As the world of information technology grows in size and complexity, sectors within the IT industry become more and more specialized. Within IT, information security used to be considered niche. Nowadays, saying that you're an infosec professional positions you as somewhat of a generalist. After all, within the infosec field there are several specialization areas, including compliance, pen testing and application security. Even within the area of digital forensics and incident response, many sub-fields have emerged, as discussed in this post.
"The Many Fields of Digital Forensics and Incident Response"
"FOR526 (Memory Forensics) Course Updates - Live at DFIRCON!"
Alissa Torres and Jake Williams recently updated the material in FOR526 just in time for DFIRCON. Previously, FOR526 focused largely on malware investigations. However, this new revision places new emphasis on misuse/criminal investigations and those investigations where malware may not have been used. We see a lot of those cases now, where by the time we're called to investigate, the attackers are just using VPN creds, no need for malware. Sure, we still cover finding malware, but we find that this revision makes the subject of memory forensics more applicable to a broader range of DFIR professionals.
Is memory forensics a forensics discipline all its own? Not really. You're unlikely to work an entire case using only memory artifacts (although you will learn how). To be a true ...
"APT Memory and Malware Challenge Solution"
APT Memory & Malware Challenge Answers
The memory image contains real APT malware launched against a test system. Your job? Find it.
The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!
If you are interested in learning more about Memory Analysis and how it can help you out in your investigations, read all about the updated and new FOR526: Memory Forensics.
DOWNLOAD LINK ...
"Weekly Computer Forensics Hangouts with David Cowen"
David Cowen's weekly "forensic lunch" video hangouts bring together digital forensics and incident response practitioners. Tune in to join the discussion and catch up on the latest industry happenings.
"Dealing with ASLR When Analyzing Malware on Windows 8.1"
If you're migrating your malware lab from Windows XP, watch out for the forced ASLR feature of the operating system, especially when using Windows 8.1. ASLR is good for security, but it complicates malware analysis efforts. IDA Pro, OllyDbg, UPX and other tools could get confused. Here is how to get around these issues.
"Is OllyDbg Version 2 Ready for Malware Analysis?"
Many malware reverse-engineers consider OllyDbg a valuable part of their toolkit. The latest version 1 release of this powerful debugger has been showing its age. Fortunately, version 2.01 seems to be sufficiently mature to start displacing its predecessor as part of the malware analysis workflow. Here's what you can expect when starting to experiment with OllyDbg version 2.01.
"Tools for Analyzing Static Properties of Suspicious Files on Windows"
Examining the static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such metadata from potentially malicious executables.
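The ASLR post above warns that Windows 8.1 may relocate a sample whether or not it asked to be relocated, and the static-properties post recommends reading header metadata before running anything. The script below is an added example written for this page; it is not taken from either post and is not one of the tools they review. It parses the DOS, COFF, optional and section headers of a PE file and reports the machine type, compile timestamp, subsystem and DllCharacteristics flags (DYNAMIC_BASE is the ASLR opt-in, NX_COMPAT the DEP opt-in), whether relocations are stripped (an image without a relocation table cannot be rebased even by forced ASLR and must load at its ImageBase), and the Shannon entropy of each section, flagging anything above 7.0 bits per byte as likely packed or encrypted, which is what a UPX-packed section looks like. The two-section PE it analyzes is built in build_sample_pe() from constants chosen for this demo, not a real sample; the 7.0 threshold is a common heuristic, not a standard.

```python
"""Static-property triage of a PE file: header fields, ASLR/DEP opt-in, section entropy.
Added example for this page, not one of the reviewed tools. build_sample_pe() constructs
a synthetic two-section PE32 image so the script runs offline."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "windows_gui", 3: "windows_cui"}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics bit
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",                  # image opts in to ASLR
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",                     # image opts in to DEP
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x2000: "WDM_DRIVER",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PACKED_ENTROPY_THRESHOLD = 7.0               # heuristic: compressed/encrypted data looks random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem (+68) and DllCharacteristics (+70) sit at the same offsets in both formats.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(n_sections):             # 40-byte IMAGE_SECTION_HEADER entries
        (name, _vsize, vaddr, raw_size, raw_ptr,
         *_rest) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(ent, 3),
                         "suspicious": ent > PACKED_ENTROPY_THRESHOLD})
    flags = [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "image_base": image_base,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "dll_characteristics": flags,
        # DYNAMIC_BASE means the image asked for ASLR. Forced ASLR can still rebase an image
        # that did not ask, unless its relocations are stripped; then it must load at image_base.
        "aslr_opt_in": "DYNAMIC_BASE" in flags,
        "relocatable": not (file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dep_opt_in": "NX_COMPAT" in flags,
        "sections": sections,
    }


def build_sample_pe(dll_chars: int, file_chars: int = 0x0102) -> bytes:
    """Constructed two-section PE32 image for the demo (not a real sample, not runnable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header at 64
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0x52B6E4D0, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                 # ImageBase
    struct.pack_into("<HH", opt, 68, 2, dll_chars)              # GUI subsystem, DllCharacteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8sIIIIIIHHI", b".data", 512, 0x2000, 512, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rdata).ljust(512, b"\0")
    code = (b"\x55\x8b\xec\x83\xec\x10" * 86)[:512]             # repetitive prologue bytes: low entropy
    blob = bytes(range(256)) * 2                                # every byte value twice: entropy 8.0
    return headers + code + blob


if __name__ == "__main__":
    for sample in (build_sample_pe(0x0140), build_sample_pe(0, file_chars=0x0103)):
        info = parse_pe(sample)
        print(info["machine"], info["compiled"], info["dll_characteristics"],
              "aslr_opt_in=%s relocatable=%s" % (info["aslr_opt_in"], info["relocatable"]))
        for s in info["sections"]:
            print("  %-8s entropy=%.3f suspicious=%s" % (s["name"], s["entropy"], s["suspicious"]))
```

To run it on a real file, call parse_pe(open(path, "rb").read()). Every field here is under the malware author's control (the timestamp especially is routinely forged), so treat the output as triage hints to decide what to look at next, not as facts about the sample.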
"SANS DFIR SUMMIT Agenda and Specials Announcement"
Digital Forensics & Incident Response Summit & Training | AGENDA LINE-UP POSTED!
Pre-Summit Course Dates: June 3-8, 2014
Summit Dates: June 9-10, 2014
Event Information: http://dfir.to/DFIRSummit14
Summit Agenda: http://dfir.to/DFIRSummit14-Agenda
Twitter Hashtag: #DFIRSummit
The Digital Forensics and Incident Response (DFIR) Summit & Training event combines hands-on DFIR classroom training with trending DFIR summit speakers into ONE premier event. One of the few DFIR-only training events on the SANS calendar! Join the most innovative minds in the industry to tackle advanced DFIR issues.
DFIR Summit — AGENDA ANNOUNCED!
Announcing the SANS DFIR Summit 2014 Lineup!
Reverse Engineering Mac Malware ...
"Updates to FOR610 Malware Analysis Course Debuting in April in Orlando"
The SANS FOR610 malware analysis course has been refreshed to incorporate the latest Windows tools for examining malicious software. Starting with the April 2014 event in Orlando, conference students will receive a toolkit based on a pre-built Windows 8.1 virtual machine. This toolkit supplements the Linux-based REMnux virtual machine that has been a staple of malware analysts' arsenal of utilities. The update also introduces several new malware analysis tools, samples and techniques.
"Stream-based Memory Analysis Case Study "
Based on FOR526 Memory Forensics In Depth content
I recently worked an investigation that involved anomalous network traffic occurring inside a customer's network between a handful of workstations and the internal DNS server. I was given memory images collected by the customer from two of the offending systems. Following the memory analysis methodology we teach in FOR526, I was able to "rule out"* malicious code running on these systems. In addition to doing memory structure-based analysis, I parsed the image with a stream-based data carving tool, Bulk Extractor. This impressive free open-source ...
"DFIR Summit Specials -- Till End of March! #dfir #dfirsummit"
Remember, starting March 17, 2014, use these codes:
+ Summit Only Promotion — Summit for $495. Register with code -> SUMMIT
+ Class & Summit Promotion — Summit for $195 with a class. Register with code -> COURSE
Stay connected via Twitter, using hashtag #DFIRsummit, to hear announcements and discussions surrounding the Summit.
Register Now! - http://dfir.to/DFIRSummit14
"SANS SIFT 3.0 Virtual Machine Released"
SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3.0
Download SIFT Workstation VMware Appliance Now - 1.5 GB
SIFT Workstation 3.0 Overview
An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit ...
"Faster SIFT 3.0 Download and Install #DFIR #SIFT3"
Having trouble downloading the new SIFT 3.0? We are experiencing heavy traffic currently. Try the bootstrap install option.
Download and install: http://releases.ubuntu.com/12.04/ubuntu-12.04.4-desktop-amd64.iso
Open a terminal and type:
    wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i -s -y
There will be a couple of times it will ask you a few questions. Easy to answer. Takes about 20 minutes to install from bootstrap. This is the same version that was installed in the VM and will probably be quicker for you to set up.
Finally, this shows off our new packaging manager -- when new releases come out -- when ...
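The one-liner above pipes whatever the server returns straight into sudo sh, so there is no point at which you can read the script, or confirm it is the one the SIFT team published, before it runs as root. The helper below is an added example for this page and is not part of the sift-bootstrap project: it saves the script to disk, checks its SHA-256 against a digest obtained out of band (this page publishes none, so where you get it is an assumption), and only then runs it, under sudo by default. BOOTSTRAP_URL is the address from the post; fetch() is real but is not exercised by the offline demo, which instead uses a constructed three-line script and a tampered copy of it.

```python
"""Added example: stage a remote install script, verify its SHA-256, then run it.
Not part of the SIFT bootstrap project. The expected digest must come from a source
you trust out of band; this page does not provide one."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile
import urllib.request

# URL from the post above. fetch() is not called in the offline demo.
BOOTSTRAP_URL = "https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh"


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers are not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch(url: str, dest: str) -> str:
    """Download to a file rather than a pipe, so the bytes can be inspected before they run."""
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def digest_matches(path: str, expected_hex: str) -> bool:
    """Constant-time comparison of the file's SHA-256 with the expected digest."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def run_verified(path: str, expected_hex: str, args=(), use_sudo: bool = True) -> int:
    """Run `sh path args...` (under sudo by default) only if the digest matches; else refuse."""
    if not digest_matches(path, expected_hex):
        raise RuntimeError("refusing to run %s: SHA-256 does not match the expected digest" % path)
    cmd = (["sudo"] if use_sudo else []) + ["sh", path, *args]
    return subprocess.run(cmd, check=True).returncode


def demo() -> dict:
    """Offline demo on a constructed script: the genuine copy runs, a tampered copy is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "bootstrap.sh")
        with open(good, "w") as f:
            f.write("#!/bin/sh\n# constructed stand-in for the real bootstrap script\nexit 0\n")
        expected = sha256_file(good)      # stands in for the digest you obtained out of band
        bad = os.path.join(tmp, "tampered.sh")
        with open(bad, "w") as f:
            f.write("#!/bin/sh\necho 'an attacker-modified script would run here'\nexit 0\n")
        result = {"good_rc": run_verified(good, expected, use_sudo=False),
                  "tampered_refused": False}
        try:
            run_verified(bad, expected, use_sudo=False)
        except RuntimeError:
            result["tampered_refused"] = True
        return result


if __name__ == "__main__":
    print(demo())
    # Real use: fetch(BOOTSTRAP_URL, "bootstrap.sh"), read it, then
    # run_verified("bootstrap.sh", "<digest from a trusted source>", args=("-i", "-s", "-y"))
```

The digest check only helps if the expected value reaches you over a path the attacker cannot also control (a signed release note, a second channel), and it does not replace reading the script: a verified copy of a script you have not read is still a script you have not read.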
"SANS #DFIR Polo Shirt - Online Ordering"
Now available for online ordering - the SANS DFIR Polo. Up until recently this shirt was only handed out at special events like DFIRCON or the DFIR Summit, but now you can get your very own shirt via the SANS Store. Click here to order one now -> http://dfir.to/DFIRPOLO
"Finding Evil on Windows Systems - SANS DFIR Poster Release"
Adding to our ever-growing number of posters and cheat sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR poster, "Finding Evil", created by SANS instructors Mike Pilkington and Rob Lee. This poster was released with the SANSFIRE 2014 catalog, so you might already have one. If you did not receive a poster with the catalog or would like another copy, here is a way to get one. For a limited time, we have set up a website where anyone can easily order one to use in their hunt to "Find Evil."
Get the "Find Evil Poster" Here
"The Importance of Command and Control Analysis for Incident Response"
Understanding how malicious software implements command and control (C2) is critical to incident response. Malware authors could use C2 to execute commands on the compromised system, obtain the status of the infection, commandeer numerous hosts to form a bot network, etc. This article explains how malware performs C2 functions and clarifies how this information can aid responders in detecting, analyzing, and remediating malware incidents.
"Signature Detection with CrowdResponse"
CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based, making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.
Running YARA Scans
YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of ...
"HeartBleed Links, Simulcast, etc."
At SANS 2014 last night, I gave a quick briefing on the HeartBleed vulnerability that impacts the security of the Internet. I wanted to post a few links in the interim (until the webcast itself is published, which I'm told will be by 3PM EDT).
The slides are available here.
I have built a server in the cloud that exposes the vulnerability. You can access the server at https://heartbleed.csr-group.com until it gets taken down by the hosting provider (which seems inevitable). However, if your management needs to see this in action, please feel free to use the server to demonstrate the vulnerability.
Additionally, I took a packet capture that exposes the vulnerability. This is suitable for testing your IDS signatures against. Hopefully you find this useful as well. The packet capture can be ...
"#FOR526 #MemoryForensics Course - Special Deal for Online Training and Capital City in July"
FOR526 - 10% Off for vLive (Online Live Training) or Capital City in July. Use code = m3mory
"Managing and Exploring Malware Samples with Viper"
Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool.