Thursday, September 29, 2005

My New PowerBook and MS Virtual PC vs Snapshots

I decided to take the plunge and get a new 12" Apple PowerBook when I had the opportunity to choose what to buy after starting my new job. Sarah used to have an iBook when she was teaching and it was definitely fun to play with to see what kind of Unix-fu I could perform on it. Add in my desire to learn more about forensics and incident response for Macs and I couldn't resist the urge. It took almost a week to get feeling productive and efficient with it.

Where am I going with this? Well, I love playing with malware and testing incident response techniques on virtual machines. My first love is VMware but there is no Mac version so I am forced to use MS Virtual PC. Unfortunately, it doesn't do snapshots like VMware...BUMMER! I'm not really a fan of undo disks but it maybe what I am forced to do. One idea was to use a tool like Deep Freeze or ShadowUser to lock the system so that any changes were undone with a reboot which is a bit like a costly version of undo disks. I am going to test each method and see which is the easiest and most efficient. Until I decide, I will be making duplicates of my VPC files, working on the dupe and deleting it after my test.

ADDENDUM: I have settled on Undo Disks. The additional software adds a level of unneeded complexity and that is something I definitely don't desire when doing malware analysis. One feature I found during testing is the ability to carry forward changes during reboots when using Undo Disks. Sometimes it is necessary to reboot during analysis to see how malware will react...nice feature! One thing I did not check was how this affects booting up with Helix and dd'ing the hard drive. That is one more test to check. :-)

FAEDS Presentation

I presented at the Florida Association of Educational Data Systems (FAEDS) for the 3rd year in a row. This year's presentation was based on last years where I went through the stages of incident response and the tools associated with it. Again, I ran over time this year but not as bad as last year, since I tried to fit in the stages of an attack last year. The disappointing part is I didn't get to do my full demonstration of malware analysis in VMware. Oh well, I will either plan better next year (if I get asked back) or ask for two sessions. The presentation is available by clicking on the title of this post. It is a PDF created from PowerPoint 2004 on my new Apple PowerBook. The presentation is a combination of things I have learned through my experience working for the University of Florida, books and blogs I've read and training through the SANS Institute. I hope to start adding in tutorials on malware analysis with videos and screenshots soon.

Monday, September 12, 2005

Memory analysis

I mentioned this in an earlier post about using dd for memory dumping and analyzing it with strings and how Harlan Carvey was blogging about using the MS Debugging Tools. far do you think I got with the debugging tools? Yep, practically nowhere. The tools weren't intuitive, I'm not a programmer and you have to have the machine preconfigured to make the dump that the debugging tools can read. LAME!

So, where I am going with this? The Digital Forensic Research Workshop ( held their conference in Aug where they put on a forensic challenge based on memory analysis. Two entries received top showing on their website and each contained custom programmed tools to parse memory. The real question is will they be releasing these tools. Kntlist looks like it might be a commercial tool written by George M. Garner, but the more interesting tool (or possibly easier) is memparser which rips through a memory dump and pulls out process lists and detailed info about individual processes. Check out the DFRWS site and look for the memory challenge results.