DCC2009 Takeaways

I had an opportunity to attend some of the presentations at the Digital Crimes Consortium 2009 conference at the Microsoft campus in Redmond, WA.

One of my biggest takeaways from this event was the fact that the needs of CIOs, IT staffs and consultants (which is where I spend most of my time) are, on the surface, vastly different from the needs of law enforcement. "Victim" IT organizations are primarily concerned with getting rid of a malware infection, regardless of what it is...worm, Trojan, etc. In my experience, eradication and returning the infrastructure to normal operations are the primary concern, with compliance and questions about data loss/exfiltration usually popping up after the fact (i.e., too late).

However, LE is interested in intelligence, some sort of actionable data that can be used to investigate cyber crimes, track down the players and prosecute someone, preferably someone fairly high up the food chain.

At first glance, there may not be an obvious overlap. However, both sides have information available that is useful, even valuable, to the other. LE might have data available about cyber crimes that occur across a wide range of victims...such as, was the incident initiated by a browser drive-by, was it targeted, etc? LE (depending upon the level that we're talking) may have trending information available regarding victim types, intruder/criminal activity, etc. Victim IT organizations will have information available about malware variants, outbound connections (to command-and-control servers, etc.), sensitive information collected, etc.

Where things tend to break down is that in some cases, LE either doesn't track the kind of information that might be useful to victims, or they feel that they can't share it because doing so might expose information. Victim IT organizations many times feel the same way...that they can't share what information they have without exposing information about their infrastructure, intellectual property, or "secret sauce". Sometimes, the victim organizations do not want to contact LE for fear that their name would be included in public documents, exposing the fact that and the means by which they were compromised...something those organizations do NOT want made public.

Another takeaway I got from the conference is that there is a definite organization and structure behind cyber criminal activities. There's a hierarchy to the structure, an economic driver (i.e., money), and individuals in the communities are kicked out if they fail to provide something back to the community. These seem to be driven like businesses without an HR department...maybe there are certain elements to this structure that the good guys could emulate.

Taking this anywhere is going to take some thought and some work.

The first part of this trip was to participate with Troy Larson in his Windows 7 Forensics presentation. I've been focusing on the Registry, but Troy's been looking at a lot of other things, most notably Volume Shadow Copies and how they can be used.

One of the things that Troy brought up in the presentation that stood out for me was the number of files (Sticky Notes/.snt, etc.) that are based on Microsoft's OLE, "structured storage" file format. You might be able to get some interesting data from these files using oledmp.pl, or you can use MS's own Office Visualization Tool.

Speaking of metadata, everyone should remember Kristinn's post to the SANS Forensic blog on Office 2007 document structure and metadata; I like it because he includes a Perl script for parsing this information. If you end up using the version of the script for Windows systems, be sure to read the file headers for instructions on how to ensure that you have the right modules installed.

Usually when I mention something like this, I get questions like, "...ok, but what about other document metadata?" Well, let's not forget Didier's work with PDFid.