Sharing and Case Studies

There's been some discussion of late in various corners of the DFIR community regarding "sharing" amongst those of us in the community.  Some of it has centered on sharing threat intelligence and IOCs, and that has spawned a related discussion about sharing "case studies".  I ran across a couple of threads on one online forum (like this one...) where an interest in case studies was expressed, but as is usually the case, few are actually stepping forward to provide them.

My hope is that these discussions have formed a crack in the wall of silence, and that some of us can squeeze our fingers into that crack, and with the help of others in the community, pry it apart.

Andrew Case posted an excellent case study on the DFS blog, one that is truly inspiring.  Andrew looked at what he wanted to do and used what was available to him to get it done.

Corey Harrell has posted a number of times to his blog regarding exploit artifacts, and has taken up a series of posts on accessing Volume Shadow Copies.  Corey provided some excellent material which he graciously allowed me to incorporate into chapter 3 of WFAT3e, and he has since taken that several steps further.  While not specifically related to cases Corey has worked, this is some excellent information that is of significant value to anyone who encounters Vista and Win7 systems.

Recently, Melia posted a "case experience" to her blog, where she had to address an issue of spoliation.  I've had similar cases, and I've had issues where such a thing was just part of the case...and I think what Melia's post really points out is that Windows does a great job of illustrating Locard's Exchange Principle; that is, when the user or an application interacts with the operating system, there are very often artifacts of that interaction that survive attempts by the user to cover their tracks.

From a link in Melia's blog post, I found out about the Cheeky4n6Monkey blog, which has some excellent posts, including this one on creating a RegRipper plugin for CCleaner, which actually covers two topic areas: artifacts associated with running CCleaner, and writing a RegRipper plugin.  The author correctly points out that I covered how to write RegRipper plugins in WRF.
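As an added illustration (this is not the Cheeky4n6Monkey plugin and not code from this post), here is what a minimal RegRipper plugin that reports CCleaner's per-user settings key looks like.  It also makes the Locard point from the paragraph above concrete: CCleaner may wipe browser history and temp files, but its own settings key in the user's NTUSER.DAT hive is an artifact of the tool having been installed and run, and the key's LastWrite time bounds when it was last touched.  The key path Software\Piriform\CCleaner, the plugin name, and the assumption that the values are REG_SZ strings are assumptions made for this example; `::rptMsg`, `::logMsg` and the Parse::Win32Registry calls are the ones rip.pl provides to every plugin.

```perl
#-----------------------------------------------------------
# ccleaner_example.pl  (added example, not part of the original post)
# Minimal RegRipper plugin: reports the values under the CCleaner
# settings key in an NTUSER.DAT hive.  Save it into the plugins
# directory; RegRipper requires the package name to match the file name.
# The key path and value semantics below are assumptions.
#-----------------------------------------------------------
package ccleaner_example;
use strict;
use warnings;

# Standard RegRipper plugin configuration hash; rip.pl reads it via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20120101);

sub getConfig     { return %config; }
sub getShortDescr { return "Lists CCleaner settings values from a user's NTUSER.DAT hive"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;   # path to the NTUSER.DAT hive, passed in by rip.pl

    ::logMsg("Launching ccleaner_example v.".$VERSION);
    ::rptMsg("ccleaner_example v.".$VERSION);

    # Parse::Win32Registry is already loaded by rip.pl.
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    # Assumed location of CCleaner's per-user settings (relative to HKCU).
    my $key_path = "Software\\Piriform\\CCleaner";

    my $key = $root_key->get_subkey($key_path);
    if (! defined $key) {
        ::rptMsg($key_path." not found.");
        return;
    }

    ::rptMsg($key_path);
    # The LastWrite time is updated whenever a value under the key changes,
    # so it is the most recent time CCleaner (or the user) touched its settings.
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    my @vals = $key->get_list_of_values();
    if (scalar(@vals) == 0) {
        ::rptMsg("Key has no values.");
        return;
    }

    # CCleaner settings are assumed to be REG_SZ strings (e.g. "True"/"False"),
    # so the raw data is printed as-is alongside the value name.
    foreach my $v (@vals) {
        my $name = $v->get_name();
        my $data = $v->get_data();
        $name = "(Default)" if ($name eq "");
        ::rptMsg(sprintf("%-40s %s", $name, $data));
    }
}

1;
```

Run it against an extracted hive with `rip.pl -r NTUSER.DAT -p ccleaner_example`.  The shape is the same for any other artifact: set the hive in `%config`, locate the key, report its LastWrite time, then walk its values or subkeys; the per-artifact work is just deciding which values matter and how to decode them.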

There are even more examples available of how analysts have pursued real-world cases.  Take a look at this post on the Mandiant blog by Nick Harbour, from July 2010.

I know from experience (in the industry, writing books, etc.) that many of us really enjoy reading or hearing case studies, but the fact is that few of us actually share case studies, or just some portion of our experiences (I won't get into the "why"...).  From recent experience, this is disheartening when you go to a conference where many of the presentation titles lead you to believe that case studies or experiences will be shared, but all you get during the presentations, and even out in the common areas between presentations, are blank stares.

No one of us is as smart as all of us.  There are some of us who've seen a lot of things, but no one has seen or done everything.  Sharing what we've seen through presentations and blog posts is a great way for us to learn, without having to have had the actual experiences.