Long Overdue 2015 Update

cc15badgeIt’s been an extremely busy start to the year but I wanted to make a quick post to talk about what I’ve been up to so far.

Last month I got to attend my first SANS DFIR specific event when I took the FOR508 with Rob Lee in Monterey. I’ve taken the 508 previously but this was a much needed refresher. As I’ve discussed in a few different articles the FOR408 focuses on analyzing activity on a Windows computer and the 508 builds upon that base to cover quickly triaging large numbers of systems remotely, a “greatest hits” of memory analysis, timeline automation and analysis, volume shadow copy analysis and covers deep dive artifact analysis on Windows systems like I’ve never seen covered anywhere else. The deep dive section may be things you don’t remember verbatim but the combination of being exposed to them and having the course books as a reference means you’ll quickly be able to analyze those artifacts when the time comes.

In addition to being my first DFIR specific conference, this was my first class with Rob Lee. He was funny, friendly and took the time to chat with students in class and online. Throughout the entire class Rob shared real world stories of exactly how what he was teaching us has been used out in the real world.

For the day 6 challenge Rob and the 572 instructor Phil Hagen tried something they had never tried before, they combined the classes! The data for the day six challenge for both classes is from the same event (508 students have the disk and memory artifacts and 572 students have the network artifacts) so their idea was that teams could work together with 508 students giving 572 students indicators to look for and 572 students helping answer what activity was going on. The plan worked flawlessly and everyone involved seemed to have a really good time. I was fortunate to have some brilliant individuals on my team and we won the challenge and the Lethal Forensicator coins 🙂

Monterey was a great time but as soon as I got back home it was back to the books. Back in December I answered the CactusCon call for papers with a proposal for my first ever public con talk. CactusCon called my bluff so this past Friday I gave a talk on “Getting Started with Memory Forensics”. There were approximately 40 people in the room for my talk and I received some great feedback afterwards. This was my first CactusCon and they did a fantastic job from start to finish. They had multiple tracks of talks, a Dave Kennedy keynote speech, a lockpick village and an area outside for attendees to solder the parts kits onto their badges. I had a great time and I’ve got nine months to come up with a good idea for a talk for the 2016 version.

That’s what’s been keeping me occupied so far this year. I’d say that now I can breathe a little but I doubt very seriously that it’s going to slow down.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more