
Daily Blog #149: PFIC Day 2 Notes

Hello Reader,
           Here are my notes from Day 2 of PFIC. This is the last of these posts, as I didn't attend the Day 3 sessions in depth: snow was falling and clients were calling. I'll be updating these posts with the slides from the relevant lectures so you can see those as well.

Day 2 - PFIC Notes

8:00am Session - Ira Winkler 'The Cyber Jungle'

Ira is very personable; I like his show as well as him.
Two good stories so far, the first promoting InfraGard (Ira is the president of his local InfraGard chapter), the other involving credit card fraud.

Why does the media ask dumb questions on TV? The guest gives them dumb questions to ask.

Executives don't want to disclose and notify; this is something I have also found.

CryptoLocker story time

Pointing out the FUD about CryptoLocker that's out there, such as a bad media report showing a technical person saying that firewalls, service packs and good passwords could have prevented CryptoLocker.

Another good story, this one about a reporter's experience with some attorneys.

Reporters are under pressure to get multiple stories out a day. This can hurt parties who can't handle the media well and aren't able to provide answers quickly.

An interesting story about how people on monitored release in Las Vegas are removing their ankle bracelets, committing crimes, and then putting the bracelet back on when they get back to their house. The bracelets are not being monitored actively, and the process is broken.

Downtown streetlights in Las Vegas will be able to monitor audio in the future. In the near future officers will be able to listen to this audio via iOS apps on their phones. Ira is wondering whether anyone is properly securing this channel, by applying ISO 27k or another security standard, to prevent non-LEO from listening.

Make sure to listen to his weekly podcast at cyberjungleradio.com. Link to site: http://thecyberjungle.com/index.php

10:00am Session - Python for web application security testing

This is a talk on writing your own Python code for web app testing rather than using the popular tools.

Recommends Head First Programming to learn Python.

Showing how to build a buffer overflow script in Python.
All of these scripts and the example app are in a Dropbox shared folder for those who want to try this at home.

This isn't your normal DFIR presentation; it's very infosec focused. The audience seems interested though, so that's good.

Showing how web apps store data and log failed logins from buffer overflow attempts against a user authentication form. This is not a Python tutorial but rather a demonstration of what's possible and what it leaves behind.

Edited some code and talked about what things affect and change.

Moved on to XSS attacks.
Talking about the htmlspecialchars function to prevent XSS (htmlspecialchars is a PHP function; the Python standard-library equivalent is html.escape).

Moving on to how to use Python to do testing and get over common hurdles. The first hurdle is basic auth.

Don't store credentials within code; retrieve them via prompts to the user on execution.

All functions covered so far are built-in Python libraries.
He is now going into Scapy, which is a 'full featured library for performing network operations': a packet capture/manipulation/creation/replay library.

Live demonstration of capturing, reviewing and replaying traffic with Scapy.
Showing the built-in fuzzer within Scapy.
Showing how to spoof the traffic in your fuzzing with Scapy.

Ending now and discussing the benefits of Python. He's not saying not to use off-the-shelf tools, but if you want to be successful and understand more, getting lower level with Python directly will allow you to be more versatile.
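Two of the hurdles from this talk, the XSS escaping and basic auth without hard-coded credentials, are small enough to show in plain Python. This is an example I've added to these notes, not the speaker's code or anything from his Dropbox folder; the login URL and the attacker payload are made up for illustration, and only the standard library is used.

```python
"""Escaping user input before it is rendered (the Python counterpart of PHP's
htmlspecialchars) and building an HTTP basic auth request whose credentials are
supplied at run time rather than stored in the script.
Added example for these notes; not the speaker's code."""
import base64
import getpass
import html
import urllib.request

# Constructed sample: what an attacker might submit in a login form's username field.
SAMPLE_PAYLOAD = '<script>alert("xss")</script>'


def render_failed_login_unsafe(username: str) -> str:
    """The vulnerable version: user input concatenated straight into the page."""
    return "<p>Login failed for user: {}</p>".format(username)


def render_failed_login(username: str) -> str:
    """The hardened version: escape the user-controlled value before it goes into
    HTML. html.escape(quote=True) handles <, >, &, " and ', which is what
    htmlspecialchars does with ENT_QUOTES in PHP."""
    return "<p>Login failed for user: {}</p>".format(html.escape(username, quote=True))


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP basic auth (RFC 7617):
    'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Build (but do not send) an authenticated request. The credentials come from
    the caller, so nothing is hard-coded in this file."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    # Prompt at run time instead of storing credentials in the script.
    user = input("Username: ")
    pw = getpass.getpass("Password: ")
    # Hypothetical target URL; replace with the app under test.
    req = build_request("http://127.0.0.1:8080/login", user, pw)
    print(req.get_header("Authorization"))
    print("unsafe:", render_failed_login_unsafe(SAMPLE_PAYLOAD))
    print("safe:  ", render_failed_login(SAMPLE_PAYLOAD))
```

Run it and compare the two rendered lines: the unsafe one hands the browser a live script tag, the escaped one shows the same text inert. The request is only built here, not sent, so the script runs offline; `urllib.request.urlopen(req)` is the one extra call needed against a real target.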

10:30am Session - Me!

It was amazing!
It was wonderful!
Offers of free coffee were given!
I'm writing this before my session but this is how I want it to go.
In reality it went well, but I had live demos fail as they are apt to do; even Excel was crashing on me. Luckily I added in pre-generated results to move things forward.

11:30am Session - Jake Williams, IaaS forensics

IaaS, infrastructure as a service, is the acronym that covers most of the cloud virtualized systems we talk about.
Get an incident response plan and make sure it covers what to do for both your internal and your externally hosted assets.
You are stuck trusting the hypervisor at some base level.
In a commercially hosted cloud you don't have access to the hypervisor (Amazon); in a privately hosted cloud (your own ESX server) you do.
You need to validate that the hypervisor has not been compromised.
If the hypervisor has been tampered with you need to collect additional evidence.
Jake has found an ESX server where the hypervisor was compromised, and thus can no longer say it doesn't happen. If the hypervisor is compromised then the attacker can control physical memory outside of the guest OS, and with it the guest OS artifacts.
There are hypervisor logs that you should be collecting.
A compromised hypervisor is not typical, but you should grab the logs to be sure.
The vm-support command will output a tgz file with the logs and VM inventories that you need.
USB over IP devices are logged separately by the hypervisor from USB devices that are physically plugged in.
Don't use shared admin accounts if you want easy attribution of admin actions.
Introspection isn't easily detected by the attacker and can normally be used to collect data outside of the attacker's view.
In-band actions (non-hypervisor-based actions) are bad because the bad guys can easily detect your response effort.
You can't do out-of-band actions on public clouds (Amazon) as they don't give you hypervisor access, so you're stuck with traditional live response.
Making full disk images of cloud hosts is typically difficult, as your bandwidth to the site is your bottleneck.
Amazon, and hopefully soon Rackspace, will write your data to a physical disk and mail it to you.
You supply the drive and cables, they charge you $80 per disk, and they will accept a shipping label so you can get it via FedEx.
Accounting records will be provided, but they don't do chain of custody.
The Amazon feature mentioned, called 'bulk export', is not meant as a forensic/IR service.
A good alternative is to spin up a forensic/IR virtual instance so you can keep the data within the cloud and speed up your investigation.
Have dongle-restricted software you want to run in the cloud? Use USB over IP.
The hardest part of dealing with hosted/cloud hosted systems is making sure the tech is going to follow your procedures and not shut down the system or kill the VM instance.
Snapshots are great; memory is better.
Public clouds (Amazon, etc.) don't allow you to request physical memory out of band from the hypervisor.
Public cloud snapshots are disk states, not memory states.
If you capture memory to a network share, make sure you lock down who can access it, or else you may have unauthorized personnel accessing secrets.
You can still do chain of custody yourself; F-Response is a great imaging solution for cloud hosts.
If you get compromised, public providers like Amazon limit their liability for a compromise from their end to a refund of that month's fees.
If you don't want to use F-Response, FAU is another good tool to use for live cloud imaging, but make sure to put it over an encrypted tunnel.
Protect your memory dumps; possibly encrypt them.
Out-of-band imaging is still the best option.
HP has internal resources that can out-of-band image an HP hosted cloud server.
The issue with imaging logical disks in non-VMware clouds is that tools often can't find the end of the disk and keep writing forever.
Test your tools in your cloud for your IR plan to find out which ones fail silently.
Hypervisor imaging is as simple as snapshotting.
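Two of Jake's points, tools that can't find the end of a cloud logical disk and keep writing forever, and doing your own chain of custody on a live image, come down to the same thing: decide the size up front, copy exactly that many bytes, and hash while you copy. The script below is an example I've added to these notes, not Jake's code, F-Response or FAU; it images a constructed sample file standing in for a disk, and the size lookup via lseek to the end of the device is the part to test against your own cloud before you rely on it. On a real Linux block device you would pass the device path (for instance /dev/xvdf) as the source.

```python
"""Bounded live imaging with hashes computed during the copy, so the image can be
verified and documented for chain of custody. Added example for these notes;
not Jake's code or any vendor's tool."""
import hashlib
import os
import tempfile
from typing import Optional


def device_size(path: str) -> int:
    """Size in bytes of a block device or regular file. os.lseek(..., SEEK_END)
    works for both on Linux, whereas os.stat().st_size is 0 for a block device,
    which is exactly the 'can't find the end of the disk' trap."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def image_device(src: str, dst: str, block_size: int = 1 << 20,
                 size: Optional[int] = None) -> dict:
    """Copy exactly `size` bytes from src to dst (discovered via device_size() when
    not given), hashing as we go. Stops at the bound even if the source keeps
    returning data, and raises if the source ends early, so neither a runaway
    nor a short read can fail silently."""
    if size is None:
        size = device_size(src)
    if size <= 0:
        raise ValueError(f"could not determine size of {src}; pass size= explicitly")
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while copied < size:
            chunk = fin.read(min(block_size, size - copied))
            if not chunk:
                raise IOError(f"short read: got {copied} of {size} bytes from {src}")
            fout.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            copied += len(chunk)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(path: str, expected_sha256: str, block_size: int = 1 << 20) -> bool:
    """Re-hash the finished image and compare it to the acquisition hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo() -> dict:
    """Constructed sample: a 3 MiB + 17 byte 'disk' of random bytes, so the last
    block is partial. Returns the acquisition record plus verification flags."""
    tmpdir = tempfile.mkdtemp()
    src = os.path.join(tmpdir, "sample_disk.bin")
    dst = os.path.join(tmpdir, "sample_disk.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * (1 << 20) + 17))
    record = image_device(src, dst)
    record["verified"] = verify_image(dst, record["sha256"])
    record["size_matches"] = record["bytes"] == device_size(src)
    return record


def demo_short_read() -> bool:
    """Constructed failure case: claim the source is bigger than it is (the way a
    misreported disk size would) and confirm the copy fails loudly, not silently."""
    tmpdir = tempfile.mkdtemp()
    src = os.path.join(tmpdir, "short.bin")
    with open(src, "wb") as f:
        f.write(b"A" * 100)
    try:
        image_device(src, os.path.join(tmpdir, "short.dd"), size=200)
    except IOError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("short read detected:", demo_short_read())
```

The returned record (byte count, MD5, SHA-256, and the post-copy verification) is what goes into your acquisition notes. Run it once against a known-size volume in the cloud you actually use: if device_size() returns 0 there, that provider is one where you must supply the size yourself, which is the silent failure Jake warned about.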

1:30pm Session - Memory forensics with Chad Tilbury

I should have gone into this session, but I was too busy talking to people through lunch. I did see the end and recognized a subset of slides from FOR508, but he ended it with a nice preview of Mac and Linux memory forensics.

2:30pm Session - Recovering your costs in ediscovery

Quote from a judge in Fair Housing Center of Southwest Michigan v. Hunt, where the judge chastised a party for turning the litigation into an e-discovery workshop.
Nice review of which ESI costs can be recoverable; this is good information for me to advise my clients with when they are not aware this exists.
If you want to recover costs you have to show detail and provide affidavits that explain why the work was necessary and how the costs break down.
Don't be vague on invoices, and document your work if you want your costs to be recoverable for your client in the event they prevail.
Moore v. Weinstein: the prevailing party received $36,196, of which the e-discovery service provider's charges made up $22,000, after asking for $40,000.
In-house work done within a party's own firm needs to have reasonable costs, and the work done must justify the rate sought.
A fun sidebar about Thor and S.H.I.E.L.D. and whether working with Thor would show the government endorsing a religion.
Interesting: court rulings have come out stating that native productions of documents are not recoverable costs.
No costs for hosting; courts still compare data hosting to warehouses holding paper, a non-recoverable cost.
Forensic costs within e-discovery are recoverable; forensic investigation fees of an expert witness are also recoverable separately.
Second 'geek break' discussion on how wills would affect 12 regenerations of Dr. Who.
