Bios Password


Sunday, April 28, 2013

ForSec News Roundup

Posted on 4:04 PM by Unknown

Final GSD post of the weekend. 

Strategies of a world-class computer security incident response team - Help Net Security - Carson Zimmerman presents “…ten fundamental qualities of an effective CSIRT that cut across elements of people, process, and technology.” Run-time is just over 33 min.

ProcDOT - Visual Malware Analysis - SANS Computer Forensics and Incident Response blog. Christian Wojner introduces it thusly…“It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...” Get it via ProcDOT - CERT.at

From the ProcDOT project page:


Instruction-Media

Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

Over at the ISC Diary blog, Mark Baggett has been posting a great series of articles examining the tug-and-pull between those in IT/Sec who advocate a full OS wipe/reload after a malware infection and those who say “save time and clean it” by removing the malware infection but not reimaging the system. There still seems to be some mysterious desire among staff to prove what clever IT people we are by digging an infection out of a system rather than just recovering the user’s data, wiping the system, restoring it from a clean image and putting the data back. Maybe we all want to be a hero. However, as Mark’s posts show, if the cleanup is not done properly and effectively, the malware may remain persistently hidden but functional, and you may be back before you know it (with the rest of your data secrets lifted or your network exploited). These posts are a good guide and gut-check for how well these threats can play hide-and-seek. Familiarity with these techniques might be your last line of defense if your shop doesn’t have a fast-n-hard policy of recover/wipe/restore remediation.

  • Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1 - ISC Diary blog
  • Wipe the drive! Stealthy Malware Persistence - Part 2 - ISC Diary blog
  • Wipe the drive! Stealthy Malware Persistence - Part 3 - ISC Diary blog
  • Wipe the drive! Stealthy Malware Persistence - Part 4 - ISC Diary blog

Tracking Down Persistence Mechanisms - Journey Into Incident Response blog - Not to be outdone, Corey Harrell does a great companion-piece to the ISC Diary blog posts above. Corey details how he uses the Microsoft Autoruns utility in that process.

From one of the comments there, we jump over to Finding Evil: Automating Autoruns Analysis post over in the trustedsignal blog from Dave Hull.

And then in spot-on timing within the ForSec community, Mark Woan at woanware releases a new utility called autorunner. 

“Autorunner is based upon the AutoRuns tool by the Sysinternals/Microsoft gurus. It is designed to perform automated Authenticode checking for binaries designed to auto-start on a host. Its primary purpose is to aid forensic investigations.

“…autorunner is designed to work around all of these issues. It will check against all user profiles associated with the host. It will parse out LNK files to the actual binary (one level down). It allows the user to specify multiple drive mappings, so that if the forensic image contains multiple partitions you can map the original drives to mounted drives on the forensic workstation.

“The application should be used against a forensic image that has been mounted using whatever method you desire.”
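As an added illustration of the Authenticode check described above (my own PowerShell, not autorunner’s code, and run against the live host rather than a mounted image), this enumerates the Run/RunOnce entries for HKLM and every loaded user hive, follows one level of .lnk indirection, and flags every target whose signature is not Valid:

```powershell
# Added example, not part of the autorunner tool: report Authenticode status of
# Run/RunOnce auto-start binaries for HKLM and every loaded user hive.
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')

# HKLM plus each user hive currently loaded under HKEY_USERS
$hives = @('Registry::HKEY_LOCAL_MACHINE') +
         (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $_.PSPath })

$shell = New-Object -ComObject WScript.Shell

function Resolve-AutostartTarget([string]$value) {
    # Expand %VAR% references, then strip surrounding quotes or trailing arguments
    $exe = [Environment]::ExpandEnvironmentVariables($value.Trim())
    $close = $exe.IndexOf('"', 1)
    if ($exe.StartsWith('"') -and $close -gt 1) { $exe = $exe.Substring(1, $close - 1) }
    else { $exe = ($exe -split '\s+')[0] }
    # Follow a single level of .lnk indirection to the real binary
    if ($exe -like '*.lnk' -and (Test-Path -LiteralPath $exe)) {
        $exe = $shell.CreateShortcut($exe).TargetPath
    }
    return $exe
}

$results = foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        if ($null -eq $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $target = Resolve-AutostartTarget $props.$name
            $status = if ($target -and (Test-Path -LiteralPath $target)) {
                (Get-AuthenticodeSignature -FilePath $target).Status
            } else { 'FileMissing' }
            [PSCustomObject]@{ Hive = $hive; Key = $key; Entry = $name
                               Target = $target; Signature = $status }
        }
    }
}

# Anything other than Valid (NotSigned, HashMismatch, FileMissing, ...) deserves a closer look
$results | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Only profiles whose hives are loaded appear under HKEY_USERS, which is exactly the gap the quoted text says autorunner closes by walking every profile on a mounted image.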

Securely wiping an SSD - TinyApps blog - Getting back to the drive-wiping thought, this quick-post reminds us of some of the hazards of attempting to sanitize a SSD device. Some might think using a SSD device to hold image captures might be a good idea but if you do, be sure it is one you can truly “zero-out” and sanitize before porting your image over to it! Does anyone use SSD devices yet for that purpose? What other challenges (cost aside) would this present. Are there any benefits to a SSD over a HDD for storing or capturing disk images?

Placing the Suspect Behind the Keyboard – NEW BOOK! - Windows Forensic Environment - Congratulations to Brett Shavers for his new book! It’s been added to my Amazon.com wish-list queue for triggering once my next Amazon.com gift certificate ship comes into port.

Tool Time - The Hacker Factor Blog - A great post in the theme of “know your tools” before you trust the results they provide. One of the gem finds in Dr. Neal Krawetz’s post is his link to the National Institute of Standards and Technology (NIST) and National Institute of Justice (NIJ) 2012 Computer Forensics Tool Testing Handbook from their computer forensic tool testing program. It’s got 173 pages of goodness to review. The latest publications can be found on this Topical Collection: Computer Forensic Tool Testing Publication Database | National Institute of Justice.

4:mag Issue #1 - Forensic 4cast. A very nice and slick digital publication debuts. This edition covers topics in iOS device/application data & malware, starting out in the digital forensics field, and hard-drive secrets.

The students over at the Champlain College Computer & Digital Forensics department have been busy working on papers addressing Private Browsing. Expect more in this series:

  • Private Browsing Forensics: Introduction - (PDF Link) Private Browsing Forensics: Introduction
  • Private Browsing Part 2 - (PDF Link) Private Browsing Part 2

RegRipper Ripper (3R) and the list of reg keys covered by RR plugins - hexacorn blog.

RegRipper Consolidation - Windows Incident Response blog. Harlan and crew have been super-busy trying to clean house and tie up some loose ends in the RegRipper landscape. This new effort should help make “one-stop shopping” and development support for RegRipper and plug-ins much easier. Additionally, Harlan has been working hard on the blog to post additional background information on some of the myriad (Cory referred to 280+ in his post) RegRipper plug-ins.

Forensic 4cast Awards 2013 – Meet the Nominees - Forensic 4cast. Voting is now open. You can place your votes here.

Encrypted Disk Detector Version 2 - SANS Computer Forensics and Incident Response blog - Chad Tilbury announces and introduces a new version that is out. Get it here over at Magnet Forensics.

What is "up to date anti-virus software"? - ISC Diary. Great post and great discussions in the comments.

Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more... - SANS Computer Forensics and Incident Response blog

Cheers!

--Claus Valca.
