ForSec News Roundup

Final GSD post of the weekend. 

Strategies of a world-class computer security incident response team - Help Net Security - Carson Zimmerman presents “…ten fundamental qualities of an effective CSIRT that cut across elements of people, process, and technology.” Run-time is just over 33 min.

ProcDOT - Visual Malware Analysis - SANS Computer Forensics and Incident Response blog. Christian Wojner introduces it thusly…“It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...” Get it via ProcDOT - CERT.at

From the ProcDOT project page:

Screenshot

Instruction-Media

The User Interface
Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

Over at the ISC Diary blog, Mark Baggett has been posting a great series of articles examining the tug-and-pull between those in IT/Sec who advocate a full OS wipe/reload after a malware infection and those who say “save-time-and-clean-it” by removing the malware infection, but not reimage the system. There still seems to be some kind of mysterious desire by staff to possibly prove what a clever IT person we are by digging an infection out of a system rather than just recovering the user’s data, wiping the system, then restoring it from a clean image and putting the data back. Maybe we all want to be a hero. However, as Mark’s posts show, if not done properly and effectively, the malware may remain persistently hidden but functional and you may be back before you know it (and the rest of your data secrets lifted or network exploited). These posts are a good guide and gut-check for how challenging these threats can play hide-and-seek. Familiarity with these techniques might be your last line of defense if your shop doesn’t have a fast-n-hard policy of recover/wipe/restore remediation.

• Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1 - ISC Diary blog
• Wipe the drive! Stealthy Malware Persistence - Part 2 - ISC Diary blog
• Wipe the drive! Stealthy Malware Persistence - Part 3 - ISC Diary blog
• Wipe the drive! Stealthy Malware Persistence - Part 4 - ISC Diary blog

Tracking Down Persistence Mechanisms - Journey Into Incident Response blog - Not to be outdone, Corey Harrell does a great companion-piece to the ISC Diary blog posts above.  Corey details how he uses Microsoft Autoruns utility in that process.

From one of the comments there, we jump over to Finding Evil: Automating Autoruns Analysis post over in the trustedsignal blog from Dave Hull.

And then in spot-on timing within the ForSec community, Mark Woan at woanware releases a new utility called autorunner. 

“Autorunner is based upon the AutoRuns tool by the Sysinternals/Microsoft gurus. It is designed to perform automated Authenticode.aspx) checking for binaries designed to auto-start on a host. Its primary purpose is to aid forensic investigations.

“…autorunner is designed to work around all of these issues. It will check against all user profiles associated with the host. It will parse out LNK files to the actual binary (one level down). It allows the user to specify multiple drive mappings, so that if the forensic image contains multiple partitions you can map the original drives to mounted drives on the forensic workstation.

“The application should be used against a forensic image that has been mounted using whatever method you desire.”

Securely wiping an SSD - TinyApps blog - Getting back to the drive-wiping thought, this quick-post reminds us of some of the hazards of attempting to sanitize a SSD device. Some might think using a SSD device to hold image captures might be a good idea but if you do, be sure it is one you can truly “zero-out” and sanitize before porting your image over to it! Does anyone use SSD devices yet for that purpose? What other challenges (cost aside) would this present. Are there any benefits to a SSD over a HDD for storing or capturing disk images?

Placing the Suspect Behind the Keyboard – NEW BOOK! - Windows Forensic Environment - Congratulations to Brett Shavers for his new book! It’s been added to my Amazon.com wish-list queue for triggering once my next Amazon.com gift certificate ship comes into port.

Tool Time - The Hacker Factor Blog - A great post in the theme of “know your tools” before you trust the results they provide. One of the gem finds in Dr. Neal Krawetz’s post is his link to the National Institute of Standards and Technologies (NIST) and National Institute of Justice (NIJ) 2012 Computer Forensics Tool Testing Handbook from their computer forensic tool testing program. It’s got 173 pages of goodness to review. The latest publications can be found on this Topical Collection: Computer Forensic Tool Testing Publication Database | National Institute of Justice.

4:mag Issue #1 - Forensic 4cast. A very nice and slick digital publication debuts. This edition covers topics in iOS device/application data & malware, starting out in the digital forensics field, and hard-drive secrets.

The students over at the Champlain College Computer & Digital Forensics department have been busy working on papers addressing Private Browsing. Expect more in this series:

• Private Browsing Forensics: Introduction - (PDF Link) Private Browsing Forensics: Introduction
• Private Browsing Part 2 - (PDF Link) Private Browsing Part 2

RegRipper Ripper (3R) and the list of reg keys covered by RR plugins - hexacorn bog.

RegRipper Consolidation - Windows Incident Response blog. Harlan and crew have been super-busy trying to clean house and tie up some loose ends in the RegRipper landscape. This new effort should help make “one-stop-shopping” and development support for RegRipper and plug-ins much easier. Additionally, Harlan has been working hard on the blog to post additional background information on some of myriad (Cory referred to 280+ in his post) RegRipper plug-ins.

Forensic 4cast Awards 2013 – Meet the Nominees - Forensic 4cast. Voting is now open. You can place your votes here.

Encrypted Disk Detector Version 2 - SANS Computer Forensics and Incident Response blog - Chad Tilbury announces and introduces a new version that is out. Get it here over at Magnet Forensics.

What is "up to date anti-virus software"? - ISC Diary.Great post and great discussions in the comments.

Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more... - SANS Computer Forensics and Incident Response blog

Cheers!

--Claus Valca.