Saturday, January 14, 2006

Be Careful What You Say...It Might End Up Online!

At the DoD conference, I met a fellow named Paul F. Roberts who is a Senior Editor with eWeek. Jordan and I chatted with him for a while in the Expo Hall while killing time waiting for the Floppy Disk Throw. During the chat, we talked about the Mac OS X Forensics class I was in along with other presentations that either Jordan or I had attended. He showed interest in the Mac class and our experiences with them at work. Paul never mentioned he might include any of this in an article but I guess we should have expected it since he was "covering" the event.

I was taking a break from my article writing and thought I might check out the eWeek site to see what kind of stuff Paul writes. A quick search for his name revealed a slew of articles written by Paul. At the time, the latest one was titled, "Gov't Cyber-sleuths Focusing on Linux, iPod, Xbox" so I clicked it wanting to see what Paul thought about the conference. I never expected to see our names mentioned, but there we were.

Nothing really worth noting, although I would have liked to see more in-depth and insightful quotes than the ones included since they were a bit vague. For example, the Apple PowerBook I use was purchased by UF so that I could learn more about forensics and incident response on the Mac OS X platform. Very true, however, it isn't really for the entire staff to learn from since it is my primary workstation that travels everywhere with me. As for Jordan's quote, he can address that if he wants. I won't put words into his mouth.

Moral of the story...if you don't want it said in an article, don't say it in front of a reporter. Thankfully, we didn't say anything bad, but it would have been nice to know that we might be quoted. It is something I will certainly remember in the future. Paul, if you're reading this, it was great meeting you and thanks for the Corona.

DoD - Day 6 - The End...

Day 6 - 01/13/2006: It is Friday the 13th and the final day of the Department of Defense Cybercrime Conference 2006. I admit that I am sad to see it end. Unlike most people I know, I truly love coming to conferences like this one where I am immersed into a learning environment and subjected to highly technical topics that I am interested in. It is fantastic. There were some presentations that were disappointing, but overall, it was worth every minute of my time.

The day started out early since I had to load up my junk because room checkout was around 11am when I would be in a presentation. After loading up, I headed over to Inverness Hall for breakfast and the "conference wrap-up." Nice things were said about everyone who participated and presented. Jordan and I won First Place in the Cipher Hunt challenge. Now that I think about it, I wish I had a copy of our challenges. Oh well. We received First Place medals in the DoD Cybercrime Olympics 2006 along with USB Aquariums. I received two nice certificates; a generic one for attending the conference and a very nice one for completing the 2 day Mac OS X Forensics class. Those were bonuses I wasn't expecting.

The first presentation of the day was "Identity Theft" by Kevin Mandia. Kevin is an awesome speaker. I was really impressed by his "stage presence" and comfort with the material. He went through a case study of a woman who had $50,000 stolen from her accounts which was later determined to have been accomplished by exploiting Internet Explorer on her computer and installing a keylogger. Great intro to people who don't do incident response and know the associated tools.

The second and last presentation focused on BitTorrent and forensics. It was quite an interesting topic. One of the dilemmas mentioned deals with how investigators tracking down child porn deal with the issue of forced sharing when they are trying to download and verify potential child porn images. As soon as the investigator finishes downloading a file chunk, it is automatically shared out to others making the investigator a distributor of child porn. It raised several questions that I would like to research later on and possibly provide some help to the author and law enforcement (forensic) community.

I am now hanging out at my sister-in-law's house working on an article with a looming deadline but wanted to get in my last conference update. It was a great experience. I loved meeting all of the interesting people and look forward to keeping in touch with them. I am already anticipating next year's conference. Thanks to DoD, JTF-GNO & Technology Forums.

Thursday, January 12, 2006

DoD - Day 5 Update

Day 5 - 01/12/2006: Today may have been the least exciting day so far. I expected more from several of the presentations I attended. There were several cool people that I met and hung out with which makes up for the mediocre day. It started out with an early breakfast where I sat with some of the Air Force OSI guys, a Marine JAG fellow and a Naval Post Graduate School sysadmin. Very cool people.

The first presentation must have been specifically for law enforcement folks since it wasn't overly technical. Nothing wrong with that, but the title of "Hacking and Forensic Analysis of an iPod" made me expect more. The presentation briefly went over the partition structure of iPods, the directory structure, "hiding" files on it and booting Linux from an iPod. I know many others in the class got lots from it so I won't knock it. It just wasn't technical enough for me.

My second choice was a presentation by a lawyer from the JTF-GNO about the rights of system administrators to provide info to law enforcement and what info can be given. It was definitely interesting and raised a few questions I have for the university environment. Not much more that I can say about this one. I do need to review the slides as he did not go over all of them. Great information and excellent speaker.

The third presentation was by Thane Erickson who taught part of the Mac OS X forensics class I was in earlier. He was focusing specifically on Tiger things that were different and/or not covered in the previous class that was mainly on Panther. I learned about the difference in how passwords were hashed between Panther and Tiger, how to crack them, details about Spotlight and associated commandline tools and Dashboard Widgets with their associated forensic value. Excellent stuff. Thane is a good presenter and knows his stuff well. If you ever see him, make sure you tell him that LSU SUCKS!!!

Next, I went to a talk titled, "Daubert Digital Forensics." Since I am not LE, this presentation was just something I thought I might learn more about. I did take a few notes but did not find it overly interesting. Right now, I bet you are thinking, "Duh, it is legal stuff. Of course, it isn't interesting." Well, you have a point, but one day, it might be something I have to adhere to...but not yet.

After lunch with the FDLE boys, I thought "Digital Crime Scene Reconstruction" would be good with Fred Cohen. Hmmm...other people enjoyed it more than I did. His talk did a good job of validating the Daubert talk but his constant joking and goofiness turned me off. During the presentation, I ended up designing a future hacking challenge network layout for UF where I will set it up and challenge all L33T hackers at UF to penetrate. It should be fun.

My next choice was another bust. How did I keep choosing crappy presentations? It was Johnny Long presenting "Death by a 1000 Cuts." How could it be lame? Have you read "Stealing the Network: How to Own an Identity?" If yes, then don't go to this presentation. It is a rehash of one of the chapters and not very exciting. I am really disappointed I chose it over Kevin Mandia's "Windows Malware Analysis" presentation. Johnny did get done 15 minutes early, so I was able to catch the last bit of Kevin's presentation which pissed me off even more that I chose the wrong presentation. I think by going to Kevin's "Identity Theft" presentation tomorrow, it will make up for it.

Finally, I caught the last hour of Bill Harback's "Examining the Windows Registry." It was FULL of windows registry information. Holy Crap! Bill went through so much in that hour, I would have had registry coming out of my ears if I had been there for both hours. Afterwards, he gave us updated copies of his presentation along with a free version of a registry tool that was recently purchased by a decently well known forensic tool company.

That's it for Thursday. The presentations I chose to attend certainly did not turn out as I hoped. Tomorrow will be better, especially since Jordan and I will be getting awards for kicking @$$ in the DoD Cybercrime Olympics. Now, I think I am going to drive over to Wing House or Hooters and work on an article for Secure Enterprise magazine that is due next week.

Wednesday, January 11, 2006

DoD - Day 4 Update

Day 4 - 01/11/2006: Today was a good day. Well, other than the fact that Jordan was stuck in our hotel room all day sick, today was definitely a good day for listening to excellent speakers. This morning started off with a Google hacking presentation from Johnny Long. It was a good presentation and pretty much a rehash of the related book, yet still entertaining.

Next, I sat through two 2 hr presentations by Richard Bejtlich from Tao Security. Most people know him from his extremely popular blog. Richard is a smart guy when it comes to network monitoring and incident response. To top things off, he is a fantastic speaker. His first presentation was on Network Incident Response and went through his standard incident response procedures. One issue he drove home with me was to not tip your hand when responding to an incident. Many times when I am incident handling, I will download the same tools that the attacker used which could easily alert them that I am tracking them if I download from a server they have compromised. There are two sides to the logic there, but if there is a risk the attacker might do more damage because they know I am aware of them, they may retaliate. He also had some good ideas of how to implement a logging only server and incident response in general.

Richard's next presentation focused more specifically on forensics from a network perspective. He had some interesting thoughts on creating a ring-buffer type of full packet network logger that simply sits and records all network data in 1gb chunks and overwriting the oldest chunks. Applying the theory of computer forensics to network forensics, he reiterated several times that the key to successful investigations and prosecuting is developing a sound methodology and sticking to it every time. Most of the interesting examples and ideas can be found on his blog as he has posted them at some point in the past. I am glad I made it to both.
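The ring-buffer idea described above, written out as an added example (this is not Richard's code or a tool from his talk). It keeps a fixed number of chunk files, each a stand-alone valid pcap (libpcap global header plus per-record headers) so every retained chunk opens in tcpdump or Wireshark on its own, and it deletes the oldest chunk whenever a new one is started. The chunk size and frame data are constructed for illustration; in production the same rotation is what tcpdump's -C and -W options provide, with 1GB chunks.

```python
"""Ring-buffer packet store: fixed-size pcap chunks, oldest overwritten first.

Added example. Chunk sizes and the sample frames are constructed; a real
deployment would use chunks on the order of 1GB and frames from a capture card.
"""
import struct
import tempfile
from pathlib import Path

# libpcap global header: magic, major 2, minor 4, thiszone 0, sigfigs 0,
# snaplen 65535, linktype 1 (Ethernet). 24 bytes, little-endian.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Per-record header: ts_sec, ts_usec, incl_len, orig_len. 16 bytes.
PCAP_REC_HDR = struct.Struct("<IIII")


class PcapRingBuffer:
    def __init__(self, directory, chunk_bytes, max_chunks):
        if max_chunks < 1 or chunk_bytes <= len(PCAP_GLOBAL_HDR) + PCAP_REC_HDR.size:
            raise ValueError("chunk must hold a header and at least one record")
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.chunk_bytes = chunk_bytes
        self.max_chunks = max_chunks
        self.seq = 0        # monotonically increasing chunk number
        self.fh = None      # currently open chunk
        self.used = 0       # bytes written to the current chunk

    def _rotate(self):
        """Close the current chunk, open the next one, prune the oldest."""
        if self.fh is not None:
            self.fh.close()
        path = self.dir / f"capture-{self.seq:06d}.pcap"
        self.seq += 1
        self.fh = path.open("wb")
        self.fh.write(PCAP_GLOBAL_HDR)   # each chunk is a complete pcap file
        self.used = len(PCAP_GLOBAL_HDR)
        # Zero-padded names sort chronologically; drop everything beyond the window.
        for old in sorted(self.dir.glob("capture-*.pcap"))[:-self.max_chunks]:
            old.unlink()

    def write_packet(self, ts_sec, ts_usec, frame):
        """Append one frame; a record never straddles two chunks."""
        rec = PCAP_REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame
        if self.fh is None or self.used + len(rec) > self.chunk_bytes:
            self._rotate()
        self.fh.write(rec)
        self.used += len(rec)

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def read_pcap(path):
    """Parse a chunk back into (ts_sec, frame) pairs to confirm it is well formed."""
    data = Path(path).read_bytes()
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian pcap file")
    off, frames = len(PCAP_GLOBAL_HDR), []
    while off < len(data):
        ts_sec, _ts_usec, incl, _orig = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        frames.append((ts_sec, data[off:off + incl]))
        off += incl
    return frames


def demo():
    """Constructed run: 60-byte frames, chunks sized for exactly two records,
    retention of three chunks. Returns the surviving chunk names and the
    first byte of every retained frame (the frame number)."""
    frame_len = 60
    chunk_bytes = len(PCAP_GLOBAL_HDR) + 2 * (PCAP_REC_HDR.size + frame_len)
    with tempfile.TemporaryDirectory() as tmp:
        ring = PcapRingBuffer(tmp, chunk_bytes=chunk_bytes, max_chunks=3)
        for i in range(10):
            ring.write_packet(1000 + i, 0, bytes([i]) * frame_len)
        ring.close()
        chunks = sorted(Path(tmp).glob("capture-*.pcap"))
        retained = [frame[0] for c in chunks for _ts, frame in read_pcap(c)]
        return [c.name for c in chunks], retained


if __name__ == "__main__":
    print(demo())
```

Ten frames at two per chunk produce five chunks; with a window of three, the two oldest are unlinked and only frames 4 through 9 survive, which is exactly the behaviour wanted from an always-on recorder: bounded disk use, and the most recent traffic available when an incident is noticed.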

The fourth presentation was Xbox Forensic Analysis. No joke...it was a real presentation. Xboxes are beginning to show up more on forensic analysts' desks as they become used for more and more things. Someone playing a game online could be approaching an underage minor or they could have modded their Xbox so they can view illegal photos and videos. It was some interesting stuff. All in all, it makes me want to mod my Xbox even more. Since I have one that appears to have a bad BIOS, it needs to be replaced anyways...what better time to mod it. :-)

The last presentation was on something Jordan and I will be putting together soon at work. Creating a database and web frontend to hashsets. The idea is that known good and bad files can have hashes created and stored in a database. When investigating an incident, hashes from the filesystem can be compared to the database to rule out files that are known good, identify those known bads and single out any odd ones not in either group. The whole point is data reduction so that more time can be focused on analyzing suspicious files than what is normally spent on identifying them. We think it is a rocking idea.
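The data-reduction workflow described above, as an added example (not the presenter's tool or anything Jordan and I have built). It streams SHA-1 over every file under an evidence root, looks each hash up in a SQLite hashset table, and sorts files into known-good, known-bad and unknown buckets. The sample files and hashes are constructed. One caveat the example enforces: if a hash turns up in both a known-good and a known-bad set, the bad verdict wins, because a malicious file that slipped into a "clean" reference set must not be filtered out of the review.

```python
"""Hashset triage: reduce a filesystem to the files nobody has a verdict on.

Added example with constructed data. Table layout and the 'bad beats good'
rule are this example's choices, not a standard.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path

BLOCK = 64 * 1024


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: Path) -> str:
    """Stream the file so multi-GB evidence files never have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()


def open_hashset_db(path=":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS hashset ("
        " sha1 TEXT PRIMARY KEY,"
        " verdict TEXT NOT NULL CHECK (verdict IN ('good', 'bad')),"
        " label TEXT)"
    )
    return conn


def add_hashes(conn, verdict, entries):
    """entries: iterable of (sha1_hex, label).

    A hash already recorded as 'bad' is never downgraded to 'good'; the
    conservative verdict survives conflicting hashsets."""
    for sha1, label in entries:
        row = conn.execute("SELECT verdict FROM hashset WHERE sha1 = ?", (sha1,)).fetchone()
        if row and row[0] == "bad" and verdict == "good":
            continue
        conn.execute("INSERT OR REPLACE INTO hashset VALUES (?, ?, ?)", (sha1, verdict, label))
    conn.commit()


def triage(conn, root: Path) -> dict:
    """Walk the evidence tree and bucket every regular file by hashset verdict.
    Paths are kept so the analyst can still spot a known-good binary living
    somewhere it has no business being."""
    buckets = {"good": [], "bad": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        row = conn.execute(
            "SELECT verdict FROM hashset WHERE sha1 = ?", (sha1_file(p),)
        ).fetchone()
        buckets[row[0] if row else "unknown"].append(p.relative_to(root).as_posix())
    return buckets


def demo() -> dict:
    """Constructed sample: one reference binary, one malware sample, one
    never-seen file, plus a conflicting 'good' entry for the malware hash."""
    conn = open_hashset_db()
    add_hashes(conn, "good", [(sha1_bytes(b"stock system binary"), "notepad.exe from reference image")])
    add_hashes(conn, "bad", [(sha1_bytes(b"keylogger payload"), "keylogger sample")])
    # A mislabelled 'good' set must not launder the known-bad hash.
    add_hashes(conn, "good", [(sha1_bytes(b"keylogger payload"), "mislabelled entry")])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"stock system binary")
        (root / "Temp").mkdir()
        (root / "Temp" / "svch0st.exe").write_bytes(b"keylogger payload")
        (root / "Temp" / "notes.dat").write_bytes(b"never seen before")
        return triage(conn, root)


if __name__ == "__main__":
    print(demo())
```

Only the "unknown" bucket needs eyes on it, which is the whole point of the exercise. Hashes identify content, not intent: a file that matches the known-good set is still worth a glance if its path is strange, and anything whose hash is unknown is not thereby malicious, only unvetted.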

I was disappointed there were not many BoF (birds of a feather) sessions planned. Out of the whopping TWO, I chose the "Bring Your Foo: DoD Wireless Hacking Challenge." Come on, with a name like that, how could I resist. The only thing that I didn't consider was that I only had my 3 month old PowerBook with me and no L33T toolz. I was stuck running nmap across the network and trying to find the servers to be hacked. Dave, the Army CID dude running it, had intended on us being on hubs so we could do some passive recon to figure out what was going on within the network. Unfortunately, we were on switches and no person with an Auditor CD knew what to do with ettercap so we were a bit blind. After a hint from Dave, we knew that the servers were on an entirely different subnet. Again, I was still at a loss with only nmap and no Internet access to grab tools that I could compile on Mac OS X. So, just after I shut down my laptop, I noticed someone using Metasploit which reminded me I had downloaded it on my laptop. In a display of power rivaling that of the most L33T script kiddies, I owned two servers within minutes. Ipconfig on one of them showed it had two NICs with one on a completely different subnet from the first two. Geez. Dave put together an awesome challenge but we had limited time reserved in the room and did not get to complete the challenge. Oh well, it was fun and I have some great ideas for putting on a hacking challenge at UF's next ITSA Day.

That's it for me. I am tired, it has been another long day and I will be up early again tomorrow. Thanks for reading.

Tuesday, January 10, 2006

DoD 2006 - Days 2 & 3 Update

Day 2 - 01/09/2006: This was the second day in the Mac OS X forensics class. It was a smidgeon better than the first day. We went through an image of a system and learned about how applications store their configuration, how to read those files, tools to extract data from configs, caches and history files that are specific to certain apps. It was quite interesting to learn about it from a forensic perspective because it also helped me learn more about an OS that I use everyday. I can truly say that I understand X better and where to look if I ever have issues with it or need to cover my tracks. ;-)

The last portion of the class was spent cracking the passwords. It was surprisingly simple. {I just edited this as I started to talk about a tool we used in class but realized it might be a violation since it is an internal tool for "Official Use Only."}. The passwords were pretty easy to get to and crack. I was quite surprised, but remember, this was done on Panther. The instructor said that Tiger has made some changes making it trickier...but not impossible. He will be giving a presentation in the next day or two about Tiger and specific forensic challenges such as this.

Monday evening, the expo began with a large list of vendors and some tasty food. There was a gimmick to get attendees to visit booths by giving out a list of the vendors and requiring their signature from 25 of them so you could be entered into a raffle. I finished it after listening to quite a few pitches but did talk to some interesting people. The turnout of attendees and number of vendors was quite impressive, and I walked away with some pretty darn useful tools and swag. I even got added to a mailing list, portal and magazine subscription that I probably wouldn't have access to if I wasn't here.

Day 3 - 01/10/2006: Today was the official kickoff of the conference with the keynote and headliners. Jordan and I missed the keynote because we were working on the Cipher Hunt challenge which required us to find clues all over the large Innisbrook property and solve the cipher on each one to find the next clue. With a little social engineering and good deciphering skills, we kicked some butt and were most likely the first team to finish it (but there may have been _1_ before us). This was also the only day they are feeding us all day according to the schedule. There was a nice breakfast, lunch and dinner in a walk_around_and_choose_what_you_want_to_eat_from_the_many_food_tables format.

Det Randy Stone gave a brief presentation about the BTK case and an intro into the forensics that helped catch the killer. It was quite impressive. Johnny Long gave a very amusing presentation on how Hollywood has portrayed hacking. It was damn funny as he went through examples from Hackers, Net Force, Swordfish and more. We were asked to choose if the portrayal was L33T or LAME. Holy Crap! We were all laughing! David Marconi spoke next about Hollywood villains. It was written up as being a talk about the future of hacking in the movies but I didn't see any of that. He was talking about having multidimensional villains and showed too many movies with these types of villains. Oh well, not great.

The evening had food, tickets for free drinks and more vendor action. At 6:30pm, they raffled all kinds of cool vendor-donated prizes. Do you think I won anything? Heck No!! Jordan won the _last_ prize to be given out...a Symantec engraved 20gb iPod Photo. After that, we had the Floppy Disk Throw as the second part of the Cybercrime Conference Olympics as a followup to the Cipher Hunt. We did a great job but there was some crappy judging, crappy distance recording, contestants who should not be eligible and shady score changes at the end. We should have been 2nd but were "bumped" to 5th. Even with that pile of crap, we should still be in the Top 3 and win some kick-butt prizes thanks to our excellent Cipher Hunt work.

It was a LONG day so I will be crashing soon. Sleep will not be coming soon enough. There are so many cool presentations tomorrow. It starts with Johnny Long at 8:30 and keeps getting better after that. I will keep you updated.

Sunday, January 08, 2006

Department of Defense Cybercrime Conference 2006

Today was the first day of the DoD Cybercrime 2006 annual conference. If you check the site, it says the official start date is Jan 10, but they are holding two days of training before the official conference kickoff that were included in the cheap $225 conference fee. That is ridiculously cheap so guess which one I took advantage of...do you know? Well, since I made the decision to buy a PowerBook at work so I could learn more about Mac OS X incident response, I couldn't pass up two days of Mac OS X forensics training. BTW, if you know anything about the conference, you have to be DoD personnel, DoD contractors or some sort of law enforcement. Thankfully, the University Police Department sponsored me so I could attend. SWEET! It is a lot of fun being around all these "feds."

How is it so far? Well, if you haven't been to the Westin Innisbrook Golf Resort, it is a gorgeous place with lush golfing all around the resort. I have spoken here two years in a row for the FAEDS conferences and was happy to finally get to come as an attendee of conference where I can really enjoy the amenities. As for the conference, there are already quite a few feds lurking around the classes. The Mac OS X forensics class is quite good. I have enjoyed most of it and learned quite a bit already. Since the instructors are teaching from a thick book used in their two week class, they have to skim over some topics but I get to keep the book to review later on. Also, the book hasn't been updated for Tiger but the instructor has been doing a good job of pointing out any differences. One instructor is doing a Tiger-specific forensic presentation later this week so I might catch that one, too.

So, my initial thoughts...can I clone myself? There are so many presentations that I want to attend and so little time to fit them all in. About 8-12 presentations are going on simultaneously and I want to see at least 2-5 of them each hour. Luckily, I have been given the "Law Enforcement Only" CD that contains all the presentations, so whatever I don't make it to, I can look at the presentation later. Fantastic stuff. I will try to post every day what is going on and my thoughts about it all.

Monday, January 02, 2006

Performancing for Firefox

This is my first post with the Performancing extension for Firefox. It appears to be very powerful so far. After installation, I hit F8 and the bottom half of Firefox turned into a WYSIWYG blog editor. I really like it so far. First impressions are great. Right now, I am using it on my PC at home but will be testing it on my PowerBook later today. It supports Blogger.com (what I use), WordPress, TypePad, LiveJournal, MSN Spaces and Custom Blogs running on your own webserver with software like WordPress, Movable Type, Drupal, Textpattern, Blogger API and MetaWeblog API.

I was attempting to use the Developer Preview of Flock but it is still pretty buggy and does not compare to Performancing. If you are a blogger and use any of the supported blog software/sites, definitely check out Performancing. Thanks to Martin McKeay for mentioning it in his podcast.