Links...and whatnot
How'd you do that??
One thing I've found to be very true about the community is that folks love to see how other analysts have done things. This is very helpful to know when it comes to writing articles or giving presentations.
Frank Boldewin recently posted CSI:Internet Episode 3: A trip into RAM, which provides an excellent walk-through on how he collected the contents of physical memory from a live Windows system, and then used Volatility (including the malfind, volshell, apihooks plugins) to locate malware. Frank's article is well worth a look, as it is an excellent read.
Advice
Need advice or input on getting started in DFIR work? Corey recently posted links to various articles and posts (including my own), and provided some considerable (and excellent) advice of his own. Even if you're already in the field, this is an excellent source of advice.
HowTos
I posted a quick-and-dirty blog post recently on how to create mini-timelines, and received a comment asking for more of these types of posts. I've considered writing "HowTo" posts in the past, but quickly found myself running short on topics. I'm considering posting more of these, but like I said...I'm kind of running short of topics.
Windows 8
I recently installed the available developer build of Windows 8 into VirtualBox (running on 64-bit Windows 7) using these instructions. So far, so good. During the setup, I opted to use the .vhd disk format (rather than the VirtualBox .vdi, or .vmdk) so that I could later add the .vhd file to a Windows system to see what things look like. I installed the OS, poked around a bit, and then shut the VM down and opened the .vhd file in FTK Imager. The Registry hives that I looked at (NTUSER.DAT) appear to follow the same format as previous versions; as Windows 8 is running in a VM, I won't be able to see things like wireless connectivity, etc. It also appears that Windows 8 uses Jump Lists (good thing I wrote that code to parse those bad boys, eh?); I'll definitely have to take a closer look at them, that's for sure. Looking at the Jump List files in the FTK Imager hex view, I see the file signature for the OLE/compound document binary format file, as well as the "Root Entry" and "DestList" stream names.
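As an added example (not from this post, and not the author's own Jump List parser), here is a Python triage check for the two things noted above: the OLE/compound document signature at offset 0, and a "DestList" stream name, found by walking the CFB directory chain through the FAT rather than by scanning for strings. The sample file is constructed inline; the code assumes a version 3 (512-byte sector) file whose FAT sectors are all listed in the header's DIFAT array.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # OLE/CFB signature, the bytes seen in the hex view
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD

def cfb_stream_names(data):
    """Walk the directory chain of a CFB file; return (name, object type, size) for each allocated entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE/CFB file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]             # sector size (512 for version 3)
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []
    for sec in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:    # DIFAT entries stored in the header
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (sec + 1) * ssz))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:                      # stops on ENDOFCHAIN or a malformed loop
        seen.add(sec)
        for i in range(ssz // 128):                                # 128-byte directory entries
            ent = data[(sec + 1) * ssz + i * 128:][:128]           # sector n lives at offset (n+1)*ssz
            name_len, obj_type = struct.unpack_from("<HB", ent, 0x40)
            if obj_type == 0 or name_len < 2:                      # unallocated entry
                continue
            size = struct.unpack_from("<I", ent, 0x78)[0]
            entries.append((ent[:name_len - 2].decode("utf-16-le"), obj_type, size))
        sec = fat[sec]
    return entries

def looks_like_jumplist(data):
    """Triage check for the pattern in the post: CFB signature plus a stream (type 2) named DestList."""
    try:
        return any(n == "DestList" and t == 2 for n, t, _ in cfb_stream_names(data))
    except (ValueError, struct.error):
        return False

def build_sample_jumplist():
    """Constructed sample: a minimal CFB image with Root Entry, a DestList stream and one LNK stream named '1'."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    def entry(name, obj_type, child=FREESECT, size=0):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(raw.ljust(128, b"\x00"))
        struct.pack_into("<HBBIII", e, 0x40, len(raw), obj_type, 1, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 0x74, 0, size)                 # start sector, stream size
        return bytes(e)
    directory = entry("Root Entry", 5, child=1) + entry("DestList", 2, size=32) + entry("1", 2, size=0x1F8)
    return bytes(hdr) + fat + directory.ljust(512, b"\x00")
```

Run against a real automaticDestinations-ms file, cfb_stream_names() also lists the numeric stream names that hold the embedded LNK data, which is what the DestList entries point at.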
From the TwitterVerse, it seems that I'm not the only one moving along these lines...moyix has taken the first steps toward adding Win8 support to Volatility (see it working here).
APT
I know, I know...no one wants to hear about the "Advanced Persistent Threat" anymore. However, it appears that there was an APT Summit in DC this past summer, and RSA recently published an overview document of the findings from the summit. The PDF doc is 3 pages long, and a pretty interesting read.
Windows Post-Exploitation
Thanks to Chad Tilbury, I was directed to this page (at pentestmonkey.net) which discusses various means of getting from Local Admin to Domain Admin once a system has been compromised. Looking for artifacts of these approaches can provide indications of what the intruder may have been up to.