Friday, November 18, 2011

Good Stuff

Geolocation Information
Chad had an excellent post recently regarding geolocation data; besides mobile devices, Windows systems can potentially contain two sources of geolocation information. One is the WiFi MAC addresses that you can retrieve from the Registry...once you do, you can use tools like to plot the location of the WAP on a map. Second, some users back up their smartphones to their desktop using iTunes or the BlackBerry Desktop, and you may be able to pull geolocation information from these backups, as well. Check out the FOSS page for some tools that may help you extract that information.
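For the Registry side of this, here is an added example (not code from the original post, nor from any of the tools it links to) that decodes the pieces an analyst actually needs: the gateway/WAP MAC from each NetworkList signature and the first/last connection times from the matching profile. It assumes the Windows 7 value layout under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Profiles\{GUID} and Signatures\Unmanaged\<hash>), that the timestamps are SYSTEMTIME structures in the system's local time, and the conventional NameType interpretation; all sample data is constructed.

```python
"""Decode the NetworkList artifacts that tie a Windows 7 system to a WAP.

Added example for this post, not code from the original post or from any
tool it mentions.  It assumes the Windows 7 value layout under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID}
(ProfileName, NameType, DateCreated, DateLastConnected) and
...\\NetworkList\\Signatures\\Unmanaged\\<hash> (ProfileGuid, DnsSuffix,
DefaultGatewayMac).  All sample data below is constructed.
"""
import struct
from datetime import datetime

# NameType as conventionally interpreted by forensic tools (assumption).
NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def parse_systemtime(blob: bytes) -> datetime:
    """DateCreated/DateLastConnected are 16-byte SYSTEMTIME structures:
    eight little-endian WORDs (year, month, day-of-week, day, hour, minute,
    second, milliseconds), recorded in the system's local time (assumption)."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, dow, day, hour, minute, second, millis = struct.unpack("<8H", blob)
    when = datetime(year, month, day, hour, minute, second, millis * 1000)
    # SYSTEMTIME counts Sunday as 0, Python's weekday() counts Monday as 0;
    # a mismatch means the blob is not really a SYSTEMTIME.
    if dow != (when.weekday() + 1) % 7:
        raise ValueError("day-of-week field does not match the date")
    return when


def format_mac(blob: bytes) -> str:
    """DefaultGatewayMac is the raw 6-byte MAC of the gateway/WAP."""
    if len(blob) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(blob)}")
    return ":".join(f"{b:02X}" for b in blob)


def build_network_timeline(profiles: dict, signatures: list) -> list:
    """Join each Signatures\\Unmanaged entry to its profile through
    ProfileGuid and return one record per network, oldest last-connection
    first.  The gateway MAC is what a WAP-geolocation lookup needs."""
    records = []
    for sig in signatures:
        prof = profiles.get(sig["ProfileGuid"])
        if prof is None:
            continue  # orphaned signature: note it, but nothing to geolocate
        name_type = prof["NameType"]
        records.append({
            "name": prof["ProfileName"],
            "type": NAME_TYPES.get(name_type, f"unknown(0x{name_type:02x})"),
            "gateway_mac": format_mac(sig["DefaultGatewayMac"]),
            "dns_suffix": sig.get("DnsSuffix", ""),
            "first_seen": parse_systemtime(prof["DateCreated"]),
            "last_seen": parse_systemtime(prof["DateLastConnected"]),
        })
    records.sort(key=lambda r: r["last_seen"])
    return records


def _systemtime(*fields: int) -> bytes:
    """Pack constructed sample timestamps the way the Registry stores them."""
    return struct.pack("<8H", *fields)


# Constructed sample data mimicking the two key trees (not from a real system).
SAMPLE_PROFILES = {
    "{11111111-1111-1111-1111-111111111111}": {
        "ProfileName": "CoffeeShopWiFi",
        "NameType": 0x47,
        "DateCreated": _systemtime(2011, 11, 2, 1, 9, 5, 0, 0),          # Tue 2011-11-01 09:05
        "DateLastConnected": _systemtime(2011, 11, 5, 18, 14, 22, 5, 0),  # Fri 2011-11-18 14:22:05
    },
    "{22222222-2222-2222-2222-222222222222}": {
        "ProfileName": "corp.example",
        "NameType": 0x06,
        "DateCreated": _systemtime(2011, 10, 1, 3, 8, 0, 0, 0),           # Mon 2011-10-03 08:00
        "DateLastConnected": _systemtime(2011, 11, 4, 17, 17, 45, 0, 0),  # Thu 2011-11-17 17:45
    },
}
SAMPLE_SIGNATURES = [
    {"ProfileGuid": "{11111111-1111-1111-1111-111111111111}",
     "DnsSuffix": "<none>",
     "DefaultGatewayMac": bytes.fromhex("001a2b3c4d5e")},
    {"ProfileGuid": "{22222222-2222-2222-2222-222222222222}",
     "DnsSuffix": "corp.example",
     "DefaultGatewayMac": bytes.fromhex("00aabbccddee")},
]

if __name__ == "__main__":
    for rec in build_network_timeline(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(f"{rec['last_seen']:%Y-%m-%d %H:%M:%S}  {rec['type']:<9} "
              f"{rec['gateway_mac']}  {rec['name']}")
```

On a real case the two dictionaries come from the SOFTWARE hive (live or offline); the day-of-week check in parse_systemtime is there so a value that merely happens to be 16 bytes long is not silently turned into a timestamp. Only the wireless records' gateway MACs are worth submitting to a WAP-location service; a wired gateway MAC tells you about a switch, not a place.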

Like most analysts, I like to see or hear what other analysts are seeing, and how they're addressing what they're seeing.

Ryan Washington's CyberJungle interview (episode 238) - Ryan was interviewed about his PFIC 2011 presentation about how forensicators can discover artifacts of anti-forensic attempts.  As with his presentation, Ryan discusses not just hiding from the user, but also how even seasoned pen testers leave tracks on systems, often when they try very hard to be stealthy.

I remember a discussion I had with members of the IBM ISS X-Force a while ago regarding an Excel exploit that allowed them access to a system. I asked about artifacts, and was told that there were none. I asked explicitly: if the exploit included sending a malicious Excel file and having the user open it, wouldn't the Excel spreadsheet itself be an "artifact"? After all, many a forensicator has nailed down a phishing attack by locating the malicious PDF file in the email attachment archive.

Interestingly, Ryan also mentions digital "pocket litter", which isn't something that many folks who try to hide their activities are really aware of...

Chris Pogue's Pauldotcom interview - episode 267, starting about 56:33 into the video. Chris talks about Sniper Forensics: what it means, where we are now, and where we need to go, all with respect to DFIR. Chris also references some of the same topics that Ryan discussed, and in some cases goes into much more technical detail (re: discussion of MFT attributes). Chris talks about some of the things that he and his team have seen, including MBR infectors, and memory analysis.

Another cool thing about the interview is that you get to see Chris's office, and hear his cell phone ring tone!

1 comment:

Anonymous said...

I was just thinking today about the same thing Ryan Washington seems to be talking about.

The choice of evading one method of detection usually opens them up to another method of detection, whether it's overlapping fragments to evade an IDS, packing malware to evade AV software, putting DLLs in the Windows/Fonts folder with a .fon file extension, unlinking a process from the doubly linked list, etc.

It's like playing a game of Whack-A-Mole. As soon as they evade one form of detection, they have to deal with another. Their evasion is only effective until someone looks at the right data in the right way, at which point they stick out like a sore thumb.
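The commenter's Fonts-folder example is a good illustration of "looking at the right data in the right way". A genuine .fon file is a 16-bit New Executable (NE) resource module, so a .fon whose MZ header points at a PE header, let alone one carrying the DLL characteristic, is exactly the sore thumb the comment describes. The following is an added example, not code from the post or its commenter; it parses only the DOS/COFF headers, and the sample headers it checks itself against are constructed.

```python
"""Flag PE images hiding in a fonts folder under a .fon extension.

Added example for this post's comment thread, not code from the post or its
commenter.  Genuine .fon files are 16-bit New Executable (NE) resource
modules, so a .fon whose header is a 32/64-bit PE, and especially one with
the IMAGE_FILE_DLL characteristic set, does not belong there.  The sample
headers below are constructed, not taken from real files.
"""
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL


def classify_font_file(data: bytes) -> str:
    """Return what the MZ header actually points at: 'ne-font' (expected),
    'pe-dll' / 'pe-exe' (suspicious), 'not-mz', 'truncated' or 'unknown'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the new header
    if e_lfanew + 4 > len(data):
        return "truncated"
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return "ne-font"
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        # The COFF file header follows the 4-byte signature; Characteristics
        # is its last WORD, 18 bytes in (Machine 2, NumberOfSections 2,
        # TimeDateStamp 4, PointerToSymbolTable 4, NumberOfSymbols 4,
        # SizeOfOptionalHeader 2).
        if e_lfanew + 24 > len(data):
            return "truncated"
        (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
        return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
    return "unknown"


def scan_font_dir(folder) -> list:
    """Classify every *.fon under `folder` (e.g. C:\\Windows\\Fonts) and
    return (path, verdict) pairs for the ones that are not NE font modules."""
    findings = []
    for path in Path(folder).rglob("*.fon"):
        with open(path, "rb") as fh:
            verdict = classify_font_file(fh.read(4096))  # headers fit in the first page
        if verdict != "ne-font":
            findings.append((str(path), verdict))
    return findings


def _mz_stub(e_lfanew: int) -> bytearray:
    """Minimal DOS header: 'MZ' magic plus e_lfanew at offset 0x3C."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    return stub


def _coff_header(characteristics: int) -> bytes:
    """Constructed 20-byte COFF header for an i386 image with one section."""
    return struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)


# Constructed samples: a legitimate-looking NE font module, a PE DLL renamed
# to .fon, and a PE EXE renamed to .fon.  None is a complete image; only the
# headers matter for this check.
SAMPLE_NE_FON = bytes(_mz_stub(0x40) + b"NE" + bytes(62))
SAMPLE_PE_DLL_AS_FON = bytes(
    _mz_stub(0x40) + b"PE\x00\x00" + _coff_header(0x0002 | 0x0100 | IMAGE_FILE_DLL))
SAMPLE_PE_EXE_AS_FON = bytes(
    _mz_stub(0x40) + b"PE\x00\x00" + _coff_header(0x0002 | 0x0100))

if __name__ == "__main__":
    import sys
    for found in scan_font_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious:", *found)
```

The verdict is deliberately structural rather than signature-based: it does not matter what the DLL is packed with or what it is named, because the loader still needs a PE header to use it, and that header is what gives it away once someone bothers to look.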