Friday, April 02, 2010

New stuff

The first ever Sleuth Kit and Open Source Digital Forensics Conference is coming up in June, 2010, and I'll be one of the speakers, joining Brian Carrier, Jamie Butler, Dario Forte, Rob Joyce and Simson Garfinkel. I'll be talking about creating timelines using TSK and other open source tools.

Timelines and Last Access Times

Many examiners make use of file last access times during an examination, to some degree. Most examiners are also aware that MS has a Registry value called NtfsDisableLastAccessUpdate which can be used to disable updating of last access times on files, and that it's enabled (i.e., set to 1) by default beginning with Windows Vista. However, that doesn't mean that these values are never changed...take a look at the links below, and consider doing some testing of your own.

Windows XP - explanation of fsutil, including disablelastaccess behavior
DigFor explanation - when 'disabled' doesn't entirely mean disabled
MS KB 299648 - Description of NTFS date and time stamps
Jones Dykstra and Assoc. article
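Since I'll be talking about timelines built with TSK, here's a small example of what the last access caveat looks like in practice. This is code I've added for this post, not part of TSK or any of the tools linked above; it assumes bodyfile lines in the TSK 3.x "fls -m" layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), collapses them into mactime-style rows, and then reports how many files have a last access time identical to their creation time. The sample bodyfile is constructed, not taken from a real image.

```python
"""Build a mactime-style timeline from TSK bodyfile lines and surface the
last-access caveat. Added example for this post; not TSK or mactime code.
Bodyfile layout assumed (TSK 3.x 'fls -m'):
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample bodyfile (not from a real image). Timestamps are Unix
# epoch seconds. In three of the four entries atime == crtime, the pattern
# you see on volumes where last-access updates are switched off.
SAMPLE_BODYFILE = """\
0|/Windows/System32/calc.exe|1234-128-1|r/rrwxrwxrwx|0|0|776192|1270000000|1270000000|1270000000|1270000000
0|/Users/bob/Documents/report.docx|5678-128-3|r/rrwxrwxrwx|0|0|20480|1270100000|1270150000|1270150000|1270100000
0|/Users/bob/AppData/Local/Temp/evil.pdf|9012-128-4|r/rrwxrwxrwx|0|0|4096|1270200000|1270200000|1270200000|1270200000
0|/Users/bob/Desktop/notes.txt|3456-128-2|r/rrwxrwxrwx|0|0|512|1270300000|1270250000|1270250000|1270240000
"""

# Order of the MACB flag string: M(time), A(time), C(time), B(irth)
MACB_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_bodyfile(text):
    """Yield one dict per bodyfile line. The nine trailing fields are split
    off from the right so a '|' inside a file name does not break parsing."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _md5, rest = line.split("|", 1)
        fields = rest.rsplit("|", 9)
        if len(fields) != 10:
            raise ValueError(f"malformed bodyfile line: {raw!r}")
        name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        yield {
            "name": name, "inode": inode, "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        }


def build_timeline(text):
    """Collapse each file's timestamps into mactime-style rows of
    (epoch, macb_flags, size, name), sorted by time then name.
    A timestamp of 0 is skipped, as mactime does."""
    rows = []
    for entry in parse_bodyfile(text):
        per_time = defaultdict(set)
        for key, letter in MACB_ORDER:
            if entry[key] != 0:
                per_time[entry[key]].add(letter)
        for ts, letters in per_time.items():
            flags = "".join(l if l in letters else "." for _, l in MACB_ORDER)
            rows.append((ts, flags, entry["size"], entry["name"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows


def format_row(row):
    """Render one row the way you'd read it in a mactime listing."""
    ts, flags, size, name = row
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} UTC|{size}|{flags}|{name}"


def atime_equals_crtime_ratio(text):
    """Heuristic only: share of files whose last access time equals their
    creation time. A ratio near 1.0 is consistent with NtfsDisableLastAccessUpdate
    being set (the Vista default), but confirm it against the value in the
    SYSTEM hive rather than trusting the timeline; as the DigFor link notes,
    'disabled' does not mean the value never changes."""
    entries = [e for e in parse_bodyfile(text) if e["atime"] != 0]
    if not entries:
        return 0.0
    same = sum(1 for e in entries if e["atime"] == e["crtime"])
    return same / len(entries)


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODYFILE):
        print(format_row(row))
    print(f"atime == crtime for {atime_equals_crtime_ratio(SAMPLE_BODYFILE):.0%} of files")
```

Run it against the output of fls -m from your own image and compare the ratio to the Registry value; if the two disagree, that's exactly the kind of thing the testing mentioned above is meant to catch.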

Over on the SANS ISC blog, Pedro Bueno posted a link to some tools he uses and wanted to share with others. There are some interesting tools there, one of which is WinAPIOverride32. If you're doing malware analysis, these look like some very interesting and useful tools.

If you're doing any sort of malware analysis and encounter obfuscated JavaScript, check out JSUnpack.

GrandStream Dream Updates

Claus is back to posting again, and has a heavy version available. Rather than re-hashing what Claus has posted here, I'd recommend that you take a look...trying to summarize what he's done simply won't do it justice. Yes, Claus has pulled together links from other blogs, but sometimes it's good to see a bunch of like posts grouped together.

One of the things that Claus mentioned that I hadn't seen before is StreamArmor, a tool for locating NTFS alternate data streams, that goes beyond your normal "here's an ADS" approach. StreamArmor looks for malicious streams, skipping over "normal" streams so as not to overwhelm the analyst. This has benefits...if you're familiar with how ADSs work. I can see something like this being used when an acquired image is mounted (SmartMount, ImDisk, P2 eXplorer, etc.) and scanned with AV/anti-spyware tools...just hit it with StreamArmor while it's mounted.

Didier Stevens has been posting a lot lately on proofs of concept for getting malware on systems by embedding it into PDF documents. If you didn't already have a reason to search TIF (Temporary Internet Files) and email attachment directories for PDF documents, then reading through his posts should make you realize why you need to make it part of your analysis process.
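To make that search a bit more concrete, here's an added example (mine, not Didier's pdfid or any of his tools) that walks a directory, picks out PDF documents by their header rather than their extension, and tallies the name objects that most often carry active content, decoding #xx escapes so that /J#61vaScript still counts as /JavaScript. The directory layout and the sample files it creates are constructed for the demo.

```python
"""Locate PDF documents by header and count the name objects that usually
mean active content. Added example in the spirit of pdfid; not Didier
Stevens' code. All paths and sample files are constructed."""
import os
import re
import tempfile

# Name objects worth a closer look. /JS and /JavaScript are counted
# separately because either one alone is enough for a script to run.
INTERESTING = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# A PDF name runs from '/' to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()\{\}%]*")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token):
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESC_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), token)


def is_pdf(data):
    """Readers tolerate junk before the header, so look in the first 1 KiB."""
    return b"%PDF-" in data[:1024]


def scan_bytes(data):
    """Return a count of each interesting name object in the document."""
    counts = {k: 0 for k in INTERESTING}
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def scan_directory(root):
    """Walk root and report every file that is a PDF by header, noting
    when the extension says otherwise."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_pdf(data):
                continue
            findings.append({
                "path": path,
                "ext_mismatch": not fname.lower().endswith(".pdf"),
                "counts": scan_bytes(data),
            })
    return findings


def demo():
    """Build a constructed temp directory and return findings keyed by name."""
    samples = {
        # plain document, nothing active
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
        # PDF hiding behind a .tmp extension with an escaped /JavaScript action
        "invoice.tmp": (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                        b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"),
        # .pdf extension but not a PDF at all
        "notes.pdf": b"just text pretending to be a pdf\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(f["path"]): f for f in scan_directory(tmp)}


if __name__ == "__main__":
    for name, finding in demo().items():
        hits = {k: v for k, v in finding["counts"].items() if v}
        print(f"{name}: ext_mismatch={finding['ext_mismatch']} {hits}")
```

Point scan_directory at a mounted image's Temporary Internet Files and mail attachment folders; anything with an extension mismatch or a non-zero /OpenAction plus /JavaScript count goes to the top of the pile for a closer look.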
