Saturday, June 25, 2005

Time for a server upgrade...

Our server went down for a while Fri. I'm not quite sure how long since Sarah was on it early Fri evening updating photos and I noticed it around 1:15am Sat. It is an old Gateway 450 MHz Pentium II with 256 MB RAM running Suse Linux that probably is either having a power supply problem or I kicked it too many times under my desk. I have considered upgrading it for quite sometime considering there are three fast AMD's sitting next to it. I hate to have to run too many machines simultaneously. Virtualizing it is something that has crossed my mind before since there is a smoking fast dual processor AMD Athlon MP 2000+ & 1800+ machine with 3 gigs of RAM sitting next to me. It is primarily my malware analysis box that is currently in flux as to the OS that will end up on it. I like Suse and Kubuntu. Suse is slick and well-done, plus I like KDE. Suse also is not free and RPMs suck. Kubuntu uses KDE and is Debian-based making software management so much easier than RPMs, but alas, the SMP support is not fabulous and it destroyed the performance of my VMware virtual machines. I downloaded the ISO for Yoper and may try that out after I finish my current NWC review (Red Hat stuff ;). There is a dual mobo with an Athlon MP 1800+ with a gig of RAM that I may be giving Jordan soon. Maybe I can talk him into buying me an Athlon MP 2600+ in exchange so he could then have it with dual 1800+ processors. That is an idea that I might just have to bug him about.

Currently, my desktop is an Athlon 64bit 3200+ with a gig of RAM and there is an Athlon 2600+ with a gig of RAM just sitting next to it unused. Maybe it should become a file and web server...I just don't know. So much power and so little bandwidth used by our sites. That is partly why I was thinking of virtualizing the web server. It provides a layer of security in addition to being able to consolidate server tasks to one powerful machine. Enough rambling about this. I still have yet figured out the true usefulness of the debugging tools I wrote about previously. They are installed, I created a crash dump, opened it to see complaints about symbol issues and have not been able to get much further. Time to sleep since Gabi is finally sleeping. Good night.

Saturday, June 18, 2005

Current Incident Response Toolkit

I have finally compiled my latest IR Toolkit list based on the list layout from Scott F. in the ISC diary (mentioned in a previous post below). I carry several CD's with me that are customized bootable CD's. My primary CD is Helix with all of my tools listed below added into the bin folder so they are available from the custom command prompt, Auditor CD, Whoppix CD, and Knoppix CD. I expect to update my toolkit soon to include the MS Debugging Tools once I become more familiar with it. VMware is my testing platform of choice and my backup DVD contains several custom installs of WinXPPro and Win2003Server with different sized OS drives (so dd'ing them doesn't take forever). I need to go back and modify those environments so they can do memory dumps for analysis as mentioned in Harlan Carvey's blog. Note: McAfee is licensed under my employer's contract and Ad-Aware is not freely licensed for academic use.

Adware & Spyware Tools
|-- Ad-Aware SE Personal - 1.06r1
|-- BHO Demon - 2.0.0.22
|-- CWShredder - 2.15
|-- HijackThis - 1.99.1
|-- Microsoft Windows AntiSpyWare - 2/16/2005 Beta
|-- Spybot Search and Destroy - 1.4

Antivirus Tools
|-- McAfee CleanBoot - 1.0
|-- McAfee Stinger - 2.5.4
|-- McAfee VirusScan Enterprise - 8.0i
|-- Microsoft Malware Removal Tool - 1.4

Incident Response ToolKit
|-- DiamondCS CmdLine - 1.0
|-- DiamondCS OpenPorts - 1.0
|-- FoundStone BinText - 3.0
|-- FoundStone Forensic Toolkit - 2.0
|-- FoundStone Fport - 2.0
|-- FoundStone Galleta - 1.0
|-- FoundStone Pasco - 1.0
|-- FoundStone Rifuti - 1.0
|-- FoundStone ScanLine - 1.01
|-- FoundStone ShoWin - 2.0
|-- FoundStone SuperScan - 4.0
|-- Heysoft LADS - 4.0
|-- Inetcat.org NBTScan - 1.5.1
|-- myNetWatchman SecCheck
|-- NetCat - 1.1
|-- NirSoft CurrPorts - 1.05
|-- NirSoft CurrProcess - 1.10
|-- NirSoft StartupRun - 1.22
|-- NTSecurity.nu PMDump - 1.2
|-- SysInternals AccessEnum - 1.2
|-- SysInternals AutoRuns - 7.01
|-- SysInternals Contig - 1.52
|-- SysInternals DiskView - 2.0
|-- SysInternals FileMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Hex2dec
|-- SysInternals ListDLLs - 2.25
|-- SysInternals Page Defrag - 2.3
|-- SysInternals ProcessExplorer 9x,NT,x64- 9.11
|-- SysInternals PS Tools - 2.15
|-- SysInternals RegMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Rootkit Revealer - 1.4
|-- SysInternals Sdelete - 1.4
|-- SysInternals ShareEnum - 1.6
|-- SysInternals Sync - 2.2
|-- SysInternals Sigcheck - 1.2
|-- SysInternals Strings - 2.1
|-- SysInternals TCPView - 2.4
|-- Red Cliff Web Historian - 1.1
|-- Sam Spade - 1.14
|-- Tigerteam.se SBD (encrypted netcat) - 1.36
|-- UnxUtils - 04-14-03
|-- Windows Forensic Toolchest (WFT) - 2.0

Security Tools
|-- Ethereal - 0.10.11
|-- Nmap - 3.81
|-- MS Baseline Security Analyzer - 1.2.1
|-- Putty - 0.58
|-- WinDump - 3.8.3 beta
|-- WinPcap - 3.1 beta 4
|-- WinSCP - 3.7.5 beta

Friday, June 17, 2005

MS Debugging Tools vs. DD & Strings

How do you analyze memory (live or dumped)? Most people I know, texts read and classes taken speak of using strings (cli) or bintext (gui) against a dd of memory. Strings will pull out all kinds of interesting information like URLs, IPs, usernames, passwords, parts of files, so on and so forth. Of course, all the information is a pain to sort through thanks to all the non-human readable crap contained within memory. Pmdump (cli) or CurrProcess (gui) are used on live systems to dump running processes letting us see decrypted malware to help determine its intent through strings or running against a slew of virus scanners to see if its core is a variant of something else.

Harlan Carvey has a couple of blog entries about "RAM, memory dumps and debuggers" that raises several issues I hadn't thought of before now. I have tried my hand at Ollydbg and a couple of pieces of malware to learn more about their protection scheme and the underlying goal of the writer but never really knew what I was doing. Now, I have new tools to learn to pick apart malware. The next step is to add them to my custom Helix CD and see what I can break. Also, Harlan (or is it Mr Carvey) linked several MS KB articles about generating full memory dumps, kernel memory dumps and small memory (64K) dumps on command.

I will write more when I get some testing time in. For now, I have to work on a review for NWC. That, and my list too. I will add the MS debugger to that list, now.

Sunday, June 12, 2005

Good Tool Listing on ISC

There is a good listing of incident response tools listed during one the daily journals on the Internet Storm Center. The list was done by Scott F. (I don't know who he is) and is organized quite nicely. I like the way the tools are listed and will post my kit shortly in the same manner but with version numbers making it easy to keep track of what I have so checking the tools site can show me quickly if I have the latest version or not. The other thing I like doing that was not touch on is using Helix as my main IR tool. Scott's list includes Helix at the bottom as an "additional CD I keep around for the Unix geek in me." Helix's live IR analysis features ROCK! I have customized the win32 side of Helix with tools the I prefer to use and were not included originally, in addition to updated versions of the tools that have been released since Helix was pressed. And, to top it all off, I ripped out the Unix side of Helix and created a custom WinPE environment which is a little more useful in win32 IR and forensics. What is the ETA on my list??? This week since I will be telecommuting from home in order to help out with my new beautiful daughter, Gabriella Skye Sawyer. The next few weeks of telecommuting will give me the opportunity to catch up on documentation and policy items. Yeah, go ahead and groan as I did when typing that. Policies = Political Ick!