Forensic Images: For Your Viewing Pleasure

By Sally Vandeven

For a student just getting started in digital forensics, concepts regarding forensic images can be confusing. Terms like images, clones, bit-stream copies and forensic images are often used incorrectly, further complicating the issue. This paper will attempt to clear up the confusion. We will present an instructive clarification of what a forensic image is as well as what it is not. In addition, we will provide a comprehensive look at the many different ways to access data on forensic images using mostly open source tools on both Windows and Linux platforms.

Windows ShellBag Forensics in Depth

By Vincent Lo

The problem of identifying when and which folders a user accessed arises often in digital forensics. Forensicators attempt to search for them in the ShellBag information because it may contain registry keys that indicate which folders the user accessed in the past. Their timestamps may demonstrate when the user accessed them. Nevertheless, a lot of activities can update the timestamps. Moreover, the ShellBag structure differs slightly between different Windows operating systems. How to interpret ShellBags correctly has become a challenge. This paper summarizes the details of ShellBag information and discusses various activities across Windows operating systems.

Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise

By Kenneth J. Zahn

The 2012 DC3 Digital Forensic Challenge included two malware analysis-related exercises, one described as “basic” and one described as “advanced.” For each exercise, competing teams were provided with an ostensibly malicious—though ultimately innocuous—sample and asked to conduct an analysis befitting the sample’s complexity. The author’s challenge team, Plan 9, placed 2nd in the Government-only category, 3rd in the US-only category, and 5th in the overall competition. This paper will discuss an updated version of Plan 9’s solution to the basic malware analysis exercise using a combination of goal-driven and process-driven approaches. It should be noted that one of Plan 9’s goals in the competition was to use only freely available or open source tools to guarantee the portability of the exercise solutions. To improve the utility of this paper, the tools that were presented in the original solution have been updated to reflect their latest versions at the time of writing. Further, the solution has been expanded to include additional analysis tools that were not presented in the original exercise submission.

Straddling the Next Frontier Part 2: How Quantum Computing has already begun impacting the Cyber Security landscape

By Eric Jodoin

Theoretical designs of quantum computing are progressively transmuting into practical applications. But when will such applications of quantum physics phenomena become available? How will they impact the cyber security landscape? As cyber security professionals, what must we know and what must we start doing today to be ready? Using the foundation developed in my previous paper, part 2 focuses on understanding the threats as well as existing and developing opportunities. The first objective of part 2 is to help the reader take preemptive steps in a timely fashion and posture defenses appropriately. The second objective is to help readers gain the knowledge that will ensure they are ready to take full advantage of quantum computing opportunities as they become available.

Intelligence-Driven Incident Response with YARA

By Ricardo Dias

Given the current cyber threat landscape, organizations are now beginning to acknowledge the inexorable law that decrees that they will be compromised. Threat actors’ tactics, techniques, and procedures demand intelligence-driven incident response, which in turn depends upon methodologies capable of yielding actionable threat intelligence in order to adapt to each threat. The process to develop such intelligence is already in motion, relying heavily on behavioral analysis, and has given birth to cyber threat indicators as a means of fingerprinting, and thus identifying, new and unknown threats. This paper will focus on YARA, a malware identification and classification tool used as a scan engine, whose features will be explored in order to deploy indicators at the endpoint.

Incident Response in Amazon EC2

By Tom Arnold

The Amazon Elastic Compute Cloud (“EC2”) is one of the richest and most robust cloud environments. The full list of services gives the cottage entrepreneur the computing power and Internet presence of a Fortune 500 company. Although Amazon’s environment is very robust, humans are still a part of building and fielding the application running on EC2; as such, a fully secure environment can hardly be assured. The likelihood of significant flaws in the applications, or in the configurations of the systems, opens the risk of a security breach or compromise that will require a security incident response. This paper examines the steps that a first responder should take in response to a detected security incident within Amazon EC2. Forensic examination as covered in FOR408 begins with a trusted, scientific acquisition of evidence to support the analysis and examination process. If a first responder blunders, the impact can destroy important evidence, drive the attack to ground, and leave the environment exposed. This paper is NOT a full discussion of the steps a forensic investigator should take in analyzing the incident; rather, the focus is on the immediate action that an Amazon EC2 subscriber should prepare to take in advance of the forensic cavalry arriving on scene.

Applying Business and Technical Context to prioritize and generate relevant Cyber Threat Intelligence (CTI)

By Deepak Bellani

Today most threat feeds are comprised of IOCs, with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge, i.e. its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization’s networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.

Filesystem Timestamps: What Makes Them Tick?

By Tony Knutson

The purpose of this paper is to delve into how file system timestamps work not only between NTFS, FAT32 and exFAT, but also between Windows Operating Systems. Currently, much disparate information remains concerning file system analysis. The purpose of this research paper is to assist in putting together the work of the foremost experts in filesystem analysis concerning Created, Modified Changed, File Modified and Access dates and how they work across the spectrum of Microsoft Operating Systems. This information will be gathered from the three main file systems used by Microsoft. The functioning of these timestamps has a direct impact on both the findings and the reporting conducted by forensicators in their day-to-day examinations. This paper hopes to serve as a centralized source of information in order to assist others with the knowledge and understanding they need to correctly conduct digital forensic examinations.

Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi

By Scott Perry

As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are nearly impossible to recreate.
Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi.
