Gearing up for the holidays!

That topic can certainly mean multiple things like, "I am simply getting ready for Christmas" or "I am gathering all my geeky electronics so I can stay connected while out of town" or "I am hoping to get a iPod Video for Christmas." When I started writing it, I was just referring to getting all of our stuff together, but there is a lot of geek stuff that I tend to take with me...PowerBook, iPod, Treo 650, CDs/DVDs and some piece of hardware I am messing around with like a firewall, router, external hard drive or sometimes even a full blown PC. This year will not be overpacked. I have an article to start working on ASAP which will be done on my PowerBook with Virtual PC while listening to my iPod.

Enough of my rambling...it is the Friday before Christmas and campus is dead. Time to go home and work from the comfort of my couch.

Merry Christmas!

Podcasts I Listen To...

I was planning on getting this list out last week but never bothered to sit in front of my desktop to look at the iTunes podcast subscriptions since I post to my blog from my PowerBook. So, here it goes. They are in alphabetical order thanks to iTunes. I will post my opinions and descriptions with each one. Note: This list and the links took quite a while to put together. I hope you find it useful. Disregard misspellings and such because it is late!

• A Day in the Life of an Information Security Investigator
• This is a fun and informative listen. It is based on the Chief's blog. The Chief, aka Security Monkey, talks about his cases as a security investigator, answers questions from his monkey (blog readers) and allows his right-hand man, Scrap, to rant. Definitely one of my favorites.
  
• Ancestor
• This is a podcast novel by Scott Sigler who releases a new chapter/episode every week. Another one of my top favorites. I really look forward to listening every Mon as the story unfolds. If don't mind some blood, gore and explicit language, check it out!
  
• Blue Box: The VoIP Security Podcast
• I had to catch up as I came into listening around the 8th episode. It is a good podcast about VoIP issues, current trends, new products and topics from the VOIPSA mailing list.
• Diggnation
• I enjoy just about every episode. I find myself laughing out loud to while walking around campus or having lunch in the breakroom. Kevin and Alex talk about the top "dug" stories from the site Digg.com. They provide adolescent humor the entire time making me wonder why I like it so much, but I think it just reinforces why I like it so darn much. The comic relief makes it one of my top favorites.
  
• EarthCore: A Podcast Novel
• This is the first podcast novel ever and Scott Sigler did a great job. I was always looking forward to the new episodes. It has ended and even become published because of the huge fan base. You can catch up on all the episodes as they are still online. This ranks in my top favorites. Plenty of blood, gore and explicit language.
  
• ITC: Security
• I keep this in my iTunes list in hopes that good stuff will come around again. There have been three really good ones that I have saved and sometimes relisten too. Most suck. The chick who runs the "security university," or whatever it is called, is a moron and conducts awful interviews. Check out the ones with Ron Gula and Dan Geer. I also have Bruce Schneier's in my list under ITC but can't remember if it was really that good.
• Martin McKeay
• Martin is a CISSP with a pretty good blog. He is focused quite a bit on the Payment Card Industry (PCI) regulations and has some good insight into it. I enjoy his blog and podcast but wish he would fix it so I could subscribe via iTunes. As he gets more into podcasting and decides more on a structure for the shows, I could see this as possibly becoming a favorite.
  
• Mighty Seek: WebAppSecurity
• There have only been a handful of episodes but they were pretty good regarding web application security. The host gets on his soapbox a bit but he has intelligent arguments. I hope to hear more good stuff from this one.
  
• Mommycast.com
• I started listening to a couple of these after I had begun downloading them for my wife. At the time, she was pregnant and I was able to use some of the things I learned from the podcast to immediately help her through the pregnancy. It has been a couple of months since I listened to any of them but keep them around for her and the chance I might be interested again.
  
• Network Computing | Security Channel
• I subscribed to this because it is done by a friend of mine. I have only listened to about 4-5 of them and enjoyed a couple. The ones that include interviews are usually the best ones. If you are of limited time and get bored easily, you might want to pass over this one. I do expect it to get better, but it isn't there yet.
  
• NotParanoia Podcasts
• I'm not sure I have made it through a full episode yet. The hosts are in Australia and England making the sound quality pretty shoddy. I keep it in my list so that one day I will go back and give it another chance. Maybe the newer ones have gotten better. YMMV.
  
• NPR: 7AM ET News Summary
• I am not a world news, or even a local news, nut. If the news doesn't come in a security related e-mail, I don't usually know about it. This is my weak attempt at knowing what is going on in the world.
  
• PaulDotCom Security Weekly
• This is a pretty decent podcast. I do get a little tired of the guys rehashing current security issues but it is fun to listen to their ideas. They tend to be goofy when referring to putting on their White/Gray/Black hats when discussing issues but I have hope that they will continue to refine their podcast.
  
• SABAGsecurity
• This is by two guys that work for McAfee. It is pretty good. They don't evangelize their products as much as you might think. McAfee product coverage is minimal with only talking about new releases or bugs. The rest of the time is spent on a topic of the week or month and current "notable" vulnerabilities. Not a favorite but it has potential.
  
• Security Catalyst
• This is a great podcast. Michael is a Lead CISSP Instructor who speaks and trains professionally. He has good insight into security topics, does not focus on current issues (thankfully) and has grand plans for his podcast. He is currently looking for a co-host and has an "editorial board" to help plan the episodes. Michael certainly puts a lot of time and effort into his podcast. I enjoy this one quite a bit and expect it to become a top favorite.
  
• Security Now!
• Ugh...I'm not sure why I keep this around. Steve Gibson is a smart guy but sometimes sounds like he needs to switch to decaf cause he gets talking so fast that he says the wrong thing. Now, I am sure it is simply because he is overexcited and confuses himself. But then again, maybe the fact the Leo Laporte is a computer security ID10T. Seriously, Leo is security stupid. It hurts me to listen sometimes. I don't think I have ever listened to a full episode out of boredom or disgust. I think I just keep it around for pure masochistic joy.
  
• Systm
• This is a video podcast that I have only watched one episode but plan on going back and watching. I have an iPod Photo so watching it requires me to sit in front of my desktop, which I don't do much anymore since thanks to my PowerBook. This one has some definite potential as long as Kevin Rose doesn't try to act too much like a "hacker."
  

Helix 1.7 is out!

Did you get the message? Neither did I. Helix is an awesome Linux bootable CD for incident response and forensics. On top of being a great bootable CD, it has an excellent Windows incident response side to it. Sort of a Dr Jekyll Mr Hyde type of thing. It is bizarre to me that such a nice update didn't get any fanfare. The Helix site doesn't even state that 1.7 is available. The forum mentions it and the changelog is updated but the page doesn't state the version or an updated file hash.

Some of the highlights of the update include Linux and Windows features. Some of the Linux updates include a 2.6.14 kernel, updated tools like Autopsy, Sleuthkit, Firefox, dcfldd, and new tools like the EnCase Linen Utility, tcpxtract and hfsplus for Mac drives. For Windows, a new GUI, log files saved in PDF, updated tools like WFT, FRED. and new tools such as IRCR, Forensic Server Project and FTK Imager.

Definitely check out Helix when you have time. It is worth your time if you do any sort of Incident Response or Forensics. One beef I have with Helix is the GUI under Windows. I posted a message in the forum to see if Drew would modify Helix's behavior to open a CMD prompt first and then let the user choose to run the GUI if they want. Why? The GUI loads into RAM and could potentially overwrite important evidence. I recommend going straight to a CMD, provide some scripts for imaging memory and local drives and then let users go into a GUI for more in-depth analysis...but that is just my 2 cents. Take for a spin and decide for yourself.

Knowing what's on your box...

Do you know what is running on your boxes? Really...are you sure? I was handling an incident today where a machine was compromised through a unnamed database running that was part of a terminal server application. The whole time I am investigating the compromise I was wondering if they knew the DB was running, and if so, did they think about whether or not it needed to be externally accessible and did they think that maybe it would need to be updated. Heck, maybe they thought the vendor who was using the DB would be responsible and provide updates to it. Beats me. As an incident handler, I don't always get my hands on the boxen that get 0wN3d. I get to provide the network forensic data proving it was compromised so that the system administrator can deal with it appropriately.

On a related note, the first alpha release of Metasploit was released yesterday. It is now based on the Ruby programming language which a friend of mine referred to as being as simple as writing pseudocode. I plan on checking it out as it may be applicable the the private hacking challenge I am working on. The whole point of this paragraph is that I was wondering if the release might have be why we saw the DB get exploited today. I haven't bothered checking all the new sploitz included in the the alpha release, but I can tell you that last year's big release caused a two immediate compromises of servers running the Veritas Backup Exec agent.

That's enough for now. I have to run home to get ready for a party that is an hour and a half away. I know I promised my lists of podcasts today but that will either have to wait until after the party or maybe later this weekend. TGIF!

When to rebuild...

We have this little section in our policy that states a system must be rebuilt after it is compromised. In some situations, the rebuild will be at the discretion of the Information Security Manager. Unfortunately, system administrators like to argue about this or simply ignore it when it comes to malware. I have seen computer support technicians work on a spyware/adware infected box for THREE DAYS before finally giving up and rebuilding. Get a freaking clue people!!! The box could have been rebuilt using Ghost, Microsoft ADS or favorite imaging app in 20 to 60 minutes, yet you wasted 3 days. Holy crap! I seriously wanted to smack some of these people. There are some malware infections that are very simple to alleviate, but others are a real pain and most help desk people are not trained to deal with these types of things. I truly amazes me. I have had things handed to me that were not able to be "cleaned" by the help desk that I solved in 5-10 minutes yet spent the next 30 minutes verifying that it wasn't something more sinister. Rootkits are becoming more prevalent and more malware is using a "rootkit" driver to hide their processes so why not make it easy on yourselves. Spend some time developing a process where you can burn your systems down to a wiped disk, apply and image or slipstreamed OS/app install and be done with it.

Geez...enough ranting. I need to work on my list of updated tools to put on this site but that probably won't happen until next week. I will have my podcast listing up tomorrow.

Crime Scene: What to do with a running system?

Are there any forensic specialists out there that analyze a machine while it is running at the crime scene before pulling the power? Why I am asking? I was sitting in a presentation this morning by a law enforcement officer who is said to be a court certified computer forensic expert. He stated that a machine should have its power cord unplugged upon seizure. Someone asked about dumping memory and his response was that it was saved in swap space and will be intact. I don't want to get into why this is not true, but I am curious how many people do live analysis before taking down a system. There is lots of juicy info available in memory and will be lost as soon as power is gone. Of course, if you have an idiot in front of the keyboard, more harm than good can be done. For a trained forensic specialist, I think they could get important information from the live system, document EXACTLY what they did and it hold up in court. Any thoughts??

CISSP - To Be or Not To Be...

I am seriously considering getting the CISSP. Why? Well, I almost feel like I am missing something by not having it. One of my good friends, whom I respect as a security professional, has had it for a couple of years. There are also two podcasts that I listen to regularly and both individuals are CISSP's. The content of the podcasts are excellent. Specifically, the Security Catalyst is excellent and put on by a CISSP trainer. His insight and topics are very good, much better than most of the podcast and blogs that I read. Of course, that could be a singular instance and not an example of most CISSPs.

I was at a SANS conference last year where I was hanging out with two really sharp fellows when we weren't in the forensics class. We were having sushi and beer when the topic of CISSP came up. They were shocked that I didn't have it yet when I have more advanced certs already. They equated it to a kind of "foot-in-the-door" cert that recruiters look for when scanning applications. I shrugged it off thinking my more technical certs should outweight the CISSP but I am now reconsidering it.

This post is probably more than I want to devote to this topic for now until I talk to a few more friends in the sec biz to get their opinions. There will be a follow-up post about this later along with a post listing all the podcasts I listen to.

Easier & More Efficient Blogging...

I have been wanting to blog more often because I feel like I have lots of interesting things to add to the security world but find going to Blogger to be a small hurdle that prevents me from doing it. That is a truly lame excuse but it has been enough to cause me to search for more efficient blogging methods. I am now testing Flock, a new Open Source web browser designed to "make it easier to blog, publish your photos and share and discover things." If this is successful, you will start seeing daily blogs from me...which may lead me to my eventual goal of developing a podcast.

HOORAY! Mac OS X Update 10.4.3 LOVES Virtual PC 7.02 for Mac

I am usually quick to update the latest security fixes and OS patches but didn't get around to it until this morning. What? You're saying that waiting one day after Apple's 10.4.3 update is still freaking fast...well, in the world of enterprise computing, yes, it is, but I am just an individual. Anyways...I have a point

Since I delved into the world of Apple ownership, I was frustrated by the lack of *real* support for Microsoft's Virtual PC for Mac. It could simply be that people don't use it very much...better yet, security professionals and hackers don't use it very much on Macs. That is probably true because finding solutions to problems with it is far from easy compared to VMware.

I still haven't found the solution to my problem with having full network access to the Virtual Machine while it is in "network sharing" mode (aka NAT). BUT, the update to 10.4.3 fixed the Virtual Switch!! What does this mean? Well, the Virtual Switch lets your Virtual Machine get an IP as if it were on the LAN right next to your host machine. Now, when I boot up my Virtual Machine running FreeBSD 5.4, it gets a private IP address on the UF network just like my PowerBook. This gives me the chance to connect/exploit services on the Virtual Machine and thus bypassing the "network sharing" issue. Thanks, Apple, for fixing this issue!!

Quick Book Review: "Stealing the Network : How to Own an Identity"

I just finished this book on Sun after about a month of trying to get through it. Overall, it was a pretty good book. Because it was written by about 8 different authors, it doesn't flow very well. Now, its predecessor, "Stealing the Network : How to Own a Continent," flowed much better, had just as many authors and was technically superior. I was surprised at the large number of types and grammatical errors. Maybe it was because of them rushing to print? Beats me. It was a pretty good sequel and some of the chapters were genuinely enjoyable. If you haven't read "How to Own a Continent," I highly recommend it. If you have, then consider this one if someone gives you a free copy or you get it cheap used.

What is going on with me? Updates are here!

I thought I should get a little something up here since people do check regularly and I was just prodded by Martin McKeay after commenting on his blog. If you haven't read his blog, check it out.

Work is great! I am really enjoying my new position on the UF Security Team within the University of Florida. Our website is a little weak right now, but we have a Public Relations person that was hired just before me, and it is one of her projects. I hope to assist and provide information on secure OS builds, incident response tools and procedures, possibly even a security blog...but that might not fly.

I have settled in pretty well with my new Apple PowerBook. It has taken some getting used to. Compiling different forensics tools has not been a problem. I did a quick test of MetaSploit Framework 2.5 and it seemed to work fine. Working within Virtual PC is limiting compared to VMware, but I am getting by OK withing snapshots. :-( I was surprised to find that I could install FreeBSD 5.4 in it.

My coworker Jordan and I are working on "Hacking: The Art of Exploitation" with some guidance from our friend Atlas we met last year at a SANS conference. Atlas was first place individual (Ronin) and third place overall in Capture the Flag (CTF) at Defcon 13. It is very cool stuff. Some of the examples work on MacOSX while the rest I have had to SSH into a SUSE 8.0 Linux box. Oddly, the examples don't work on my SUSE 9.3 box, which I think has to do with some sort of kernel setting for exec-shield, but I don't know yet. I am looking forward to getting into working on real executables...like the ones from CTF.

What else? I am DJing again this weekend at a Haunted House in Orange Park. My daughter, Gabriella Skye, is almost 5 months old. I am drinking coffee daily again, more water, less soda.

I think that is about it. I promise to start posting more technical stuff. My goal will be at least once a day during the week depending on if I am in the office of not. Have a great Halloween!!!

My New PowerBook and MS Virtual PC vs Snapshots

I decided to take the plunge and get a new 12" Apple PowerBook when I had the opportunity to choose what to buy after starting my new job. Sarah used to have an iBook when she was teaching and it was definitely fun to play with to see what kind of Unix-fu I could perform on it. Add in my desire to learn more about forensics and incident response for Macs and I couldn't resist the urge. It took almost a week to get feeling productive and efficient with it.

Where am I going with this? Well, I love playing with malware and testing incident response techniques on virtual machines. My first love is VMware but there is no Mac version so I am forced to use MS Virtual PC. Unfortunately, it doesn't do snapshots like VMware...BUMMER! I'm not really a fan of undo disks but it maybe what I am forced to do. One idea was to use a tool like Deep Freeze or ShadowUser to lock the system so that any changes were undone with a reboot which is a bit like a costly version of undo disks. I am going to test each method and see which is the easiest and most efficient. Until I decide, I will be making duplicates of my VPC files, working on the dupe and deleting it after my test.

ADDENDUM: I have settled on Undo Disks. The additional software adds a level of unneeded complexity and that is something I definitely don't desire when doing malware analysis. One feature I found during testing is the ability to carry forward changes during reboots when using Undo Disks. Sometimes it is necessary to reboot during analysis to see how malware will react...nice feature! One thing I did not check was how this affects booting up with Helix and dd'ing the hard drive. That is one more test to check. :-)

FAEDS Presentation

I presented at the Florida Association of Educational Data Systems (FAEDS) for the 3rd year in a row. This year's presentation was based on last years where I went through the stages of incident response and the tools associated with it. Again, I ran over time this year but not as bad as last year, since I tried to fit in the stages of an attack last year. The disappointing part is I didn't get to do my full demonstration of malware analysis in VMware. Oh well, I will either plan better next year (if I get asked back) or ask for two sessions. The presentation is available by clicking on the title of this post. It is a PDF created from PowerPoint 2004 on my new Apple PowerBook. The presentation is a combination of things I have learned through my experience working for the University of Florida, books and blogs I've read and training through the SANS Institute. I hope to start adding in tutorials on malware analysis with videos and screenshots soon.

Memory analysis

I mentioned this in an earlier post about using dd for memory dumping and analyzing it with strings and how Harlan Carvey was blogging about using the MS Debugging Tools. Well....how far do you think I got with the debugging tools? Yep, practically nowhere. The tools weren't intuitive, I'm not a programmer and you have to have the machine preconfigured to make the dump that the debugging tools can read. LAME!

So, where I am going with this? The Digital Forensic Research Workshop (DFRWS.org) held their conference in Aug where they put on a forensic challenge based on memory analysis. Two entries received top showing on their website and each contained custom programmed tools to parse memory. The real question is will they be releasing these tools. Kntlist looks like it might be a commercial tool written by George M. Garner, but the more interesting tool (or possibly easier) is memparser which rips through a memory dump and pulls out process lists and detailed info about individual processes. Check out the DFRWS site and look for the memory challenge results.

So much going on...

I can't believe it has been two months since my last post. Since then, I have started a new job as an IT Security Engineer for the University of Florida Security Team, finished the silver GIAC Certified Forensic Analyst cert, written four articles for Network Computing and Secure Enterprise magazine (one already printed in Aug) and more that I am too tired to remember.

I will be presenting again this year at the Florida Association of Educational Data Systems (FAEDS) this year. My title isn't up yet, but I am planning on, "Windows Incident Response, Forensics and Malware Analysis." That might be a lofty goal since I only have a fifty minute spot. I expect to post more on the presentation topic as it develops. Last year, I tried to do to much, ran over, but people were skipping lunch to hang out and hear more. That was cool, plus the president said to one of our administrators when asking if I could return, "Last year one of the most popular and valuable sessions at our conference was by John Sawyer, an engineer from your organization." More to come...

Time for a server upgrade...

Our server went down for a while Fri. I'm not quite sure how long since Sarah was on it early Fri evening updating photos and I noticed it around 1:15am Sat. It is an old Gateway 450 MHz Pentium II with 256 MB RAM running Suse Linux that probably is either having a power supply problem or I kicked it too many times under my desk. I have considered upgrading it for quite sometime considering there are three fast AMD's sitting next to it. I hate to have to run too many machines simultaneously. Virtualizing it is something that has crossed my mind before since there is a smoking fast dual processor AMD Athlon MP 2000+ & 1800+ machine with 3 gigs of RAM sitting next to me. It is primarily my malware analysis box that is currently in flux as to the OS that will end up on it. I like Suse and Kubuntu. Suse is slick and well-done, plus I like KDE. Suse also is not free and RPMs suck. Kubuntu uses KDE and is Debian-based making software management so much easier than RPMs, but alas, the SMP support is not fabulous and it destroyed the performance of my VMware virtual machines. I downloaded the ISO for Yoper and may try that out after I finish my current NWC review (Red Hat stuff ;). There is a dual mobo with an Athlon MP 1800+ with a gig of RAM that I may be giving Jordan soon. Maybe I can talk him into buying me an Athlon MP 2600+ in exchange so he could then have it with dual 1800+ processors. That is an idea that I might just have to bug him about.

Currently, my desktop is an Athlon 64bit 3200+ with a gig of RAM and there is an Athlon 2600+ with a gig of RAM just sitting next to it unused. Maybe it should become a file and web server...I just don't know. So much power and so little bandwidth used by our sites. That is partly why I was thinking of virtualizing the web server. It provides a layer of security in addition to being able to consolidate server tasks to one powerful machine. Enough rambling about this. I still have yet figured out the true usefulness of the debugging tools I wrote about previously. They are installed, I created a crash dump, opened it to see complaints about symbol issues and have not been able to get much further. Time to sleep since Gabi is finally sleeping. Good night.

Current Incident Response Toolkit

I have finally compiled my latest IR Toolkit list based on the list layout from Scott F. in the ISC diary (mentioned in a previous post below). I carry several CD's with me that are customized bootable CD's. My primary CD is Helix with all of my tools listed below added into the bin folder so they are available from the custom command prompt, Auditor CD, Whoppix CD, and Knoppix CD. I expect to update my toolkit soon to include the MS Debugging Tools once I become more familiar with it. VMware is my testing platform of choice and my backup DVD contains several custom installs of WinXPPro and Win2003Server with different sized OS drives (so dd'ing them doesn't take forever). I need to go back and modify those environments so they can do memory dumps for analysis as mentioned in Harlan Carvey's blog. Note: McAfee is licensed under my employer's contract and Ad-Aware is not freely licensed for academic use.

Adware & Spyware Tools
|-- Ad-Aware SE Personal - 1.06r1
|-- BHO Demon - 2.0.0.22
|-- CWShredder - 2.15
|-- HijackThis - 1.99.1
|-- Microsoft Windows AntiSpyWare - 2/16/2005 Beta
|-- Spybot Search and Destroy - 1.4

Antivirus Tools
|-- McAfee CleanBoot - 1.0
|-- McAfee Stinger - 2.5.4
|-- McAfee VirusScan Enterprise - 8.0i
|-- Microsoft Malware Removal Tool - 1.4

Incident Response ToolKit
|-- DiamondCS CmdLine - 1.0
|-- DiamondCS OpenPorts - 1.0
|-- FoundStone BinText - 3.0
|-- FoundStone Forensic Toolkit - 2.0
|-- FoundStone Fport - 2.0
|-- FoundStone Galleta - 1.0
|-- FoundStone Pasco - 1.0
|-- FoundStone Rifuti - 1.0
|-- FoundStone ScanLine - 1.01
|-- FoundStone ShoWin - 2.0
|-- FoundStone SuperScan - 4.0
|-- Heysoft LADS - 4.0
|-- Inetcat.org NBTScan - 1.5.1
|-- myNetWatchman SecCheck
|-- NetCat - 1.1
|-- NirSoft CurrPorts - 1.05
|-- NirSoft CurrProcess - 1.10
|-- NirSoft StartupRun - 1.22
|-- NTSecurity.nu PMDump - 1.2
|-- SysInternals AccessEnum - 1.2
|-- SysInternals AutoRuns - 7.01
|-- SysInternals Contig - 1.52
|-- SysInternals DiskView - 2.0
|-- SysInternals FileMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Hex2dec
|-- SysInternals ListDLLs - 2.25
|-- SysInternals Page Defrag - 2.3
|-- SysInternals ProcessExplorer 9x,NT,x64- 9.11
|-- SysInternals PS Tools - 2.15
|-- SysInternals RegMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Rootkit Revealer - 1.4
|-- SysInternals Sdelete - 1.4
|-- SysInternals ShareEnum - 1.6
|-- SysInternals Sync - 2.2
|-- SysInternals Sigcheck - 1.2
|-- SysInternals Strings - 2.1
|-- SysInternals TCPView - 2.4
|-- Red Cliff Web Historian - 1.1
|-- Sam Spade - 1.14
|-- Tigerteam.se SBD (encrypted netcat) - 1.36
|-- UnxUtils - 04-14-03
|-- Windows Forensic Toolchest (WFT) - 2.0

Security Tools
|-- Ethereal - 0.10.11
|-- Nmap - 3.81
|-- MS Baseline Security Analyzer - 1.2.1
|-- Putty - 0.58
|-- WinDump - 3.8.3 beta
|-- WinPcap - 3.1 beta 4
|-- WinSCP - 3.7.5 beta

MS Debugging Tools vs. DD & Strings

How do you analyze memory (live or dumped)? Most people I know, texts read and classes taken speak of using strings (cli) or bintext (gui) against a dd of memory. Strings will pull out all kinds of interesting information like URLs, IPs, usernames, passwords, parts of files, so on and so forth. Of course, all the information is a pain to sort through thanks to all the non-human readable crap contained within memory. Pmdump (cli) or CurrProcess (gui) are used on live systems to dump running processes letting us see decrypted malware to help determine its intent through strings or running against a slew of virus scanners to see if its core is a variant of something else.

Harlan Carvey has a couple of blog entries about "RAM, memory dumps and debuggers" that raises several issues I hadn't thought of before now. I have tried my hand at Ollydbg and a couple of pieces of malware to learn more about their protection scheme and the underlying goal of the writer but never really knew what I was doing. Now, I have new tools to learn to pick apart malware. The next step is to add them to my custom Helix CD and see what I can break. Also, Harlan (or is it Mr Carvey) linked several MS KB articles about generating full memory dumps, kernel memory dumps and small memory (64K) dumps on command.

I will write more when I get some testing time in. For now, I have to work on a review for NWC. That, and my list too. I will add the MS debugger to that list, now.

Good Tool Listing on ISC

There is a good listing of incident response tools listed during one the daily journals on the Internet Storm Center. The list was done by Scott F. (I don't know who he is) and is organized quite nicely. I like the way the tools are listed and will post my kit shortly in the same manner but with version numbers making it easy to keep track of what I have so checking the tools site can show me quickly if I have the latest version or not. The other thing I like doing that was not touch on is using Helix as my main IR tool. Scott's list includes Helix at the bottom as an "additional CD I keep around for the Unix geek in me." Helix's live IR analysis features ROCK! I have customized the win32 side of Helix with tools the I prefer to use and were not included originally, in addition to updated versions of the tools that have been released since Helix was pressed. And, to top it all off, I ripped out the Unix side of Helix and created a custom WinPE environment which is a little more useful in win32 IR and forensics. What is the ETA on my list??? This week since I will be telecommuting from home in order to help out with my new beautiful daughter, Gabriella Skye Sawyer. The next few weeks of telecommuting will give me the opportunity to catch up on documentation and policy items. Yeah, go ahead and groan as I did when typing that. Policies = Political Ick!

The Joy of Reading

So, I used to read tons of books in high school and community college, but got out of the habit once I found my way down to the University of Florida. I have read through a number of computer and security related books over the years and never really gotten the enjoyment out of them the same as when I read previously. Last year, "Stealing the Network: How to Own a Continent" was placed into my lap by a co-worker thinking it was right up my alley. It was a great book. I wish there were more computer books written this way to make them more readable instead of the typical dry, technical content. I haven't even read a technical book cover to cover in over a year because of the lack of page-turning quality found in a good novel.

Thanks to Sarah, I have fallen in love with reading, again. She has tried getting me to read several times over our years together, but it wasn't until our honeymoon trip to Maui in March that she suckered me into reading a John Grishman book we had laying around and BOOM! I read three novels before we returned to the mainland. Below are the books I have read so far this year, the ones I am currently reading and those I am looking forward to reading.

Books I read in 2005:
The Zero Game - Brad Meltzer
The Tenth Justice - Brad Meltzer
Dead Even - Brad Meltzer
The Last Juror - John Grisham
The King of Torts - John Grisham
The Summons - John Grisham
Frankenstein Book One: The Prodigal Son - Dean Koontz
The DaVinci Code - Dan Brown

Books I am Reading:
The Millionaires - Brad Meltzer
The Art of Intrusion - Kevin Mitnick

Looking forward to reading:
The Broker - John Grisham
Angels & Demons - Dan Brown
Deception Point - Dan Brown
Digital Fortress - Dan Brown
Split Second - David Baldacci

BBQ at the ClubHouse

We had a BBQ at the ClubHouse in our neighborhood Capri, today. It was a lot of fun. I spent most of the time cooking hamburgers and hot dogs in between making sure everyone was having a good time. Check out our website at HankandSarah.com for more information.