I wanted to thank two people in particular for their contributions to the DFIR field during 2014. Both have exemplified the best in information sharing, not just in providing technical content but also in providing content that pushes the field toward better analysis processes.
Corey's most recent blog post continues his research into process hollowing, incorporating what he's found with respect to the Poweliks malware. If you haven't taken a good look at his blog post and incorporated this into your analysis process yet, you should strongly consider doing so very soon.
Maria's post on time stomping was, as always, very insightful. Maria doesn't blog often but when she does, there's always some great content. I was glad to see her extend the rudimentary testing I'd done and blogged about, particularly because very recently, I'd seen an example of what she'd blogged about during an engagement I was working on.
Maria's also been getting a lot of mileage out of her Google cookies presentation, which I saw at the OSDFCon this year. If you haven't looked at the content of her presentation, you really should. In the words of Hamlet, "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy", and I'm sure Maria was saying, "There are more things in a Windows image than are dreamt of in your timeline."
Tying both Corey and Maria's contributions together, I was doing some analysis recently regarding a particular malware variant that wrote its files to one location, copied them to another, time stomped those files, and injected itself into the svchost.exe process. This variant utilized the keystroke logging capability of the malware, and the keystroke log file was re-stomped after each successive update. It was kind of like an early nerd Christmas gift to see what two well respected members of the community had talked about right there, in the wild. In the words of one of my favorite characters, "Fascinating."
The year would not be complete without a huge THANK YOU to the Volatility folks for all they do, from the framework, to the book, to the training class. 2014 saw me not only attending the course, but also receiving a copy of the book.
On the whole, it might be fair to refer to 2014 (maybe just the latter half) as the "Year of the Shellbag Research". Eric Zimmerman (Shellbag Explorer), Willi Ballenthin, Dan Pullega, and Joachim Metz should be recognized for the work they've been putting into analyzing and documenting shellbags. To learn more about what Eric and others have done to further the parsing and analysis of shellbags, be sure to check out David Cowen's Forensic Lunch podcasts (28 Nov, 12 Dec).
Speaking of David Cowen, I still think that TriForce is a great example of the outcome of research in the field of forensic analysis. Seriously. I don't always use things like the USN change journal in my analysis...sometimes, quite simply, it's not applicable...but when I have incorporated it into a timeline (by choice...), the data has proved to be extremely valuable and illuminating.
There are many others who have made significant contributions to the DFIR field over the past year, and I'm sure I'm not going to get to every one of them, but here are a few...
Ken Johnson has updated his file history research.
Basis Technology - Autopsy 3.1
Didier Stevens - FileScanner
Foxton Software - Free Tools
James Habben - Firefox cache and index parsers
Part of what I do puts me in the position of tracking a bad guy's lateral movement between systems, so I'm always interested in seeing what other analysts may be seeing. I ran across a couple of posts on the RSA blog that discussed confirming Remote Desktop Connections (part 1, part 2). I'm glad to see someone use RegRipper, but I was more than a little surprised that other artifacts associated with the use of RDP (either to or from a system) weren't mentioned, such as RemoteConnectionManager Windows Event Log records, and JumpLists (as described in this July, 2013 blog post).
One of the things that I have found...interesting...over time is the number of new sources of artifacts that get added to the Windows operating system with each new iteration. It's pretty fascinating, really, and something that DFIR analysts should really take advantage of, particularly when we no longer have to rely on a single artifact (a login record in the Security Event Log) as an indicator, but can instead look to clusters of artifacts that serve to provide an indication of activity. This is particularly valuable when some of the artifacts within the cluster are not available...the remaining artifacts still serve as reliable indicators.
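To make the "cluster of artifacts" idea concrete, here is a small added example (my illustration, not code from any of the tools or posts mentioned above) that takes already-parsed RDP artifact records from a single system's timeline and groups them by user, peer and direction within a time window. The source labels, event IDs, account names, hosts and timestamps are constructed for the demo; the point is that when one source is missing (a rolled Security log), the remaining artifacts still produce an indicator.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Direction each artifact implies on the system being examined (assumed labels):
# inbound RDP leaves evidence on the destination, outbound RDP on the source.
DIRECTION = {
    "Security:4624/type10": "inbound",         # logon record in the Security Event Log
    "RemoteConnectionManager:1149": "inbound",  # TerminalServices-RemoteConnectionManager/Operational
    "JumpList:mstsc.exe": "outbound",           # AutomaticDestinations entry for the RDP client
    "Registry:TSClient\\Servers": "outbound",   # HKCU\Software\Microsoft\Terminal Server Client\Servers
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def cluster_artifacts(records, window_minutes=10):
    """Group artifacts that point at the same direction, user and peer and fall
    within window_minutes of the previous one. Each cluster lists the distinct
    sources that corroborate the activity."""
    key = lambda r: (DIRECTION[r["src"]], r["user"], r["peer"])
    window = timedelta(minutes=window_minutes)
    clusters = []
    ordered = sorted(records, key=lambda r: (key(r), parse(r["ts"])))
    for (direction, user, peer), group in groupby(ordered, key=key):
        current = None
        for r in group:
            t = parse(r["ts"])
            if current and t - current["last"] <= window:
                current["last"] = t
                current["sources"].add(r["src"])
            else:
                current = {"direction": direction, "user": user, "peer": peer,
                           "first": t, "last": t, "sources": {r["src"]}}
                clusters.append(current)
    return clusters

def is_corroborated(cluster, minimum=2):
    """True when at least `minimum` independent sources support the cluster."""
    return len(cluster["sources"]) >= minimum

# Constructed sample records for one examined host (values are made up)
SAMPLE = [
    # Inbound RDP from 10.0.0.5: both event-log sources present
    {"ts": "2014-12-18 09:00:58", "src": "RemoteConnectionManager:1149", "user": "jdoe", "peer": "10.0.0.5"},
    {"ts": "2014-12-18 09:01:05", "src": "Security:4624/type10", "user": "jdoe", "peer": "10.0.0.5"},
    # Inbound from 10.0.0.77: Security log had rolled, only the RCM record survives
    {"ts": "2014-12-20 22:15:10", "src": "RemoteConnectionManager:1149", "user": "svc_backup", "peer": "10.0.0.77"},
    # Outbound RDP from this host to fileserver01 by the same account
    {"ts": "2014-12-20 22:20:31", "src": "Registry:TSClient\\Servers", "user": "svc_backup", "peer": "fileserver01"},
    {"ts": "2014-12-20 22:20:40", "src": "JumpList:mstsc.exe", "user": "svc_backup", "peer": "fileserver01"},
]
```

Run against the sample, the svc_backup inbound cluster is single-source and flagged as uncorroborated, but it is still on the timeline rather than lost with the rolled Security log.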
Finally, as the year draws to a close, here's an update on the WRA 2/e Contest. To date (in over 2 months) there has been only a single submission. I had hoped that the contest would be much better received (no coding required), but alas, it was not to be the case.