Monday, November 01, 2010

Thoughts on Analysis, Information Sharing, and Presentations

Since June of this year, I've attended a couple of conferences, not only presenting but also attending several presentations. As with any conference, presentations tend to vary with the background and experience of the author. By experience, I don't so much mean with the experience the author has in the topic they're presenting on, but more so with developing presentations specific to the audience, public speaking, etc.

One of the questions I ask myself when both creating and giving a presentation, as well as attending one, is "how is this immediately valuable and useful to me?" Often times, we attend a presentation that may have some great information, but the question then becomes, okay, but how to I use this? How do I most quickly/immediately turn this information around and use it on a case or examination?

I'm sure that a lot of other folks feel the same way, particularly after having talked about this very subject after a presentation or discussion. I've also seen this enough to add this sort of approach to my books, starting with WFA 2/e and progressing even more so into Windows Registry Forensics. With a lot of what's going on in our community, it's vitally important that analysts be able to get up from a presentation or talk, and be able to put what they've learned in a technical presentation or lab into practice. If that isn't the case...what's the point?

This is critically important when you're talking about analysis techniques, which is particularly where we need to innovate. Data is always going to be data, and it's always going to be there. There's been discussion about triaging systems, due in part to the massive increases in storage and the amount of time it takes to acquire and analyze all of that (especially acquire). So whether you're talking about browser forensics or

Innovation in Analysis
How many folks out there use RegRipper? How about using RegRipper for malware detection or analysis? Seriously.

Bear with me on probably wouldn't occur to most folks to use something like RegRipper for malware detection, looking into an acquired image, or a system accessed via F-Response. However, I (and others) have used this approach time and again to our benefit.

Consider Conficker. Microsoft cites five variants. In each case, when the next variant first came on the scene, the executable file was not detected by most commercial AV tools. However, there were some consistencies across the malware family, including not just artifacts (ie, disabling system functionality) but also in the persistence mechanism.

I had the distinct honor of reviewing on of the chapters for the new book, The Malware Analyst's Cookbook, and in that chapter, the use of RegRipper was discussed. MHL and his co-authors had written several plugins for use in their work (included in the book) and to be honest, they were innovative.

Okay, so you're probably looking at this so far and thinking, yeah, but that's for malware you know about. Okay, sure, I can go with that. But here's the deal...while you may not have seen all malware, or at least a great deal of it, but what are the chances that within a large group or community of forensic and malware analysts, a LOT of malware has been seen and analyzed? Of those, their artifacts and persistence mechanisms will likely have been identified (Zeus, or ZBot falls into this category) and be worthy of a plugin.

Consider malware based on PoisonIvy. Yes, it's polymorphic, which for most of us, is going to mean that AV scanners are going to have minimal effect in detecting this stuff. However, keep in mind the four characteristics of malware...the persistence mechanism is an example of Jesse Kornblum's "rootkit paradox"; in short, most malware will want to run, but will also want to remain persistent. As it turns out, PoisonIvy isn't the only malware that uses the Registry Installed Components as the persistence mechanism.

Institutional Knowledge
How many of us use the institutional knowledge developed on previous cases/engagements on any new analysis that comes in? Most of us are going to raise our hands and say, "I do that all the time."

Now, how many of us make use of the institutional knowledge developed by other analysts, such as other team members?

Tools like RegRipper (and pretty much any tool that has some level of extensibility, including EnCase and ProDiscover) provide for sharing of institutional knowledge, but only insofar as that institutional knowledge is documented.

So What?
I'm sad to say that not all of us will ever see everything, particularly when it comes to IR and digital forensics analysis. For myself, I know that I haven't seen everything...I've seen some things several times, I've been on engagements that never where, but I haven't seen everything. Expand this to include any 5, 10, 50, or 500 analysts you want, and while it may seem that across all of us, we've seen a lot, the question then much of that have we shared with others, or each other.

The issues the community faces are not going away. Increases in things like storage space, sophistication and proliferation of malware and compromises/intrusions, AV scanners becoming less and less of a reliable resource, to name a few. I think that most of us are familiar with these issues. So what do we do about all these?

Ovie's on a roll...don't miss the new CyberSpeak podcast! Ovie has an interview regarding triaging about timely! ;-)


Anonymous said...

Nice post Harlan. I recently made a comment on a list server to a fella that wanted a recommendation the "best scanner" for malware. I recommended "Reg Ripper" for this analysis. Needless to say, this fella was quite confused by my response and shot the idea down to some extent. Poor fella, doesn't realize what he's missing. Keep up the great work.

H. Carvey said...

Was that the CCE list? If it was, I saw the same thing...and I did try to see what had turned the poster off to RegRipper.

Thanks for your comment.

Shanna said...

In my environment, if I'm turning to RegRipper for malware analysis, it's usually a post mortem exam. If the machine is up and I'm trying to clean it, I'm usually working with autoruns/autorunsc and other tools from Sysinternals.

But whatever the tool, I agree that it is incredibly important to understand how malware uses the Registry to gain a foothold and know what signs to look for. If one learns to recognize anomalies, then the techniques you describe *aren't* just for the malware we know about.

From reading forums and such, it's a little surprising to me how many examiners seem to rely solely on some combo of AV scanners to decide if a system is clean.

I just got my copy of the Cookbook last night. It looks like a fun book!

H. Carvey said...



FYI...RegRipper works very well over F-Response.

I'm still waiting on my copy of the Cookbook... ;-(

Anonymous said...

One of the best books I've ever read was The Tao of Network Security Monitoring. It showed how much fun analyzing communication could be. Now The Malware Analyst's Cookbook is doing the same thing for malware. Both books show many free tools and techniques that can be used to detect incidents. I wouldn't be surprised if Windows Registry Forensics was another eye opener for me. :)

H. Carvey said...

...much like WFA 2/e...

Anonymous said...

Was that the CCE list? Byes it was the CCE List.

newinforensics said...

I could not agree more with your comments. Five years ago - it was turn off, image and analyze. Today it's acquire RAM, acquire volatile data, identify key areas to image/acquire and image using F-Response. Wow, keeping up with change :)

Earlier today I was mentioning to a colleague that I tend to START my analysis with RegRipper, and a rough timeline analysis based on the facts provided by the investigator. Both these techniques give me a visual snapshot of what has occurred on the system, and in the end, save me time on my analysis. I've even been known to virtually boot at the start of my investigation (MIP/FTKImager and VFC) to gain the benefit of visualizing the system, programs and their individual settings. I realize this may sound strange to some.

ps...I've heard from at least two attendees who heard Chris P at Sector. Darn, sounds like it was even better than the Forensic Summit in DC :) You're onto something Chris!!

...another anxious reader awaiting his Cookbook.

H. Carvey said...

I'm glad you liked Chris's presentation...have you said that to him?

...another anxious reader awaiting his Cookbook.

Who's? Chris is writing a cookbook?

newinforensics said...
This comment has been removed by the author.
newinforensics said...

Sure person, and in my blog.

Re: Cookbook...I was writing in third person referring to myself..I'm awaiting my copy of Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code from Amazon.