Sunday, July 1, 2012

SANS DFIR Summit 2012 - Thoughts & Links

Well, this past week we wrapped up the SANS 2012 DFIR Summit in Austin, TX.  I think it's safe to say that a great time was had by all.  What was truly incredible was the time so many of us got to spend together in the week leading up to the Summit, while going through the wonderful training that SANS made available.

I got to see some people I haven't seen in a year (or more), as well as meet some in person that I've only known online.  And for the first time, I got to experience one of Harlan Carvey's presentations in person.  I'm not sure everyone's brains were awake enough quite yet for his keynote on day 2 of the Summit, but it really was a great talk, and he made some great points about things to consider when performing registry analysis on Win7.

Anyway, back to the point of all this.  I started out the Summit by eating at Stubbs BBQ with a dozen or so folks on my first day there, Wednesday the 20th.  Among these were Tom Yarrish, J. Michael Roberts and his wife Jennifer, Mike Pilkington, Jeremy Berger, and Alejandro Perez.  I recommended the serrano cheese spinach from having eaten at Stubbs once before, and it seemed to go over very well, which was good (I think everyone at my table ordered it); it could have gone so wrong.  ;D

As it turned out, my time there closed out the same; a very large group of us went to Stubbs for dinner on the last day of the Summit, and we had more good food and good times, with the likes of Cindy Murphy, Jen Krueger Favour, Kristinn Gudjonnson, and Shelly Giesbrecht.  I was scheduled to stay overnight and leave Thursday morning, but went ahead and left early to get back home and deal with the hail damage we sustained right before Summit.  That's a whole story in itself!

In between, we had a great opening keynote by Cindy Murphy, where she didn't talk about DFIR at all.  What?!  Might sound strange, but she did a great job, and we got to see Lee Whitfield with a parasol on an elephant.  No photo editing/alteration was involved, of course; that's just how Lee rolls...

Alissa Torres (Stay Outside Your Lane), Jeff Hamm (Carve Records Not Files), Chris Pogue (Sniper Forensics v3), and Hal Pomeranz (TrueCrypt Artifacts and Analysis) gave just a few of the awesome presentations I attended.  Having two tracks made choosing difficult at times, unfortunately.  :(  In addition, Paul Henry did a SANS at Nite presentation on setting up a VMware server on Mac Minis, and we had an awesome time at the SANS 360 Lightning Talks.  This was followed by an after-hours event sponsored by 21CT.  21CT, AccessData, VisibleRisk, JADsoftware, and Cellebrite all had a vendor presence at the Summit.

Also, SANS posted on twitter that all the presentations are available here.

I had the incredible honor of speaking at this year's Summit, and was able to close out the event by speaking at the end of the 2nd day.  Hopefully I "brought it!"  My talk was titled "Exfiltration Forensics in the Age of the Cloud" and was based on the idea of looking into host-side artifacts created by the client applications of cloud-based sync/backup services - namely Dropbox, SpiderOak, TeamDrive, ADrive, Carbonite and Mozy.  The Dropbox portion updated my work from last year, and the others expanded on that base.  The idea was to show the risk that these services bring to a business (both internal and external), the types of artifacts that these applications introduce to a system, and what might be left behind after an uninstall.

I had a "cheatsheet" type of handout at my talk, which gave an overview of these artifacts.  I'm making that available online, along with a couple other spreadsheets, and a PDF of my presentation.  For the preso, I've included the notes along with the slides, so that there's a little more context for the bare bones of the slides.  Below is a download link to the 7zip archive.  It is encrypted, so please contact me for the passphrase.  I apologize for the inconvenience, but the reason is two-fold.  One, it gives me some idea who's interested in my research, and two (more importantly), it helps protect against the unscrupulous web scrapers that repost others' content as their own (which I've had happen before, unfortunately).

As a final note, I will be posting some of this over at ForensicArtifacts as a general resource for the larger community.  If you haven't been to ForensicArtifacts, you should check it out - it's a great community-driven site that hosts various artifacts and IOCs, and is a wonderful way to contribute without having to create an entire blog post.

Filename:   Cloud_Forensics_Research_Public.7z
Download:  https://www.box.com/s/a5b5c5b2f11f86f24c91
Hash:  a95ff597d1508db810df3a48a3313a4e (md5),   cd703fc9c60d599d53f2a9758cc49770c57ed069 (sha1)
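A check worth running on the downloaded archive before opening it, as an added example (not part of the original post): it parses a "Hash:" line in the format used above and streams the file through MD5 and SHA-1, treating a digest of the wrong length for its algorithm as unusable rather than as a match. Both algorithms are collision-weak, so a match only confirms the file is the one the author published; a mismatch means the download is not that file.

```python
import hashlib
import hmac
import io
import re

# Matches the blog's "Hash:" line format, e.g.
#   Hash:  <32 hex> (md5),   <40 hex> (sha1)
# SHA-256 is accepted too, in case a stronger digest is published later.
HASH_LINE_RE = re.compile(r"([0-9a-fA-F]{32,64})\s*\((md5|sha1|sha256)\)")
EXPECTED_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed sample in the same format: the MD5 and SHA-1 of b"hello".
SAMPLE_LINE = ("Hash:  5d41402abc4b2a76b9719d911017c592 (md5),   "
               "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d (sha1)")


def parse_hash_line(line):
    """Return {algorithm: lowercase hex digest} from a 'Hash: ... (md5), ... (sha1)' line.

    Digests whose length does not fit the named algorithm are dropped, so a
    typo in a published line can never be reported as 'verified'.
    """
    found = {}
    for hexdigest, alg in HASH_LINE_RE.findall(line):
        alg = alg.lower()
        if len(hexdigest) == EXPECTED_LENGTHS[alg]:
            found[alg] = hexdigest.lower()
    return found


def digests(stream, algorithms, chunk_size=1 << 20):
    """Read the stream once and compute every requested digest (archives can be large)."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify(stream, hash_line):
    """Compare the stream's digests with the published ones.

    Returns {algorithm: matched}; an empty dict means the line carried no usable
    digest, which callers must treat as 'not verified', never as success.
    """
    expected = parse_hash_line(hash_line)
    actual = digests(stream, expected)
    return {alg: hmac.compare_digest(actual[alg], expected[alg]) for alg in expected}


def verify_bytes(data, hash_line):
    return verify(io.BytesIO(data), hash_line)


def verify_path(path, hash_line):
    with open(path, "rb") as f:
        return verify(f, hash_line)


def all_match(results):
    """True only if at least one digest was checked and every one of them matched."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    print(verify_bytes(b"hello", SAMPLE_LINE))  # {'md5': True, 'sha1': True}
    # For the real download, pass the archive path and the "Hash:" line from the post:
    # print(all_match(verify_path("Cloud_Forensics_Research_Public.7z", hash_line_from_post)))
```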

PS: Since it's been several years, and much of the info has lost some usefulness (and just to simplify, since people are still asking), here is the pass:  gcs^6k-'mhRy{dzC=)">+fVvtA!2*P

Friday, May 11, 2012

SANS DFIRSummit 2012 - Austin TX

The SANS #DFIRSummit in June is almost here, and those of us who are involved have been asked to share a little bit about what's going on. First, I'll give you the pertinent (aka, dull and boring) info, then move on to the juicy stuff.

Who: SANS (throwing the party)
What: 5th Annual Forensics and Incident Response Summit (aka, #DFIRSummit)
When: Tuesday, 26 June and Wednesday, 27 June, 2012 (ie, next month)
Where: Omni Hotel Downtown Austin
Why: Because it's a great event - networking, learning, good times (aka, DFIR "heaven on earth")
How: A lot of work by SANS, some generous sponsors, and incredible speakers (just can't be beat)

There's another "who" and that's the speakers. Detailed bios, and event schedule are on the website, but here's a quick breakdown:
Keynotes by Detective Cindy Murphy, Madison Police Department and Harlan Carvey, Chief Forensics Scientist at Applied Security, Inc. Probably everyone knows Harlan from his books, and because of RegRipper, so he won't need much in the way of introduction. Cindy may not be as well known, so if her name doesn't ring a bell, look her up - she's heavily involved in CDFS, and has done some incredible pioneering work in the field of digital forensics.

The speakers over two days, in two separate tracks (last year there was only one track) are:
- Windows 8 Forensic Artifacts - Kenneth Johnson
- Analysis and Correlation of Macintosh Logs – Sarah Edwards
- Practical Use of Cryptographic Hashes in Forensic Investigations - Pär Österberg Medina
- Reasons Not to “Stay in Your Lane” as a Digital Forensics Examiner – Alissa Torres
- Digital Forensics for IaaS Cloud Computing – Josiah Dykstra
- Carve for Records (Not Files) – Jeff Hamm
- Android Memory Acquisition and Analysis with DMD and Volatility – Joe Sylve
- Sniper Forensics v3: Hunt – Christopher Pogue
- Decade of Aggression – Christopher Witter
- Passwords are Everywhere – Hal Pomeranz
- Recovering Digital Evidence in a Cloud Computing Paradigm – Jad Saliba
- Anti-Incident Response – Nick Harbour
- Automating File Analysis - Pär Österberg Medina
- Mac Memory Analysis with Volatility – Andrew Case
- Digital Dumpster Diving – Lee Reiber
- When Macs Get Hacked - Sarah Edwards
- Evidence is Data: Your Secret Advantage – Jon Stewart
- Taking Registry Analysis to the Next Level – Elizabeth Schweinsberg
- Tales from the Crypt: TrueCrypt Analysis - Hal Pomeranz
- Security Cameras: The Corporate DFIR Tool of the Future – Mike Viscuso
- Exfiltration Forensics in the Age of The Cloud – Frank McClain

But wait, there's more! Looks like 21CT is sponsoring several events, including some spectacular after-hours venues; there are lunch & learns (reduces per diem expenses for the budget-conscious), a breakfast, Forensic4Cast Awards, and SANS360 (a little over half-way down the page, just before the "NetWars" section). SANS360 is a lightning talk event, where each speaker has just 6 minutes (360 seconds) to present their topic. In that line-up we have: Andrew Case, Kenneth Johnson, Cindy Murphy, Harlan Carvey, Hal Pomeranz, Kristinn Gudjonsson (extra points if you can pronounce his name properly), Corey Harrell, Melia Kelley, Tim Ray, Alissa Torres, and David Nides.

Now back in the speakers list, you might have noticed a familiar name (they saved the best for last), and I thought I'd give you all a little overview of what my talk is about. As you all probably know, I spent a lot of time last year researching the footprint of Dropbox, the popular file-sync service. This came out as a multi-part kind of thing, with some initial research posted on the SANS blog, a more detailed article published on ForensicFocus, a post or two here, and some artifacts over on ForensicArtifacts. Links to all of those are here. I'd been thinking about that for a while, because I had used that service myself, and saw how easily it could be abused - especially in smaller organizations - for people to steal data. We're used to folks using thumb drives or webmail to get docs out, but what if they just kept them in a directory on their computer, and that directory was sync'd to the cloud and possibly other computers (or mobile devices) outside of the company's control?

Last summer I moved out of the consulting realm and into a corporate investigative setting. Thinking about how attackers exfiltrate data got me to thinking that these types of services could potentially be exploited that way as well as used by insiders. And smaller orgs don't tend to have all the fancy monitoring and locked-down systems/networks that larger ones might (data loss prevention, application layer firewalls, deep packet inspection, reverse proxies with blocked websites, yada yada yada). So if users have local admin rights, and nothing on the network is stopping certain types of traffic, then what's to stop them from using things like Dropbox, Carbonite, and so on?

So anyway, I started over with Dropbox (applications change over time, right?) (Note: Yes, it did change), and have added several others. I wanted to give forensicators an idea of what kinds of artifacts to look for on these types of applications. The preso won't be as detailed as my prior Dropbox work (I might be talking for two days if that were the case!), and I'm not delving into things like prefetch, jump lists, user assist, and so on. I think those are areas we all know to look; I wanted to give a starting point specific to some of these apps, and hopefully get everyone's minds churning.

At a high level, I'll be touching on things like:
- File locations/application signature
- Files of note (databases, logs, etc)
- Residue after uninstall (files, folders, etc)
- Network connections
- Traffic signature (from packet capture)

I'm really looking forward to this event, and not just because I'm a speaker. I think it'll be an awesome time, and a great opportunity to get out and mix it up with the community at large. There's no other event quite like this!

If you haven't registered yet, but are going to, please feel free (read: be encouraged to do so) to use the discount code "PrimeLending10" to save 10% off the registration fee. SANS has given each speaker a discount code to share, this year, and that one's mine (obviously, right?). And yes, I get a "li'l somethin'" if enough people use it. :)

I think that's about it. Like I said, I'm looking forward to it, and I hope to see many of you there!

Happy Forensicating!

Tuesday, April 3, 2012

A Few Worthwhile Updates

Okay, so I just need to post a couple (or maybe a few) quick updates. These are important, at least to me. :)

First up is ... wait for it ... wait for it ...

Forensic4cast Awards! There are some great folks in here, all very well-deserving. I'm not about to tell you who to vote for, as political discussions can be touchy. Oh wait, this isn't politics, so I guess I'll go ahead and get dirty. ;)

Not really, except to say, vote for log2timeline in the "Computer Forensic Software Tool of the Year" section. L2T's a great tool that I use on a regular basis, probably every case I work. Hands down, it's just awesome!

If for whatever reason (maybe you don't like perl) you can't bring yourself to vote for L2T, then there's another offering I can support. That's Registry Decoder, in the same category. RD is another great utility (in python, for you perl-haters) that can do for the Windows registry what L2T does for the file-system - parses the heck out of it! This bad boy is also proving extremely useful to me.

Yes, it's true, I'm in a quandary, a conflict, a conundrum. Now, where's my lucky coin?

Now that I'm all neurotic about the choices to be made, I'll move on to the next part. Oh, but first ... GO VOTE!

My next topic is ForensicArtifacts. This is a community-driven site that has a very catchy name: ForensicArtifacts.com. What, you've never heard of it?! Well, shame on me if I haven't mentioned it before. ;-(

Taken from the About page, here's a description of the site:

"ForensicArtifacts.com was built to become a repository for useful information forensic examiners may need to reference during the course of their analysis. Requests for artifacts of system files, programs, and malware are very common to see on computer forensic mailing lists and forums. This site strives to take the place of those requests and become a one-stop shop when it comes to forensic artifacts.

This site was designed for the digital forensic community, but it also relies on the community to become stronger. Please consider submitting any artifacts you have documented that may be of use to other examiners. As an added incentive, Rob Lee and SANS have graciously offered up a SANS Lethal Forensicator Coin for anyone submitting six or more artifacts or IOCs in any given year. For more details on this, please read here."

This is important, because we need more community involvement. A site like this only benefits the community if the community uses it. And if you're using it, you should be contributing to it. I don't want to sound all legalistic, but you should contribute. This doesn't just mean to send in artifacts; you can post links, follow @4n6artifacts on twitter and retweet, and recently we've even talked about having a "suggestions box" so people can submit ideas for artifacts, and anyone who's interested (and has time) can do some research to share with the community.

When it boils down to the crux of the biscuit (just mixing up various metaphors), ForensicArtifacts needs you! Only you can provide artifacts. It's low pressure, no time-table, do it as you can, just write it up and submit in the easy-to-follow form. It doesn't get much better than that! Basically, if you've found something in your work or research, even if it's perhaps incomplete, submit it.

We need your artifacts. We need your IOCs. And by "we" I mean the community as a whole, not just this site. When we all share the fruits of our labors, we all benefit. Pitch in! Recycle your artifacts and IOCs; it's good for the environment, and you get to make a difference!

Thanks!

Monday, March 12, 2012

I'm Goin' to Disneyland - Again!

Or ... What a year, what a year!

Not really Disneyland, but rather SANS DFIR Summit 2012 in Austin, TX. But let me back up and explain a wee bit first.

Last year this time I was working along at a small forensic consultancy as a senior analyst. I was able to get approval to attend FOR563 (Mobile Device Forensics) at the SANS Summit in Austin, but wouldn't be able to attend the Summit itself. Bummer, but the training was more valuable for the business in the long run. Anyway, in May that job disappeared on me, as such things happen on occasion. More bummer.

The DFIR community came around me with support, job opportunities, and in fact a way was made for me to attend the Summit directly (which I blogged about last year). No bummer there! I was able to meet a lot of great folks, see old friends, make new ones, network, and have a great time. I got a lot out of the event, and now I get to give back.

So in the interim, I've landed a corporate gig, which vastly increases my time at home with family, scheduling consistency, and so on. I have a good boss and it's a great gig all the way around.

But, to get around to the "giving back" part... I have been blessed with the opportunity to share the fruits of my research at the Summit this year, as I've been accepted as a speaker there. It's an incredible honor, and obviously very exciting! For those who might be concerned, I have no intention of making use of the term, "APT," unless I need to throw people off. :D

So here's the other thing. If you sign up at the link provided above, and use the discount code below, you'll get 10% off the Summit registration fee. No joke, it's for real! Act now, SANS expects this event to sell out quickly!

Discount Code: PrimeLending10

Hope to see you there!

PS: Just a quick update regarding the 10% discount. SANS is offering this through the speakers. They did not explain *why* in any great detail, although it seems obvious to me they want to increase attendance and think this will help. And perhaps whoever gets the most signups using their code, will be given a Ferrari. Or a SANS-branded thumb drive. Really, I'd like the Ferrari. ;)

Monday, February 13, 2012

The Case for ... Investigating

Lee Whitfield posted on his corporate blog earlier today about reasons not to bring cyber investigations for litigation (specifically forensics and eDiscovery) in-house, in response to this article making a case for the opposite. I replied on twitter, and was promptly lambasted by Kyle Maxwell for not blogging about it instead. You know how it is, twitter just doesn't provide a good platform for detailed response, and Kyle seemed to feel that sending several tweets was inappropriate. If it went any further, I think he would've called me old and feeble. Again. :( So here's my detailed post.

I think (hope) that my perspective is somewhat unique, as I have been on both sides of the fence - in consulting and corporate roles. I've spent a lot of time scoping these types of matters, talked with GCs, OCs, IT, InfoSec, and eDiscovery folks. Full disclosure, I worked for several years at the consulting firm where Lee now works (although I've never had the pleasure of working with him), and in my current corporate position I'm responsible for building out the in-house programs. Lee's company focuses on reducing datasets so that eDiscovery costs are lower. That service is nowhere near the eDisco costs, but it ain't free either. ;) I was brought on where I am now specifically because they wanted the internal capabilities, having dealt with the difficulties of not having that kind of expertise in-house, and the tremendous cost of paying outside consultants and vendors.

In the original article, which was based primarily on an interview with Greg Thompson of Scotiabank, the essence of Thompson's argument is that it's totally worth it. He stated that they can easily spend $2000/day with an external vendor, compared to internal costs of $800/day. That's a pretty obvious ROI. My guess is that they're talking about an all-in-one vendor that collects, processes, and produces the data, with reductions coming only from deduping and deNISTing, and that probably occurs only after loading in the eDisco software.

Lee has a three-point rebuttal that centers on: Cost, Impartiality, and Skill set (not Skil saw, that's very different). Lee's company is not an eDisco processor, they're a forensic shop whose bread and butter is large-scale collection and data reduction for litigation. No, I'm not selling them, but as I said, I used to work there, so I'm very familiar. Because of the culling process they employ, data sets can be significantly reduced compared to what was collected, with associated lowering of eDiscovery processing costs.

My basic response to Lee was, "It depends." Trying to expound on that in twitter is pretty much fail, so I'll attempt to do so here. Basically, you've got a "party line" on either side. No, I'm not talking about the old phone system where you could pick up your home receiver and hear your neighbors' conversation. I'm talking about the territorial/turf war approach. In general terms. The consultants say if you're not out-sourcing, you're not doing it right and risk sanctions. The corporate folks say that they don't need somebody coming in "administering" their network and charging money for something they can do just fine. From my experience on both sides of the fence, here's how I think it breaks down.

Cost:
In a nutshell, Lee points to the salary of the kind of experienced expertise you'll need, software/hardware, training, and certifications. That's true, it's not cheap to get that kind of personnel. There are a couple of things with this though, that I think bear more discussion. As with any such position (even in consulting), it's probably not a dedicated role, so the actual percentage of salary that applies to the forensics/eDisco work is not anywhere close to the six figures Lee mentions. Anyone in IT (much less InfoSec) is going to require ongoing training and certifications, and any employer that places value on professional development will support that anyway. So that only leaves us with hardware/software, which up front may be a sizable outlay in cost, but will pay for itself very rapidly. How so? Well, a single case with 30 or more custodians could quickly cost over $100K. If you have one or more of those per year, your internal programs are covered. ROI's easy there.

Impartiality:
This may - in my opinion - be the best argument, up to a point. The corporation is paying the internal resource's paycheck, so those individuals have to support the corporate position, right? Not a bad assumption, but the same can apply to a consultant firm - they're paid by some organization to act in support of that org; if they don't give "good" results, they're out, right? So that knife cuts both ways, I think. But to the original point, I think it comes down to ethics of the investigator, just as with any case; we have an ethical, professional, and moral responsibility to do what is right, no matter what. Since the core of our work is based on facts in evidence, this shouldn't be an issue (at least not theoretically, but again, that cuts both ways). I think in most cases, an internal investigation is acceptable; there may be times that is different, and those should be addressed accordingly. The company - and its investigators - need to be able to determine when it may not be appropriate for the investigation to be handled internally. I know Kyle has mentioned having to deal with that where he works.

Skill set:
I'm a little confused on this one, to be honest. Lee says that most in-house investigators come from security or investigative backgrounds, discusses that network forensics has little to do with host forensics or eDiscovery, then goes on to say that while having "IT" staff involved, they shouldn't necessarily collect data themselves, as that could stomp on its evidential value. Okay, that's a long sentence, and a paraphrase of several combined. My confusion comes in from his starting out talking about computer security, network security, investigation background, and network forensics, then pointing out that IT staff aren't trained to know about file system changes, timestamps, and so on (all the yummy metadata stuff that forensics thrives on). I don't disagree with the latter, but I don't see the correlation with the former. The former is more the Incident Response (IR) type, it seems, and in my experience those folks are rather well versed and cognizant of maintaining evidence integrity (such as all that yummy metadata) and chain of custody. Pure IT folks - sysadmins and such - not so much; that's not to place blame, it's just not their area of expertise.

So here's my summary:
If your company is under regular litigation - large or small - and perhaps if you have regular threats to your intellectual property (thinking internal threats here, not external), it may well be a wise move to look at developing in-house capabilities. You need to really take some time to determine your internal needs and requirements, and remember these matters are about more than just email (systems, network, database, etc), and you must have a good grasp on your environment variables. You need to determine how much of the process you want internal - you may still want to outsource final production and hosting, for instance. Make sure you get the right expertise, and be aware that there will be an up-front cost (ongoing costs for software, hardware, training and certifications are minor in comparison). But the savings can be significant, and it is possible to come out ahead, if you compare against the money you would have been spending with outside vendors. ROI, the language of C-levels... :) Bottom line is, be informed, and make intelligent choices - don't just take action based on what either "side" is telling you.

I do think it may not be the best decision to try to convert your IT staff. In years of dealing with IT departments, and knowing how those personnel tend to think/approach these matters, your up front difficulties and costs are much higher, and you have a much steeper "learning curve," if you will. It pays to get someone who already knows how to do the work, has solid experience, and I would even add, has provided expert testimony in court. That is the bottom line for this field, whether one - and one's work - stands up well in court. But do be careful, as not all consultants are suited for corporate life; it's a different style of work, and you need someone for the long-term, not short-term, or your ROI decreases. You also don't want a "push button" forensics person, but someone who truly understands what's going on behind the scenes; they're going to be able to provide better development and support for your internal programs.

Let's face it folks, litigation isn't going away, nor is electronically stored information (ESI). Thus, ESI will have to be produced in litigation, and in comes eDiscovery. Orgs large or small feel the sting of the associated costs (which seem to be rather unreasonable at times), and - just being realistic - people are going to look for ways to bring it in-house. Sometimes that's just not feasible, and in those cases I think it's important to look for help in pre-culling to reduce costs. But for many organizations, having an internal program makes perfect sense and is not a mistake - when approached carefully and done right.

Okay, I think that's about it. No tech stuff this time, sorry to disappoint those who might've hoped otherwise.

Wednesday, January 18, 2012

Forensic4cast 2012 - Kristinn Gudjonsson & log2timeline

Okay, folks, it's that time of year again. Yes, it's time for the Forensic4cast awards. Eric Huber beat me to it, which could cost me my fanboy status. However, I gave a link to the Awards, so maybe that'll help. :)

Anyway, here's the point: Nominate Kristinn Gudjonsson and log2timeline. For what, though? Well, I'm with Eric on this - Kristinn for Examiner of the Year, and l2t for Forensic Software of the Year. The software wasn't initially developed this year, we all know that, but it has been under constant development, and I think that counts. Anyway, he didn't get the recognition he deserves last year (IMO), so let's get all the l2t fans together and get him in there!

First thing is to nominate, then remember to vote! Be sure to nominate and vote for others as well. There are several categories, so have at 'em. Best Organization (CDFS), Best Blog [cough]this one[/cough], Best Article [cough]Dropbox Forensics[/cough], and so on. Jokes aside, I think the CDFS has a good chance to make a difference in our field, and its leaders have been working very hard to do just that. Be a part, get involved, and also - nominate and vote!

That's all for now.

Update - Just to add another worthwhile one into the mix, even though it is (gasp, aargh) in the same category... RegistryDecoder by Andrew Case and Lodovico Marziale at Digital Forensic Solutions. I've used RegDecoder, and I like it. Easy to use, very useful, does a great job automating registry parsing from an image, multiple extracted files, mounted image set, etc. It will even run against a live system, although I haven't used it that way. You can do keyword searches, build a timeline, and much more. So that should go for Forensic Software of the Year as well. I hate to have to suggest a competitor to l2t, but RD's very good as well. And, competition makes us all better, right?

PS: While you're at it, go vote for RegDecoder on Toolsmith, open until 31 Jan 2012!