My Road to Digital Forensics Excellence

DC3 2011 Day 2 and 3

Posted by Paul Bobby on January 29, 2011

Visualization of Mobile Data – John Carey and Timothy Leschke
The bulk of the presentation was a case study into the George Ford Jr. trial (see here). His wife had suspected Ford of infidelity and had secretly installed a GPS tracker under the driver's seat of his truck. The location data recovered from that device, visualized with LandAirSea Past-Track, secured the conviction.

VDL Slack in NTFS – David G Ferguson
This talk drew attention to the slack space of a file whose valid data length (VDL, the offset up to which data has actually been written) is smaller than the logical file size recorded for it. A read through the Windows API returns zeros for the bytes between the VDL and end-of-file, but on disk those clusters can still hold whatever was in them before they were allocated to the file. The problem for us is that the various 4n6 tools appear to handle searches within that region differently, so the same keyword search can hit in one tool and miss in another.
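To make the three regions concrete, here is an added example (mine, not the presenter's) that reads the size fields from a non-resident NTFS attribute header and runs one keyword search three ways, mirroring the scopes a tool might choose. The header bytes and the cluster contents are constructed for the example; the field offsets are the standard NTFS non-resident attribute layout (allocated size at 0x28, real size at 0x30, initialized size, i.e. the VDL, at 0x38).

```python
import struct

# Non-resident NTFS attribute header (first 0x40 bytes), little-endian:
# type, length, non-resident flag, name length, name offset, flags, attribute id,
# starting VCN, last VCN, data-runs offset, compression unit size, 4 bytes padding,
# allocated size, real (logical) size, initialized size (the VDL).
NONRES_HDR = struct.Struct("<IIBBHHHQQHH4xQQQ")


def parse_nonresident_header(buf: bytes) -> dict:
    """Return the three size fields that define a file's slack regions."""
    if len(buf) < NONRES_HDR.size:
        raise ValueError("attribute header too short")
    (atype, _length, nonres, _nlen, _noff, _flags, _aid,
     _svcn, _lvcn, _roff, _cu, alloc, real, init) = NONRES_HDR.unpack_from(buf)
    if nonres != 1:
        raise ValueError("resident attribute: no clusters, so no VDL or file slack")
    if not init <= real <= alloc:
        raise ValueError("inconsistent sizes: expected VDL <= real <= allocated")
    return {"type": atype, "allocated_size": alloc, "real_size": real,
            "initialized_size": init}


def slack_ranges(hdr: dict) -> dict:
    """Byte ranges [start, end) inside the file's clusters that tools may or may not search."""
    return {
        # Below the logical EOF but past the VDL: the API reads back zeros here,
        # yet the on-disk clusters may still hold earlier content.
        "vdl_slack": (hdr["initialized_size"], hdr["real_size"]),
        # Past the logical EOF, up to the end of the last allocated cluster.
        "file_slack": (hdr["real_size"], hdr["allocated_size"]),
    }


def search_scopes(raw_clusters: bytes, pattern: bytes, hdr: dict) -> dict:
    """Run one keyword search three ways, mirroring scopes different tools use."""
    scopes = {
        "valid_data": raw_clusters[:hdr["initialized_size"]],  # what the API would show
        "logical":    raw_clusters[:hdr["real_size"]],         # up to the nominal EOF
        "allocated":  raw_clusters[:hdr["allocated_size"]],    # every cluster of the file
    }
    return {name: pattern in view for name, view in scopes.items()}


# Constructed sample: a $DATA (0x80) attribute spanning three 4 KiB clusters,
# logical size 0x2A00, but only the first 0x1000 bytes were ever written.
SAMPLE_HDR = NONRES_HDR.pack(
    0x80, 0x48, 1, 0, 0x40, 0, 1,   # type, length, non-resident, name len/off, flags, id
    0, 2, 0x40, 0,                  # start VCN, last VCN, data-runs offset, compression unit
    0x3000, 0x2A00, 0x1000)         # allocated, real, initialized (VDL)

# Constructed raw cluster content as it might sit on disk for that file.
_clusters = bytearray(0x3000)
_clusters[:0x1000] = b"A" * 0x1000            # genuinely written data
_clusters[0x1800:0x180C] = b"stale-secret"    # leftover in VDL slack (API reads zeros here)
_clusters[0x2B00:0x2B09] = b"old-slack"       # leftover in file slack
SAMPLE_CLUSTERS = bytes(_clusters)

if __name__ == "__main__":
    hdr = parse_nonresident_header(SAMPLE_HDR)
    print(slack_ranges(hdr))
    for needle in (b"stale-secret", b"old-slack"):
        print(needle, search_scopes(SAMPLE_CLUSTERS, needle, hdr))
```

The point of the three scopes is the one the talk made: a tool that searches only to the VDL behaves like the operating system and never sees the stale content below EOF, a tool that searches to the logical size finds it, and only a tool that searches the full allocation also covers ordinary file slack.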

I also learnt that the Volume Shadow Copy service deliberately sets the VDL of a VSC to 0 (zero); this renders the VSC invisible to the normal Windows backup processes, so the VSC itself is not backed up.

Advanced C2 Channels – Adam Meyers and Neal Keating
Some of the newer channels being detected today:

  1. Twitter C2 – A Twitter account is created and commands are posted to it as Base64-encoded tweets; both the controllers and the bots read the account.
  2. Facebook C2 – Data is posted to the Notes section of a Facebook account, using English words as codewords.
  3. Gmail – SSL to Gmail (and now Facebook) is generally allowed outbound, so C2 is exchanged through draft emails containing hex codes.
  4. RSS feeds – The malware drops JavaScript, instantiates a JS engine, and requests an XML feed from a website; that feed carries the C2.
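Three of the four channels above hide commands in otherwise ordinary web content as Base64 or hex, so one detection angle is to look for encoded-looking tokens in content fetched from these services. The following is an added example (not code from the presenters) of that heuristic run over constructed samples of a tweet, an RSS item and a mail draft. It cannot catch the Facebook codeword channel, where the payload is plain English, and the case/digit test it uses to separate Base64 from long words is a rule of thumb, not a guarantee.

```python
import base64
import binascii
import math
import re

# A run of Base64 alphabet long enough to carry a command, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# An even-length run of at least 16 hex digits.
HEX_TOKEN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted payloads sit near 8, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_like_base64(tok: str) -> bool:
    # Heuristic: Base64 of anything non-trivial mixes upper case, lower case and
    # digits; a long English word does not. Pure hex runs go to the hex path instead.
    if HEX_TOKEN.fullmatch(tok):
        return False
    return (any(c.isupper() for c in tok) and any(c.islower() for c in tok)
            and any(c.isdigit() for c in tok))


def find_payload_tokens(text: str) -> list:
    """Return encoded-looking tokens found in a tweet, note, mail draft or feed item."""
    findings = []
    for m in B64_TOKEN.finditer(text):
        tok = m.group(0)
        if not looks_like_base64(tok):
            continue
        core = tok.rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # right alphabet but not decodable: leave it alone
        findings.append({"kind": "base64", "token": tok, "decoded": raw,
                         "entropy": round(shannon_entropy(raw), 2)})
    for m in HEX_TOKEN.finditer(text):
        raw = bytes.fromhex(m.group(0))
        findings.append({"kind": "hex", "token": m.group(0), "decoded": raw,
                         "entropy": round(shannon_entropy(raw), 2)})
    return findings


# Constructed samples; PAYLOAD stands in for an operator command.
PAYLOAD = b"cmd:dl http://203.0.113.5/u.bin"
SAMPLE_TWEET = "having a great day! " + base64.b64encode(PAYLOAD).decode()
SAMPLE_RSS_ITEM = ("<item><title>weather</title><description>"
                   + base64.b64encode(PAYLOAD).decode() + "</description></item>")
SAMPLE_DRAFT = "per our chat, the reference is 4d5a900003000000ffff0000b8000000 thanks"
SAMPLE_BENIGN = "Internationalization considerations for the quarterly report"

if __name__ == "__main__":
    for label, text in (("tweet", SAMPLE_TWEET), ("rss", SAMPLE_RSS_ITEM),
                        ("draft", SAMPLE_DRAFT), ("benign", SAMPLE_BENIGN)):
        print(label, find_payload_tokens(text))
```

In practice this runs over proxy-logged response bodies or the API output of the services concerned; the entropy figure helps separate an encoded command string from an encrypted or compressed blob, and the word-length false positives (a 20-letter word with no digits) are filtered by the case/digit rule rather than by decoding alone.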

These guys didn’t like the term APT. But they did like to say reminent instead of remnant.

Windows 7 Artifacts – Rob Attoe
Hey, a fellow Brit – he works for AccessData. This presentation condensed an otherwise 4-hour block into 50 minutes. Awesome – just hit me with everything and I'll sort it out later.

Some of the artifacts I wasn’t aware of.

  1. BitLocker To Go – If the FveAutoUnlock key exists in NTUSER.DAT (under Software\Microsoft\Windows\CurrentVersion), then the user selected the option to automatically unlock that specific removable volume on this computer. No password? Then use one of the many methods to boot up the suspect OS as that user, and simply insert the removable device. You may just get lucky.
  2. Jump Lists – Custom or Automatic destinations are listed in the registry. Valuable for behavior analysis.

When did it happen? – Keith Gould
Keith rocks. A good solid Geek Meter-5 presentation into NTFS timestamps and some of the gotchas/misconceptions that forensicators continue to fall prey to.

He reviewed $STANDARD_INFORMATION (SIA) and $FILE_NAME (FNA) timestamps, the common scenarios in which the FNA timestamps are changed, file-system tunneling (see this earlier blog article) and reliability monitoring.
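As an added example of the SIA/FNA comparison (my code, not Keith's), the block below parses the four FILETIMEs from constructed $STANDARD_INFORMATION and $FILE_NAME attribute bodies and applies two common timestomping heuristics: a $SI creation time earlier than the $FN one, and all four $SI values sitting on whole seconds. The attribute layouts are the standard NTFS ones; the sample timestamps and file name are invented. Note the caveat the talk itself made: $FN timestamps are rewritten in several ordinary scenarios (a rename or move recreates the attribute with the then-current $SI values), so a clean comparison does not prove the $SI values are genuine.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_standard_information(buf: bytes) -> dict:
    """$STANDARD_INFORMATION (0x10) body: four FILETIMEs at offset 0."""
    c, m, e, a = struct.unpack_from("<QQQQ", buf, 0)
    return {"created": c, "modified": m, "mft_changed": e, "accessed": a}


def parse_file_name(buf: bytes) -> dict:
    """$FILE_NAME (0x30) body: parent reference, four FILETIMEs, sizes, flags, name."""
    parent, c, m, e, a = struct.unpack_from("<QQQQQ", buf, 0)
    name_len, namespace = struct.unpack_from("<BB", buf, 0x40)
    name = buf[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return {"parent_ref": parent, "created": c, "modified": m, "mft_changed": e,
            "accessed": a, "namespace": namespace, "name": name}


def detect_timestomp(si: dict, fn: dict) -> list:
    flags = []
    # SetFileTime() and the tools built on it rewrite $SI only; the kernel sets $FN
    # when the name is created. $SI created before $FN created points at backdating.
    if si["created"] < fn["created"]:
        flags.append("si_created_before_fn_created")
    # Many stomping tools take whole seconds, leaving every $SI sub-second field at
    # zero. Treat it as a lead, not proof: files that came from FAT media can also
    # carry coarse timestamps.
    if all(si[k] % TICKS_PER_SECOND == 0
           for k in ("created", "modified", "mft_changed", "accessed")):
        flags.append("si_whole_second_timestamps")
    return flags


def build_si(c: int, m: int, e: int, a: int) -> bytes:
    # Timestamps, then the remaining 16 bytes of the 48-byte short form (zeros here).
    return struct.pack("<QQQQ", c, m, e, a) + bytes(16)


def build_fn(c: int, m: int, e: int, a: int, name: str) -> bytes:
    # parent ref, 4 timestamps, allocated size, real size, flags, reparse, name len, namespace
    return (struct.pack("<QQQQQQQIIBB", 0x0005000000000005, c, m, e, a, 0, 0, 0x20, 0,
                        len(name), 1) + name.encode("utf-16-le"))


# Constructed sample timestamps (UTC).
GENUINE_FT = datetime_to_filetime(datetime(2011, 1, 20, 10, 0, 0, 123456, tzinfo=timezone.utc))
LATER_FT = GENUINE_FT + 5 * 24 * 3600 * TICKS_PER_SECOND + 7
STOMPED_FT = datetime_to_filetime(datetime(2009, 5, 1, tzinfo=timezone.utc))

CLEAN_SI = build_si(GENUINE_FT, LATER_FT, LATER_FT, LATER_FT)
CLEAN_FN = build_fn(GENUINE_FT, GENUINE_FT, GENUINE_FT, GENUINE_FT, "invoice.pdf")
STOMPED_SI = build_si(STOMPED_FT, STOMPED_FT, STOMPED_FT, STOMPED_FT)  # $SI pushed back to 2009
STOMPED_FN = CLEAN_FN                                                  # $FN untouched

if __name__ == "__main__":
    for label, si_buf, fn_buf in (("clean", CLEAN_SI, CLEAN_FN), ("stomped", STOMPED_SI, STOMPED_FN)):
        si, fn = parse_standard_information(si_buf), parse_file_name(fn_buf)
        print(label, fn["name"], filetime_to_datetime(si["created"]),
              filetime_to_datetime(fn["created"]), detect_timestomp(si, fn))
```

Both checks are deliberately conservative. The first only fires when $SI is earlier than $FN, which a rename after stomping would hide; the second only fires when all four $SI fields are whole seconds, so a single coarse value (for instance a FAT-sourced modified time) does not trigger it.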

Knowledge Management – Sam Wenck
Much has been said about a threat-based approach to Incident Response (as opposed to traditional CND, which is vulnerability-centric, or traditional incident response, which presupposes a successful intrusion), and Sam demonstrated the Lockheed Martin implementation of threat-based IR using Request Tracker and some custom programming.

This system comprises the standard ticketing engine with a customized indicator database and a knowledge-management database (like a wiki). The entire system is supported by back-end datastores such as IP databases (where on the perimeter IPs were seen), DNS lookups, proxy logs, etc.

The indicator database has a systematic entry method to ensure proper canonicalization of indicator intelligence. At this time we store just atomic indicators. Future work is being pursued to create computed indicators, such as complete TTP models.
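Canonicalization is what makes an indicator database searchable at all: the same domain arrives as "Evil.Example[.]com", "evil.example.com." and "EVIL.EXAMPLE.COM" from different reports and must collapse to one record. Below is an added example of such an entry step (my code, not Lockheed Martin's implementation) for the common atomic indicator types: refang, classify, normalize, and deduplicate. The sample indicators are invented; the domain regex and the treatment of default ports and e-mail local parts are design choices, not something the talk specified.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot, <= 253 chars.
DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def refang(raw: str) -> str:
    """Undo the common ways analysts neuter indicators in reports and mail."""
    s = raw.strip()
    for neutered in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(neutered, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def canonicalize(raw: str) -> tuple:
    """Return (indicator_type, canonical_value) or raise ValueError."""
    s = refang(raw)
    if HEX.match(s) and len(s) in HASH_ALGOS:
        return (HASH_ALGOS[len(s)], s.lower())
    try:
        ip = ipaddress.ip_address(s)
        # compressed form collapses IPv6 zero runs and drops leading zeros in groups
        return ("ipv%d" % ip.version, ip.compressed)
    except ValueError:
        pass
    if "@" in s:
        local, _, domain = s.rpartition("@")
        domain = domain.lower().rstrip(".")
        if local and DOMAIN.match(domain):
            # The local part is case-sensitive per RFC 5321, so only the domain is folded.
            return ("email", f"{local}@{domain}")
    parts = urlsplit(s)
    if parts.scheme in ("http", "https") and parts.hostname:
        host = parts.hostname.rstrip(".")            # .hostname is already lower-cased
        default_port = 443 if parts.scheme == "https" else 80
        if parts.port not in (None, default_port):
            host = f"{host}:{parts.port}"
        # Fragment dropped: it never reaches the server, so it is not part of the indicator.
        return ("url", urlunsplit((parts.scheme, host, parts.path or "/", parts.query, "")))
    domain = s.lower().rstrip(".")
    if DOMAIN.match(domain):
        return ("domain", domain)
    raise ValueError(f"not a recognised atomic indicator: {raw!r}")


def dedupe(raw_indicators) -> set:
    """Collapse differently written copies of the same indicator into one record each."""
    return {canonicalize(r) for r in raw_indicators}


# Constructed sample input as it might arrive from several reports.
SAMPLE_REPORT = [
    "hxxp://Evil.Example[.]com:80/Path?q=1",
    "evil.example[.]com",
    "EVIL.EXAMPLE.COM.",
    "evil.example.com",
    "203.0.113.5",
    "2001:0db8:0000:0000:0000:0000:0000:0001",
    "D41D8CD98F00B204E9800998ECF8427E",
    "Bob@Example.COM",
]

if __name__ == "__main__":
    for kind, value in sorted(dedupe(SAMPLE_REPORT)):
        print(f"{kind:7} {value}")
```

The ordering of the checks matters: hashes are tested before anything else because a hex string is also a syntactically valid hostname label, and IP addresses before domains because a dotted quad matches the domain pattern too. Anything that fails every test is rejected rather than stored, which is the point of a systematic entry method.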


One Response to “DC3 2011 Day 2 and 3”

  1. Troy said

    Jumplists are not in the registry. Each jumplist is composed of one or two files. I have a presentation I did a few months ago that shows how to dissect both the automatic and custom destination files. They are fairly easy to take apart. The automatic destination files can show a very long history of files opened by a user. I will trade you my jumplist presentation for Keith Gould's time stamp presentation.
