Saturday, March 15, 2014

Presenting DFIR, Shakespeare Style - DFIR Summit 2014

I have been given the opportunity to speak at the SANS DFIR Summit in Austin this year, on a topic that I think is very important.  That is, whether there is value in focusing on one discipline within the DFIR realm - not only from a skillset perspective, but also during investigations.

You can read more about the Summit on the SANS website, but here's a quick overview of my talk (titled To Silo, or Not to Silo: That is The Question):

Have you ever heard someone say they do network forensics and don't need a host computer to know what happened (or vice versa)? Or an incident handler analyzing RAM make a comment about disk imaging being unnecessary and outdated? Unfortunately, these types of mindsets are problematic because they are limiting - to the investigator, to the evidence, and to our profession.

These limitations show themselves through incomplete analysis and inaccurate conclusions. If the limitation is real, tangible – for instance if firewall logs are the only available evidence – then we make the most of what we have. Otherwise, incident response should be based on all of the information available to us as investigators – firewall logs, packet captures, system alerts, RAM, filesystems, malicious executables, and so forth. If these are available, but are ignored or overlooked, analysts are missing out on potentially valuable information. When that happens, the conclusions drawn and recommendations made will be incomplete or just plain wrong. In the words of Hamlet, "Ay, there's the rub."

In this presentation, the audience will be taken through several different real-world scenarios dealing with potentially infected systems, where pieces of evidence are available from some of our "competing" disciplines. Background on each system will be given, to include how it showed up on the radar as potentially compromised; again, this stresses the point that we don't know what happened until we examine all of the available evidence. With each system, different types of evidence or DFIR disciplines are available to help with analysis; these examples will show how each - by itself - falls short in painting the full picture of what happened, and will illustrate our inability to draw concrete conclusions without all the pieces of the puzzle.  Without being exhaustive, this presentation will demonstrate the importance of having knowledge, skills, and abilities in multiple DFIR disciplines, and how looking for additional evidence sources can help us perform more accurate analysis and reach more accurate conclusions.

PS:  SANS has a $1000 discount when using the code "SUMMIT" - this is available from March 17th - March 31st.  More info available here.

Monday, December 23, 2013

Check Your Hash at the Door

A friend recently asked if I would post about using md5deep; he was trying to figure out how to use it to compare against the NSRL hash library and was having some difficulties.  Well, maybe it's stretching to say he asked if I would.  He asked for some help in figuring it out, and at the end of it all, I offered to post some stuff; he said it might be useful.  So if I put a PR spin on it, I was specifically asked, because of my great and wondrous knowledge.  How's that?  :)


Oh, and if you're wondering at my use of the term "friend," you can always substitute "person who pretends not to hate me as much as others do" if that makes you feel better.  I know some of you don't think it's possible that I actually have friends, so I feel I have to give you a way out...

Anyhow, to be honest, I've not ever used md5deep for that specific purpose.  I've always used something like FTK or EnCase.  I know, I know, don't be hatin'.  I do a lot with command line tools, and prefer them in many - if not most - cases, but there are some instances where (completely dependent on the scenario), a GUI is just easier and/or the better option.  And for what I've done with the NSRL hash libraries, those tools were what was called for (there was more than just deNISTing at hand).  

That said, the way I've used md5deep should still accommodate comparing against the NSRL hashes, with just a little bit of tweaking.  I've always used it to compare and verify files being copied from various data sources (typically network shares), when using a copy application that couldn't do so.  So in that scenario, it works out something like this:

We want recursion, possibly a progress/status indicator, and an output file that can be used as the input file for hash comparison.

Hash the source like:

user> md5deep -re "g:\loose_PST_files" > f:\psthash.txt

Hash the destination (and compare to hash of source):

user> md5deep -renx f:\psthash.txt "f:\loose_PST_files" > f:\psterrorhash.txt

This breaks down as follows:
    -r = recursion
    -e = progress/status
    -n = displays names of files not matching the input file
    -x = negative hash matching; reports files not in the input file 
    g:  is the mapped or local source drive
    f:  is the destination drive
  
Order for source is:  > # the flags have to be combined together (ie, -re) or it errors.  It will automatically output to stdout, so we have to redirect to logfile; this gives filename and hash value only (other format cannot be read properly for use as input file).

Order for destination is:  >   # the error log immediately follows the flag as the first variable; this is read and compared against the hashes of the destination.  Any errors in the comparison (whether the file is there but shouldn't be, or isn't there but should be) will output to the error log.  The size of the log should be 0 KB when all is done, and (obviously) empty - thus showing there were no errors/mismatches. 

These were notes I made in the past, and I think were most recently updated with version 3.4.  The tool is now on 4.3, so I don't know if the following has changed, but ... as noted above, the md5deep comparison (input) file had to have hash value and filename only, or could not be properly read.  I couldn't find anything in the documentation to say one way or the other, but it's possible that the NSRL lists might be problematic, even though md5deep is only looking at the hash and not the filename/location.  I did have occasion recently to verify the integrity of some evidence migrated to new storage, and ran md5deep in the manner above; it worked great.  The only thing I'll note is that if you do want the progress indicator, it WILL slow down the process; use with discretion.  You have been warned.

There were a couple posts related to using NSRLSrvr and NSRLLookup that showed up on the radar.  The first I passed along, and the second my friend found on his own; apparently it was helpful.  I don't know the first author, but Patrick puts out some good stuff on Sysforensics.  If you don't keep tabs on his blog, you should.  So without further ado, here they are, and they should work just fine to use md5deep to compare against NSRL.



And this wouldn't be complete if I didn't mention the NSRLookup service from Kyrus Tech:

Have fun and happy hunting (or, uh, happy hashing)!

Monday, December 16, 2013

What's Hash Got To Do With It? (Part 2)


Just a quick follow-up to yesterday's post, as promised.  I decided to do it as a new post rather than an edit/update, figuring it would be easier to track this way.  Not much to it, just a little more info to round things out.

First, I got my hands on the infected PC today, pulled the hard drive, and extracted some files.  I wasn't able get RAM, but I do have hiberfil and pagefile to work with, along with the user profile and registry hives, but that's not the point here.  (I will note, however, that unless I can find evidence of the malware's activities in hiberfil or pagefile, I'm still - to an extent - surmising how it spawned msiexec.exe in the first place.)  I found three separate executables under the user profile, as created by msiexec.exe.  I copied them off into a separate directory and used md5deep to hash the files, so that I could look for them on VT or Malwr.com as well (there, now this is a post about md5deep too!).  Here's what I ended up with (my own formatting):

26e57bde90b43cf6dae6fd5731954c61msevaxlgn.exe  
26e57bde90b43cf6dae6fd5731954c61mssuhin.exe
26e57bde90b43cf6dae6fd5731954c61msyaam.exe

Did you notice that?  All hashed the same.  Okay, maybe that's expected, or not too unexpected at least.  But did anyone note the hash value from yesterday, for the initial executable (from inside the zip)?  Well, in case not, here it is again (in the same format):

26e57bde90b43cf6dae6fd5731954c61order_jd4320480293.exe

See that?  Yes, that's right - another md5 match, and I doubt it's due to collisions.  :-)  So basically, the original malware spawns msiexec.exe, creates a new executable(s) that is (or are) identical to the original (except for the name); the original is deleted, and the show goes on.  I don't know about you, but that's not what I commonly see from malware.

Now for a few more tidbits...

A little header info from a network capture:
POST /se/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Content-Length: 74
Host: finley.su

IP Addresses, as seen by the C2 blocking device:


Now, I mentioned before that there was a .ru TLD involved, and here that is:



Haven't looked at that traffic yet, and it never made it to the device that blocked the C2 traffic, as it had already been blocked for other reasons.  And of course, until I examine the pcaps, I won't know what that traffic was (still might not - since it was blocked, it will be a one-side conversation).

Last of all, a screenshot of the offending email (note some inconsistencies outlined in red):


SupportAmazonyu?  AmazonStoreIdecoa?  I could get it with "Amazon," but what's with the other stuff?  And the order numbers don't match up anywhere.  And finally, it says, "Well let ..." rather than "We'll let ..."

Well, I guess you can't patch users!  At least not without regression testing first.  ;-)

I think that's it for now; if I do come up with anything else that looks interesting or useful, I'll post another update.  Aside from that, I told a friend I'd post about some specific uses for md5deep; we'll see how that works out, but hopefully it will be coming soon.

Happy Hunting!


Sunday, December 15, 2013

What's Hash Got To Do With It?

Well, because that's how we're going to kick off this little story.  Without further ado, here ya go:  26E57BDE90B43CF6DAE6FD5731954C61

Before we go too far into that, however, I need to take a step back.  It's been a long time since my last post.  Too long indeed (my job makes it difficult, to say the least), so let's not dwell on that, shall we?  With that out of the way, I'll give just a quick back story on the above-referenced md5 hash value.  Last week, on Wednesday and Thursday, I came across this malicious gem.  Well, I think it was the same both times.  From a network perspective, it was behaving the same - reaching out to the same C2 channels, attempting to post the same type of encrypted data (based on format, appearance of cipher-text, etc.).  However, as it turns out there wasn't an appropriate endpoint sensor on the first box, to be able to pull back more relevant info.

That fact is important as we go on - that unless you have evidence across different DFIR disciplines (host and network, with all their subsets), you really can't say for certain what is occurring.  You can postulate, and may very well be correct, but without RAM, RE, timeline and other host data, and various points of NSM (network security monitoring) such as FW logs, IDS/IPS, netflow, you're left at least somewhat in the dark.  Anyhow, from a network perspective, these two appeared to be the same, and fortunately there was an endpoint sensor on the second box; I got to have some fun, and thought I'd share.

As it turns out, the infections originated not from some stealthy drive-by or infected website, but via an executable inside a zip file sent along with an "Amazon" email to personal email accounts.  In the case of the second one, the user had received two previous ones that were ignored and deleted; the third was just too much and curiosity won out.  User opens zip file.  Oops #1.  User double-clicks executable.  Oops #2.  At that point it's all over but the tears, and the malware has its fun.  The positive side was that - finally - I got to have some fun too!

Now, I didn't know all that at first.  All I knew was that C2 traffic to finley.su had been blocked.  That was the same domain as the previous day, so my interest was piqued.  The system that blocked didn't have any info about the malware, just knew that the traffic was bad, so that was no help.  I went in to my sensor logs from that box, and found the application reaching out to finley.su was msiexec.exe, from the c:\windows\system32 directory.  Ooh, now that's not right.  The parent process for msiexec.exe was order_jd4320480293.exe.  Now that's not good either.  And it was running from inside a zip under the user's temp directory, with a parent of explorer.exe.  Alright, that's not unexpected, especially at this point.

I was able to pull a copy of the binary for order_jd4320480293.exe that the sensor had pushed to my analysis server, and saw that it had 9 hits by hash on Virus Total, so I went to check that out.  There were indeed 9 engines that detected it; one from the 11th, and eight from the 12th.  Most had generic names as yet; the most relevant one appeared to be from McAfee, which had it as a ZBot variant.  Searching on that lead me to Malwr.com, where the binary had apparently been uploaded and analyzed already.  As a side note, the next morning VT had 14 detections, and is now up to 23 (What's funny is that some of the vendors I submitted a sample to, now say they detected it back then.  Hmm, really?).  Since there's some RE type info on VT and Malwr, I won't try to go into that; I'll give you some reference links to go enjoy that.  I will, however, give a quick rundown of what I saw.  I will probably come back and add some IP addresses for the finley.su domain, as well as a .ru TLD I saw from the endpoint, so watch for an update.

So here's the quick high-level rundown:
*  User downloads zip from fake Amazon email, opens, and runs order_jd4320480293.exe
*  Malware executes, and order_jd4320480293.exe spawns (loads) msiexec.exe from c:\windows\system32 as a child process 
*  Child process msiexec.exe creates a new executable under the user profile, named (one example) msyaam.exe or msevaxlgn.exe (another example)
*  Child process msiexec.exe adds a runkey for the new executable, in the user hive, under Software\Microsoft\WindowsNT\Current Version\Load
*  Child process msiexec.exe deletes original executable, order_jd4320480293.exe

Along in there somewhere, msiexec.exe packages up some data (probably credentials), encrypts, and tries to ship it out to remote servers.  Unsuccessfully.  Defense in depth... ;-)

Well, that's it for now.  Given the info available elsewhere about this malware, I probably won't post anything about its actions on the system, unless I see a very different  approach take place.  But I will look to post some IPs and perhaps some other tidbits that might be helpful from an IOC perspective.  Other than that, here are some links:


Happy Hunting!

Sunday, March 3, 2013

Getting Your Feet Wet / Joining the Conversation

Well, I've been "working" on this post for quite some time now, and just haven't ever wrapped it up.  Bah.  To show how long I've been "working" on it, I came up with the idea before Richard Bejtlich posted on the Mandiant blog about InfoSec career building and before Chris Pogue posted about his job change (and where he hinted at the possibility of a "Sniper Forensics" book - bring it, Chris!), or about careers (his 2nd post on this topic).

Part of this comes from a comment that Hal Pomeranz made a while back.  He said (general paraphrase) that there's no better use for social media than to help others.  In context, he was talking about InfoSec jobs.  Hal's a guy that I highly respect, and since I've witnessed - first hand - his willingness to put his money where his mouth is (so to speak) in this area, I take it to heart.  By the way, he has an excellent series on working for yourself over on his blog (keyword: consulting).

A number of great folks have posted career-focused info, including those above, and it's more recently entered my radar as I'm in more of a position to help others.  I don't have the "street creds" they do, but I wanted to offer up a few things I've put together.  As I moved late last year into managing our InfoSec group, as well as heading up the IR team, I've had the opportunity to mentor a couple of newcomers to our field, and I put this together in part for them, to give them some additional resources.  I highly agree with what others have said, that putting yourself out there is important - blogging, tweeting, mailing lists - just talking and sharing with others.  I won't go into that in any depth, as I think it's been very well-covered elsewhere; I'll just re-emphasize that it's important.  I've seen it myself, where potential employers check out blogs, activity on email lists, and so on; it definitely makes a difference, because hiring someone in this field revolves around having confidence that they KNOW what they're doing, and can DO the work.

So with that said, if you're new to InfoSec (security, forensics, incident response, auditing, etc) here are some resources that can help you start to get more comfortable and plugged in to the community.  And it IS a community, more so than many other fields I've seen. 

Mailing lists:
Dragon News Bytes
PaulDotCom
Win4n6

Websites:
DFIR Online - this is an excellent resource, and also hosts the monthly "DFIR Online"
PaulDotCom - yes, it's showing up again  :-)
SecurityFocus
Darknet
CommandLineKungFu – this is just awesome and hilarious too
HolisticInfoSec - Russ has some great tool writeups
KrebsOnSecurity - Great resource on cybercrime
Team Cymru
US Cert
SANS Reading Room
Internet Storm Center
Jesse Kornblum
Lenny Zeltser
SANS Computer Forensics
ForensicArtifacts
A Fistful of Dongles
Hacking Exposed

Books:
The Basics of Information Security
Hackers Beware – older, but very good info
Network Security Bible – another one by Dr. Eric Cole
DFWOST
Hacking Exposed - any of the "Hacking Exposed" series
WFAT - any of Harlan Carvey's books
Practical Packet Analysis
Violent Python
I’ve found great deals on books at Half-Price Books, which can make a big difference.  Some of the older ones, you might be able to find at the library as well.

Twitter:
I really recommend you get on twitter if you’re not.  Have a profile that’s focused on what you’re interested in, and follow people in that field.  It can be a great source of information, as well as connections when you need to know something.  Here are just a few folks that may be good to start with:
Johannes Ullrich
Josh Wright
Lance Spitzner
Russ McRee
Wesley McGrew
Doug Burks
Christiaan Beek
Eric Cole
Brian Krebs
Mike Cloppert
Richard Bejtlich
David Cowen
Didier Stevens
Lenny Zeltser
Hal Pomeranz
Chad Tilbury
SANS Forensics
Rob Lee
Andrew Case
See who they're talking to, and start branching out with who you follow.  Don't be afraid to join a conversation, ask questions, and share your experiences.  There are also quite a few active DFIR types on Google+, and there have been some good conversations happen there (at more than 140 characters a pop), as well as some hangouts.

Hope you find it helpful.

PS:  I have been advised by Counsel to at least mention that this list of resources is by no means exhaustive, nor intended to be.  In addition, they are in no particular order, nor intended to be any sort of status qualifier, and I'm not getting paid in any way for these references (aka, name dropping).  They are just some of the resources I find helpful, and wanted to share.  If you , your site, your book, or your list are not mentioned, that doesn't mean I don't follow, read, etc (see the whole "not exhaustive list" piece).  There are several hundred folks I follow on twitter, over a hundred blogs, dozens of books, and websites galore where I gather info while on this journey.  Quite simply, too many to mention.  Thanks to you all for being available and sharing with the community! 

Sunday, July 1, 2012

SANS DFIR Summit 2012 - Thoughts & Links

Well, this past week we wrapped up the SANS 2012 DFIR Summit in Austin, TX.  I think it's safe to say that a great time was had by all.  What was truly incredible was the time so many of us got to spend together in the week leading up to the Summit, while going through the wonderful training that SANS made available.

I got to see some people I haven't seen in a year (or more), as well as meet some in person that I've only known online.  And for the first time, I got to experience one of Harlan Carvey's presentations in person.  I'm not sure everyone's brains were awake enough quite yet for his keynote on day 2 of the Summit, but it really was a great talk, and he made some great points about things to consider when performing registry analysis on Win7.

Anyway, back to the point of all this.  I started out the Summit by eating at Stubbs BBQ with a dozen or so folks on my first day there, Wednesday the 20th.  Among these were Tom Yarrish, J. Michael Roberts and his wife Jennifer, Mike Pilkington, Jeremy Berger, and Alejandro Perez.  I recommended the serrano cheese spinach from having eaten at Stubbs once before, and it seemed to go over very well, which was good (I think everyone at my table ordered it); it could have gone so wrong.  ;D

As it turned out, my time there closed out the same; a very large group of us went to Stubbs for dinner on the last day of the Summit, and we had more good food and good times, with the likes of Cindy Murphy, Jen Krueger Favour, Kristinn Gudjonnson, and Shelly Giesbrecht.  I was scheduled to stay overnight and leave Thursday morning, but went ahead and left early to get back home and deal with the hail damage we sustained right before Summit.  That's a whole story in itself!

In between, we had a great opening keynote by Cindy Murphy, where she didn't talk about DFIR at all.  What?!  Might sound strange, but she did a great job, and we got to see Lee Whitfield with a parasol on an elephant.  No photo editing/alteration was involved, of course; that's just how Lee rolls...

Alissa Torres (Stay Outside Your Lane), Jeff Hamm (Carve Records Not Files), Chris Pogue (Sniper Forensics v3), and Hal Pomeranz (TrueCrypt Artifacts and Analysis) had just a few of the awesome presentations I attended.  Having two tracks made choosing difficult at times, unfortunately.  :(  In addition, Paul Henry did a SANS at Nite presentation on setting up a VMWare server on Mac Minis, and we had an awesome time at the SANS 360 Lightning Talks.  This was followed by an after-hours event sponsored by 21CT.  21CT, AccessData, VisibleRisk, JADsoftware, and Cellebrite all had a vendor presence at the Summit.

Also, SANS posted on twitter that all the presentations are available here.

I had the incredible honor of speaking at this year's Summit, and was able to close out the event by speaking at the end of the 2nd day.  Hopefully I "brought it!"  My talk was titled "Exfiltration Forensics in the Age of the Cloud" and was based on the idea of looking into host-side artifacts created by the client applications of cloud-based sync/backup services - namely Dropbox, SpiderOak, TeamDrive, ADrive, Carbonite and Mozy.  Dropbox was updating my work from last year, and the others were expanding on that base.  The idea was to show the risk that these services bring to a business (both internal and external), the types of artifacts that these applications introduce to a system, and what might be left behind after an uninstall.

I had a "cheatsheet" type of handout at my talk, which gave an overview of these artifacts.  I'm making that available online, along with a couple other spreadsheets, and a PDF of my presentation.  For the preso, I've included the notes along with the slides, so that there's a little more context for the bare bones of the slides.  Below is a download link to the 7zip archive.  It is encrypted, so please contact me for the passphrase.  I apologize for the inconvenience, but the reason is two-fold.  One, it gives me some idea who's interested in my research, and two (more importantly), it helps protect against the unscrupulous web scrapers that repost others' content as their own (which I've had happen before, unfortunately).

As a final note, I will be posting some of this over at ForensicArtifacts as a general resource for the larger community.  If you haven't been to ForensicArtifacts, you should check it out - it's a great community-driven site that hosts various artifacts and IOCs, and is a wonderful way to contribute without having to create an entire blog post.

Filename:   Cloud_Forensics_Research_Public.7z
Download:  https://www.box.com/s/a5b5c5b2f11f86f24c91
Hash:  a95ff597d1508db810df3a48a3313a4e (md5),   cd703fc9c60d599d53f2a9758cc49770c57ed069 (sha1)

PS:  I also have plans to expand this research and write up an article/paper on my findings, so keep tuned for more info...

PPS:   Rather than have everyone post email addies, it might be easier to DM me.

Friday, May 11, 2012

SANS DFIRSummit 2012 - Austin TX

The SANS #DFIRSummit in June is almost here, and those of us who are involved have been asked to share a little bit about what's going on. First, I'll give you the pertinent (aka, dull and boring) info, then move on to the juicy stuff.

Who: SANS (throwing the party)
What: 5th Annual Forensics and Incident Response Summit (aka, #DFIRSummit)
When: Tuesday, 26 June and Wednesday, 27 June, 2012 (ie, next month)
Where: Omni Hotel Downtown Austin
Why: Because it's a great event - networking, learning, good times (aka, DFIR "heaven on earth")
How: A lot of work by SANS, some generous sponsors, and incredible speakers (just can't be beat)

There's another "who" and that's the speakers. Detailed bios, and event schedule are on the website, but here's a quick breakdown:
Keynotes by Detective Cindy Murphy, Madison Police Department and Harlan Carvey, Chief Forensics Scientist at Applied Security, Inc. Probably everyone knows Harlan from his books, and because of regripper, so he won't need much in the way of introduction. Cindy may not be as well known, so if her name doesn't ring a bell, look her up - she's heavily involved in CDFS, and has done some incredible pioneering work in the field of digital forensics.

The speakers over two days, in two separate tracks (last year there was only one track) are:
- Windows 8 Forensic Artifacts - Kenneth Johnson
- Analysis and Correlation of Macintosh Logs – Sarah Edwards
- Practical Use of Cryptographic Hashes in Forensic Investigations - Pär Österberg Medina
- Reasons Not to “Stay in Your Lane” as a Digital Forensics Examiner – Alissa Torres
- Digital Forensics for IaaS Cloud Computing – Josiah Dykstra
- Carve for Records (Not Files) – Jeff Hamm
- Android Memory Acquisition and Analysis with DMD and Volatility – Joe Sylve
- Sniper Forensics v3: Hunt – Christopher Pogue
- Decade of Aggression – Christopher Witter
- Passwords are Everywhere – Hal Pomeranz
- Recovering Digital Evidence in a Cloud Computing Paradigm – Jad Saliba
- Anti-Incident Response – Nick Harbour
- Automating File Analysis - Pär Österberg Medina
- Mac Memory Analysis with Volatility – Andrew Case
- Digital Dumpster Diving – Lee Reiber
- When Macs Get Hacked - Sarah Edwards
- Evidence is Data: Your Secret Advantage – Jon Stewart
- Taking Registry Analysis to the Next Level – Elizabeth Schweinsberg
- Tales from the Crypt: TrueCrypt Analysis - Hal Pomeranz
- Security Cameras: The Corporate DFIR Too of the Future – Mike Viscuso
- Exfiltration Forensics in the Age of The Cloud – Frank McClain

But wait, there's more! Looks like 21CT is sponsoring several events, including some spectacular after-hours venues; there are lunch & learns (reduces per diem expenses for the budget-conscious), a breakfast, Forensic4Cast Awards, and SANS360 (a little over half-way down the page, just before the "NetWars" section). SANS360 is a lightning talk event, where each speaker has just 6 minutes (360 seconds) to present their topic. In that line-up we have: Andrew Case, Kenneth Johnson, Cindy Murphy, Harlan Carvey, Hal Pomeranz, Kristinn Gudjonsson (extra points if you can pronounce his name properly), Corey Harrell, Melia Kelley, Tim Ray, Alissa Torres, and David Nides.

Now back in the speakers list, you might have noticed a familiar name (they saved the best for last), and I thought I'd give you all a little overview of what my talk is about. As you all probably know, I spent a lot of time last year researching the footprint of Dropbox, the popular file-sync service. This came out as a multi-part kind of thing, with some initial research posted on the SANS blog, a more detailed article published on ForensicFocus, a post or two here, and some artifacts over on ForensicArtifacts. Links to all of those are here. I'd been thinking about that for a while, because I had used that service myself, and saw how easily it could be abused - especially in smaller organizations - for people to steal data. We're used to folks using thumb drives or webmail to get docs out, but what if they just kept them in a directory on their computer, and that directory was sync'd to the cloud and possibly other computers (or mobile devices) outside of the company's control?

Last summer I moved out of the consulting realm and into a corporate investigative setting. Thinking about how attackers exfiltrate data got me to thinking that these types of services could potentially be exploited that way as well as used by insiders. And smaller orgs don't tend to have all the fancy monitoring and locked-down systems/networks that larger ones might (data loss prevention, application layer firewalls, deep packet inspection, reverse proxies with blocked websites, yada yada yada). So if users have local admin rights, and nothing on the network is stopping certain types of traffic, then what's to stop them from using things like Dropbox, Carbonite, and so on?

So anyway, I started over with Dropbox (applications change over time, right?) (Note: Yes, it did change), and have added several others. I wanted to give forensicators an idea of what kinds of artifacts to look for on these types of applications. The preso won't be as detailed as my prior Dropbox work (I might be talking for two days if that were the case!), and I'm not delving into things like prefetch, jump lists, user assist, and so on. I think those are areas we all know to look; I wanted to give a starting point specific to some of these apps, and hopefully get everyone's minds churning.

 At a high level, I'll be touching on things like:
- File locations/application signature
- Files of note (databases, logs, etc)
- Residue after uninstall (files, folders, etc)
- Network connections
- Traffic signature (from packet capture)

 I'm really looking forward to this event, and not just because I'm a speaker. I think it'll be an awesome time, and a great opportunity to get out and mix it up with the community at large. There's no other event quite like this!

 If you haven't registered yet, but are going to, please feel free (read: be encouraged to do so) to use the discount code "PrimeLending10" to save 10% off the registration fee. SANS has given each speaker a discount code to share, this year, and that one's mine (obviously, right?). And yes, I get a "li'l somethin'" if enough people use it. :)

I think that's about it. Like I said, I'm looking forward to it, and I hope to see many of you there!

Happy Forensicating!