thanks very much, this is a good post.

Karl Levinson said...

Harlan, I couldn't agree with you more about court room vs. server room.

Usually the customer isn't the court but the organization that's been impacted. The customer should have an interest in knowing what likely might have happened... not knowing just what can be proven to a hostile attorney beyond a reasonable doubt. They also may have a SOC or CSIRC behind them waiting anxiously for info as fast as they can get it, which often means live system info.

There's no reason why you can't produce two sets of data... one for the organization and first responders, and one with evidentiary value. Most likely the latter won't even be used.

We need to redefine the term "forensics" (or replace it with a new term) so that it doesn't always conjure up for people a scenario where the hard drive is seized and you get data back too late to help defend the organization.

H. Carvey said...

"There's no reason why you can't produce two sets of data... one for the organization and first responders, and one with evidentiary value. Most likely the latter won't even be used."

Why wouldn't the one acquired for the organization...even a live of evidentiary value?