Daily Blog #149: PFIC Day 2 Notes

PFIC Day 2 Notes by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
Here are my notes from Day 2 of PFIC. This is the last of these posts, as I didn't attend the Day 3 sessions in depth since snow was falling and clients were calling. I'll be updating these posts with the slides from the relevant lectures so you can see those as well.

Day 2 - PFIC Notes

8:00am Session - Ira Winkler ' The Cyber Jungle'

Ira is very personable; I like his show as well as him.
Two good stories so far: the first promoting InfraGard (Ira is the president of his local InfraGard chapter), the other involving credit card fraud.

Why does the media ask dumb questions on TV? The guest gives them dumb questions to ask.

Executives don't want to disclose and notify; this is something I also have found.

CryptoLocker story time

Pointing out the FUD about CryptoLocker that's out there: a bad media report showing a technical person saying that firewalls, service packs and good passwords could have prevented CryptoLocker.

Another good story, this one about a reporter's experience with some attorneys.

Reporters are under pressure to get multiple stories a day. This can hurt parties who can't handle the media well or answer questions quickly.

An interesting story about ankle bracelets in Las Vegas: wearers are removing them, committing crimes, and then putting the bracelet back on when they get back to their house. The bracelets are not being monitored actively and the process is broken.

Downtown streetlights in Las Vegas will be able to monitor audio in the future, and in the near future officers will be able to listen to this audio via iOS apps on their phones. Ira is wondering if anyone is properly securing this channel, applying ISO 27k or another security standard, to prevent non-LEO from listening.

Make sure to listen to cyberjungleradio.com for his weekly podcast. Link to site: http://thecyberjungle.com/index.php

10:00am Session - Python for web application security testing


This is a talk on writing Python code for web app testing rather than using the popular tools.

Recommends Head First Programming to learn Python.

Showing how to build a buffer overflow script in Python.
All of these scripts and the example app are on a Dropbox shared folder for those who want to try this at home.

This isn't your normal DFIR presentation; it's very infosec focused. The audience seems interested though, so that's good.



Showing how web apps store data and failed logins from buffer overflow attempts against a user authentication form. This is not a Python tutorial but rather a show of what's capable and what it leaves behind.

Edited some code and talked about what things affect and change.

Moved on to XSS attacks.

Talking about htmlspecialchars to prevent XSS (that is the PHP function name; Python's built-in equivalent is html.escape).

Moving on to how to use Python to do testing and get over common hurdles.

First hurdle is basic auth: don't store credentials within code; retrieve them via a prompt to the user on execution.
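The three hurdles above (an oversized login field to see what the form stores, escaping output to stop reflected XSS, and basic auth without credentials in the source) in stock-library Python. This is an added example of mine, not one of the talk's Dropbox scripts; the target URL is a placeholder and the greeting page is a constructed toy app.

```python
"""Added example (mine, not the talk's scripts): a few stock-library Python
helpers for web app testing.  The login URL is a placeholder, and
render_greeting() is a toy app used to show the vulnerable vs escaped output."""
import base64
import getpass
import html
import urllib.parse
import urllib.request

LOGIN_URL = "http://target.example/login"  # placeholder, not a real host


def login_form_body(username: str, password: str) -> bytes:
    """URL-encoded POST body for a typical username/password form."""
    return urllib.parse.urlencode({"username": username, "password": password}).encode()


def overflow_probe(length: int, marker: str = "A") -> str:
    """Oversized field value: whatever the app logs or stores for the failed
    login will show whether it truncated, rejected, or kept the whole thing."""
    return marker * length


def render_greeting(name: str, escape: bool) -> str:
    """Toy reflected page.  escape=False is the vulnerable version; escape=True
    is the Python counterpart of wrapping the output in htmlspecialchars()."""
    safe = html.escape(name, quote=True) if escape else name
    return f"<p>Welcome, {safe}</p>"


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """True when the payload came back byte-for-byte, i.e. the XSS would fire."""
    return payload in page


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64 of 'user:pass'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def prompt_credentials():
    """Ask at run time so nothing ends up in the script or in shell history."""
    return input("username: "), getpass.getpass("password: ")


def build_login_request(url, auth_user, auth_pass, form_user, form_pass):
    """POST to a login form that sits behind HTTP Basic auth (built, not sent)."""
    req = urllib.request.Request(url, data=login_form_body(form_user, form_pass), method="POST")
    req.add_header("Authorization", basic_auth_header(auth_user, auth_pass))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


if __name__ == "__main__":
    user, password = prompt_credentials()
    req = build_login_request(LOGIN_URL, user, password, overflow_probe(4096), "x")
    print(req.get_header("Authorization")[:6] + "...", len(req.data), "bytes of form data")
    # urllib.request.urlopen(req) would send it; left out so this runs offline.
```

Run it interactively and it prompts for the Basic auth credentials, builds the oversized-username POST, and prints the size of what would be sent; compare the two render_greeting() outputs to see exactly what html.escape changes.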

All functions covered so far are built-in Python libs.
He is now going into Scapy, which is a 'full featured library for performing network operations': a packet capture/manipulation/creation/replay lib.


Live demonstration of capture, reviewing and replaying traffic with scapy.
Showing the built in fuzzer within scapy.
Showing how to spoof the traffic in your fuzzing with scapy.

Ending now and discussing the benefits of Python. He isn't saying not to use off-the-shelf tools, but if you want to be successful and understand more, getting lower level with Python directly will make you more versatile.

10:30am Session - Me!

It was amazing!

It was wonderful!

Offers of free coffee were given!

I'm writing this before my session but this is how I want it to go.

In reality it went well, but I had live demos fail as they are apt to do; even Excel was crashing on me. Luckily I added in pre-generated results to move things forward.

11:30am Session - Jake Williams IaaS forensics


IaaS, infrastructure as a service, is the acronym that represents most of the cloud virtualized systems we talk about.

Get an Incident Response plan and make sure it contains what to do for both your internal and externally hosted assets.

You are stuck trusting the hypervisor at some base level.
In a commercially hosted cloud you don't have access to the hypervisor (Amazon); in a privately hosted cloud (your own ESX server) you do have access to the hypervisor.
You need to validate that the hypervisor has not been compromised.

If the hypervisor has been tampered with you need to collect additional evidence.

Jake has found an ESX server where the hypervisor was compromised and thus can no longer say it doesn't happen. If the hypervisor is compromised, the attacker can control physical memory outside of the guest OS and the guest OS artifacts.

There are hypervisor logs that you should be collecting.
Hypervisor compromise is not typical, but you should grab the logs to be sure.

The vm-support command will output a tgz file with the logs and VM inventories that you need.
USB over IP devices are logged separately by the hypervisor from USB devices physically plugged in.

Don't use shared admin accounts if you want easy attribution of admin actions.

Introspection isn't easily detected by the attacker and can be normally used to collect data outside of the attackers view.

In-band actions (non-hypervisor based) are bad because the bad guys can easily detect your response effort.

You can't do out-of-band actions on public clouds (Amazon) as they don't give you hypervisor access, so you're stuck with traditional live response.

Making full disk images of cloud hosts is typically difficult, as your bandwidth to the site is your bottleneck.

Amazon, and hopefully soon Rackspace, will write your data to a physical disk and mail it to you.

You supply the drive and cables, they charge you $80 per disk, and they will accept a shipping label so you can get it via FedEx.

Accounting records will be provided, but they don't do chain of custody. The Amazon feature mentioned, called 'bulk export', is not meant as a forensic/IR service.

A good alternative is to spin up a forensic/IR virtual instance so you can keep the data within the cloud and speed up your investigation.

Have dongle-restricted software you want to run in the cloud? Use USB over IP.
The hardest part of dealing with hosted/cloud hosted systems is making sure the tech is going to follow your procedures and not shut down the system or kill the vm instance.

Snapshots are great, memory is better.

Public clouds (Amazon, etc.) don't allow you to request physical memory out of band from the hypervisor.
Public cloud snapshots are disk states, not memory states.

If you capture the memory to a network share, make sure you lock down who can access it, or else you may have non-authorized personnel accessing secrets.

You can still do CoC yourself; F-Response is a great imaging solution for cloud hosts.

If you get compromised, public providers like Amazon limit their liability for a compromise on their end to a refund of that month's fees.

If you don't want to use F-Response, FAU is another good tool for live cloud imaging, but make sure to put it over an encrypted tunnel.

Protect your memory dumps, possibly encrypt them. Out-of-band imaging is still the best option.

HP has internal resources that can out-of-band image an HP hosted cloud server.

The issue with imaging logical disks in non-VMware clouds is that tools often can't find the end of the disk and keep writing forever. Test your tools in your cloud for your IR plan to find out which ones fail silently.

Hypervisor imaging is as simple as snapshotting.
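An acquisition routine that addresses the failure modes above (a tool that never finds the end of a logical disk, a silent short read, and a dump left readable by everyone on the share), as an added example of mine rather than F-Response, FAU or anything from Jake's talk. It learns the source size up front, copies exactly that many bytes, hashes both ends, and creates the image owner-only; demo() builds a constructed sample file so it runs offline.

```python
"""Added example (mine, not a tool from the talk): bounded logical-disk
acquisition that cannot write forever, flags short reads instead of
hiding them, and keeps the image file owner-only."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size


def source_size(path: str) -> int:
    """Size of a file or (on Linux) a block device, by seeking to its end."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_bounded(src: str, dst: str, expected_size=None) -> dict:
    """Copy exactly expected_size bytes (default: what the source reports).

    A source that never returns EOF is cut off at the bound instead of
    filling the collection disk; a source that ends early is recorded as
    incomplete rather than silently accepted.
    """
    size = source_size(src) if expected_size is None else expected_size
    src_hash = hashlib.sha256()
    copied = 0
    # 0600 at create time plus fchmod so a permissive umask on the
    # collection host or share cannot expose the dump's contents.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        os.fchmod(fout.fileno(), 0o600)
        while copied < size:
            chunk = fin.read(min(CHUNK, size - copied))
            if not chunk:  # short read: the source ended before the bound
                break
            src_hash.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
    record = {
        "source": src,
        "image": dst,
        "expected_bytes": size,
        "copied_bytes": copied,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of(dst),
    }
    record["complete"] = (copied == size
                          and record["sha256_source"] == record["sha256_image"])
    # Sidecar hash file: first entry of the chain of custody you keep yourself.
    with open(dst + ".sha256", "w") as f:
        f.write(f"{record['sha256_image']}  {os.path.basename(dst)}\n")
    return record


def demo():
    """Constructed sample: a 3 MiB + 123 byte 'disk' imaged twice, once with
    the real size and once with an over-stated size to show the short-read flag."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "vda.raw")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        good = acquire_bounded(src, os.path.join(d, "vda.dd"))
        short = acquire_bounded(src, os.path.join(d, "vda-short.dd"),
                                expected_size=3 * CHUNK + 123 + 4096)
        mode = os.stat(good["image"]).st_mode & 0o777
        return good, short, mode


if __name__ == "__main__":
    good, short, mode = demo()
    print("complete:", good["complete"], "mode:", oct(mode))
    print("over-stated size flagged:", not short["complete"],
          short["copied_bytes"], "of", short["expected_bytes"])
```

On a real host you would pass the provider's advertised volume size as expected_size and point dst at a mount reached over an encrypted tunnel; the returned record is what goes into your own chain-of-custody log, since the provider will not keep one for you.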

1:30pm Session - Memory forensics with Chad Tilbury


I should have gone into this session, but I was too busy talking to people through lunch. I did see the end and recognized a subset of slides from FOR508, but he ended it with a nice preview of Mac and Linux memory forensics.

2:30pm Session - Recovering your costs in ediscovery


Quote from the judge in Fair Housing Center of Southwest Michigan v. Hunt, where the judge chastised a party for turning the litigation into an e-discovery workshop.
Nice review of which ESI costs can be recoverable; this is good information for me to advise my clients, who are often not aware this exists.

If you want to recover costs you have to show detail and provide affidavits that explain why the work was necessary and how the costs break down.

Don't be vague on invoices and document your work if you want your costs to be recoverable for your client in the event they prevail.

Moore v. Weinstein - the prevailing party received $36,196, of which the e-discovery service provider made up $22,000, after asking for $40,000.

In-house work done within a party's firm needs to have reasonable costs, and the work done must justify the rate desired to be applied.

A fun sidebar about Thor and SHIELD and whether working with Thor would show the government endorsing a religion.
Interesting: court rulings have come out stating that native productions of documents are not recoverable costs.

No cost recovery for hosting: courts still compare data hosting to warehouses holding paper, so these are non-recoverable costs.
Forensic costs within e-discovery are recoverable, and the forensic investigation fees of an expert witness are also recoverable separately.

Second 'geek break' discussion on how wills would affect 12 regenerations of Doctor Who.

Also Read: Daily Blog #148
