My Road to Digital Forensics Excellence

My CEIC2012 Experience

Posted by Paul Bobby on May 23, 2012

Let me begin with the obligatory “I haven’t written in a while eh?”

Now that that is over with, and with some encouragement to continue posting, here we go.

I’m attending CEIC 2012 in Las Vegas, and with only two sessions left it’s time to post my thoughts on the conference. There were two keynotes to attend, the first being from the CEO of Guidance Software. His presentation focused on where we came from in the forensic world, through the 2000s, and a brief look into the future. It was also used to introduce the Guidance Software App Store, due to arrive in the Fall. This can only be a good thing. Forensics, hardware, techniques and everything else electronic is evolving at such a fast rate that any one company cannot keep up with it all – coders have been writing EnScripts for a while now, myself included, and no doubt we will continue to provide free EnScripts to the community. But allow a developer to be compensated for his/her work and you create a way for coders to spend serious time developing some significant scripts and plugins for EnCase. Take a look at the Volume Shadow Copy problem – I’ve been waiting ages for Guidance to incorporate native support into EnCase; others have developed tools, so the solution is well understood, but while it likely appears on a future feature list, it is not a priority. An enterprising developer can take up the challenge and probably find many a shop willing to pay $s for it.

The second keynote came from General Richard Myers, retired chairman of the Joint Chiefs of Staff. While he retired from service in 2005, his points of view were definitely valid, and offered clarity on the incident problem we are dealing with today. In his summary of the Top 5 threats for today, Cyber Incidents was classified as number two. He also addressed the PRC, classifying them as highly aggressive when it comes to using cyberspace to gain intellectual property. He stressed, however, that these incidents would not directly lead to military conflict; rather, the persistence of the threat undermines whatever headway is being made via diplomacy, and an unintended conflict may occur because of this tension, for example in another space, such as the South China Sea.

Okay, session time, number 1: Manual Web Page Reconstruction. This was a 90 minute lab session, the purpose of which was to teach an approach to reassembling a web page from the artifacts present on the computer. Unfortunately we didn’t start the lab work until 70 minutes into the presentation; this alone was enough to rate the session as disappointing. However, one of the things I always gain from sessions is questions that require some research to find the answer. Here’s the problem that I thought about during this session: if you see files called “1.jpg”, “1[1].jpg” and “1[2].jpg” in Temporary Internet Files – do you know what that means? That’s not the real question though. What I need to figure out is whether the web browsing mechanism (we’ll take Internet Explorer for example) is smart enough to know which of these JPGs to pull from the cache.

Let me state it this way: using IE, a user visits website1, website2 and website3. They all have a file called “1.jpg” that is loaded during the page render. The browser stores these JPGs in the cache, but the JPGs are completely different; only their filenames are the same. When the user visits one of the sites again, say website2, and the image is loaded from the cache, is the correct one displayed? No idea, will have to test.
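To make the question concrete, here is an added example (my own model, not code from the original post and not a parser of IE’s real cache index) of why the answer hinges on what the cache index is keyed by. It stores each entry under its full URL, hands out colliding on-disk names in the 1.jpg / 1[1].jpg / 1[2].jpg pattern seen in Temporary Internet Files, and then compares a URL-keyed lookup against a naive filename-only lookup when website2 is revisited. The site names and image bytes are constructed; the real naming and index format used by IE is not modeled here.

```python
"""Model of a browser cache whose index maps full URL -> local file name,
with colliding basenames disambiguated as 1.jpg, 1[1].jpg, 1[2].jpg ...
Constructed illustration; it does not read a real index.dat or TIF folder."""
from urllib.parse import urlsplit, unquote
from posixpath import basename


class UrlKeyedCache:
    def __init__(self):
        self.index = {}   # full URL -> local file name (the cache index)
        self.files = {}   # local file name -> bytes (the on-disk cache folder)
        self._used = set()

    def _allocate_name(self, url):
        """Pick an unused on-disk name derived from the URL's basename."""
        name = unquote(basename(urlsplit(url).path)) or "index"
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        candidate, n = name, 0
        while candidate in self._used:           # collision: add the [n] suffix
            n += 1
            candidate = f"{stem}[{n}].{ext}" if ext else f"{stem}[{n}]"
        self._used.add(candidate)
        return candidate

    def store(self, url, body):
        """Cache a response; a re-fetch of the same URL overwrites its own entry."""
        if url in self.index:
            self.files[self.index[url]] = body
            return self.index[url]
        name = self._allocate_name(url)
        self.index[url] = name
        self.files[name] = body
        return name

    def fetch(self, url):
        """Correct lookup: resolve the URL through the index, then read the file."""
        name = self.index.get(url)
        return None if name is None else self.files[name]


def filename_only_lookup(cache, url):
    """Naive lookup by basename alone, i.e. the failure mode the post worries
    about: every site's 1.jpg would resolve to whichever copy owns '1.jpg'."""
    name = unquote(basename(urlsplit(url).path))
    return cache.files.get(name)


def simulate():
    """Three sites each serve a different /1.jpg; then website2 is revisited."""
    cache = UrlKeyedCache()
    pages = {                                    # constructed sample responses
        "http://website1.example/1.jpg": b"JPEG-from-site1",
        "http://website2.example/1.jpg": b"JPEG-from-site2",
        "http://website3.example/1.jpg": b"JPEG-from-site3",
    }
    names = {url: cache.store(url, body) for url, body in pages.items()}
    revisit = "http://website2.example/1.jpg"
    return {
        "names": names,                          # which on-disk name each URL got
        "url_keyed": cache.fetch(revisit),       # -> b"JPEG-from-site2"
        "filename_only": filename_only_lookup(cache, revisit),  # -> site1's copy
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The takeaway for the examiner is that the suffixed file name by itself tells you only that a basename collided; which site a given 1[n].jpg belongs to has to come from the index that maps URLs to local names, which is exactly where the reconstruction lab’s evidence lives.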

Session 2: Hunting for Unfriendly Easter Eggs. Two presenters from Deloitte walked us through “Cloppert’s Kill Chain” and modified it slightly into a Kill Chain Life Cycle (btw this kill chain is to be credited to Amin and Hutchins as well). The life cycle modifies the chain slightly by making the initial exploit/C2/exfil phase an external phase, that is to say the first penetration into the network, followed by a cycle of internal phases that may repeat as often as is needed while the attacker modifies the chain with new exploits/recon/C2 etc. The second part of the presentation built on the existing “indicators of compromise” proposed by Mandiant, with case studies of real incidents that led to 300+ IOCs for each stage in the chain. Good stuff.

More to come

One Response to “My CEIC2012 Experience”

  1. Good write-up and I couldn’t agree more with you about the Web Page Reconstruction lab; disappointing was being modest IMHO. I think the images 1[1].jpg, etc. in the TIF cache are tracked by the Index.dat file present in the TIF folder and this is queried by IE to track and reconstruct the images in the page. Will have to re-read the Net Analysis manual and check.
