SANS Blog

"ProcDOT - Visual Malware Analysis"

Dear like-minded people, I'm very proud to announce that our (CERT.at - CERT Austria) latest contribution to the malware analysis community is finally available as open beta. It's called ProcDOT - I already gave a preview of the alpha version some months ago at the SANS Forensics Summit in Prague - and it is an absolute must-have tool for everyone's lab, at least in my humble opinion ;-) It correlates Procmon logfiles and PCAPs into an interactively investigable graph. Besides that, ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you quickly find out which server or which requests were responsible for specific data/code getting onto the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ... ProcDOT's approach of correlating Procmon logs and PCAPs into a directed, animatable graph has ...

"Caseleads: South Korea Attack Forensics; Google Glass Brings Discoverable Evidence To Litigation; The Post Data Breach Boom; Fighting Insider Fraudsters"

Mark this date: On March 20th 2013, the non-technical managers may finally start to understand what a digital forensics professional actually does. With the massive cyber attacks on South Korean banks, media outlets, and ISPs, the role of forensicators is put front and center. The attack(s) resulted in widespread ATM outages, online banking and mobile banking offline, and tens of thousands of PCs wiped of all their data. At minimum, non-technical decision makers should finally start to understand that cyber attackers are not targeting "someone else." The attacks in South Korea had an impact on the bottom line of many South Korean firms. Since many of the same strategies for information security and incident response are used by most westernized nations, many experts agree that the attacks in South Korea are a warning sign of what could happen in the United States. We have analytical coverage of the South Korean attacks, with stories and drill downs that go beyond the ...

"Save 15% during \"SANS Online Training Month\" - Favorite #DFIR Courses listed"

Save 15% during "SANS Online Training Month". Receive a 15% discount on all OnDemand courses when you register and pay by April 10, 2013. To take advantage of this offer, enter the following discount code at checkout: 0314_SAVE15. Register for OnDemand. All Currently Available OnDemand Courses Qualify for this Offer: FOR408: Computer Forensic Investigations - Windows In-Depth; FOR508: Advanced Computer Forensic Analysis and Incident Response

"SANS #DFIR Windows Memory Forensics Training (FOR526) – Malware can hide, but it must run."

SANS Windows Memory Forensics Training (FOR526) — Knocks it out of the park! Jesse Kornblum and Alissa Torres just finished up their first official course dedicated to Windows Memory Forensics at the SANS Institute at SANS2013 in Orlando. The course teaches key techniques used by actual practitioners in the field who use it in their jobs daily -- using memory forensics to find evil and doing a great job at it. The key to this course is that, like all SANS training, it is not tool dependent but teaches the fundamentals that each analyst should know when responding to incidents with these skills.

"Cloud Forensics with F-Response"

Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it. Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments. I have used it for everything from remote imaging to fast forensic triage to live memory analysis. F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit. The product is so good, I really wouldn't blame them for just sitting back and counting their money. Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value. Their latest additions are new "Connector" tools: Database, Cloud, and Email. Now is the time to start planning how to acquire forensic copies of all that data your organization is pushing ...

"Installing the REMnux Virtual Appliance for Malware Analysis"

REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. Here is how to install the REMnux virtual appliance using common virtualization tools, such as VMware and VirtualBox, thanks to the Open Virtualization Format (OVF/OVA).

"Digital Forensics Case Leads: New REMnux, Registry tools and more APT1 analysis"

This week in Case Leads we have a great new update to REMnux, two new tools for registry analysis, and be sure to vote for the Forensic 4cast Awards right after you hop over to the new REM community on Stack Exchange. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: REMnux, the Linux distro designed for malware reverse-engineering, has been updated to version 4 and it's now distributed as a VMware virtual appliance, a bootable ISO and as an OVA virtual appliance. An overview of the appliance installation was covered on this blog a couple of days ago, and SANS is hosting a webcast to go over what's new in ...

"Windows Memory Analysis In-Depth - Discount Code = WINDEX = 10% Off #DFIR"

Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions. SANS is offering a 10% discount off the FOR526 course for the following events: Discount Code: WINDEX. Security West 2013 - San Diego, CA - May 9-13 - http://www.sans.org/info/128955

"Encrypted Disk Detector Version 2"

Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link]. Thank you to all that took part in the experiment. Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here]. Survey Results: In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed. Figure 1 provides the survey results, with Check Point Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) SafeGuard rounding out the top three. I think many of us could ...

"Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more..."

This week in Case Leads we have a few software updates and some good reads, along with the LivingSocial site being hacked and the US service academies ramping up efforts to groom new cyber warriors. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: David Kovar has updated his analyzeMFT Python script. It now reports the MFT record correctly and has improved bodyfile support. You can read more about the updates here and download the latest release. Magnet Forensics has updated their Encrypted Disk Detector. They have added more support for other disk encryption products as well as improved support for the disk encryption they already supported. You can read more about it ...

"Automating Static Malware Analysis With MASTIFF"

MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files.

"Case Leads: Zero Day Trading, Decrypting iPhones, Calculating AppIDs for Jumplists and more."

This week in Case Leads we have articles on Zero Day exploit trading and buying hacking tools, requesting Apple to decrypt iPhones, a guide to attending conferences on a budget, calculating AppIDs for jumplists, and a few updated tools. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Oxygen Software has updated its flagship mobile forensic product, Oxygen Forensic Suite 2013, adding the ability to view and analyze aggregated contact information across multiple acquired devices. The new release also includes an enhanced search algorithm, allowing investigators to execute complex searches in the background without slowing down overall performance. You can read ...

"Tools for Examining XOR Obfuscation for Malware Analysis"

There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because it offers sufficient protection and is simple to implement. Here's a look at several tools for deobfuscating XOR-encoded data during static malware analysis.

"SANS EU #DFIR Summit in Prague - Call for Speakers - Now Open"

The 4th annual Forensics and Incident Response Summit EU will take place on October 6-13 in Prague, one of the most historical European cities, in the context of the SANS Forensics Prague conference, the biggest Incident Response and Digital Forensics event in Europe to date. The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event, from attending the Summit to registering for one or more of the post-summit ...

"Digital Forensics Case Leads: First ICS HoneyPot, IEF EnScripts, Android Forensics, Unit 61398 - The APT1 guys, CALEA Act and more... "

In this issue of Case Leads, we will see the first Industrial Control System Honeypot, test some useful IEF EnScripts for EnCase, an article on APT1 hackers resuming their attacks on US targets, what about the CALEA Act, Android Forensics tips and tricks, voice descrambling DIY... Continue reading this week of Case Leads. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Fellows at the Honeynet Project have announced the first version (and first of its kind, I think) of Conpot. Conpot is an Industrial Control System Honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting ICS systems. By default the honeypot will simulate a Siemens SIMATIC S7-200 with a module that is always available in a real setup to provide network connectivity. This ...

"Getting Your First DFIR Job"

Recently, I spoke to students in a computer forensics class who will be graduating in the spring of 2013 about getting a job in computer forensics after school. We covered interview tips as well as performed mock forensic job interviews when I realized there are some pointers that I could share about the process from a hiring manager's perspective to help candidates better prepare for seeking that first position in computer forensics. While many aspects of getting that first job are common in any field, serious computer forensics professionals do have a mindset, attitude and passion that requires a certain approach when a candidate is looking for their first job in the field. Resume/C.V.: Generally a resume is skimmed and reviewed in about 20-30 seconds, which means you need to make sure it is laid out in a way that gets you on the short stack of potential candidates. You want to consider ordering sections by your objectives, education, ...

"Control Panel Forensics: Evidence of Time Manipulation and More…"

The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:
Firewall changes made for unauthorized software (firewall.cpl)
User account additions / modifications (nusrmgr.cpl)
Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
System time changes (timedate.cpl)
Interaction with third-party security software applets
While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As ...

"Windows Memory Analysis In-Depth - Discount Code = WINDEX = 10% Off #DFIR"

Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions. SANS is offering a 10% discount off the FOR526 course for the following events: Discount Code: WINDEX. SANSFIRE 2013 - Washington, DC - June 17-21 - http://www.sans.org/info/128960; Network Security ...

"Sneak Preview: FOR572 on PaulDotCom June 12, 2013"

You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices. Since every device that handles a network communication can provide a unique and valuable "witness's view" of an incident, these skills are critical to conducting a comprehensive investigation. However, with so many sources and formats of evidence, analysis quickly becomes a challenge. Mo' evidence, mo' problems... Although the ...

"2013 Digital Forensics and Incident Response Summit #DFIR in Austin Texas 8-9 July"

The 2013 Digital Forensics & Incident Response Summit & Training, taking place in Austin, TX, is fast approaching. *** SANS is offering a one-time discount for the DFIR Summit & Training to government employees (e.g., federal, state, local, DoD). This offer reduces the Summit registration fee from $1,995 to $795 when purchased in conjunction with a full priced course. The discount is available for a limited time only, on a first come, first served basis. Please register at https://www.sans.org/registration/register.php?conferenceid=30107 with the code DFIRGOV *** There is also a 10% off code DFIR. Why should you attend the DFIR Summit ...