Skip to main content

Posts

Showing posts from 2008

Black Hat USA 2008

So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. A lot of the great topics with new material were presented by people with poor public presentation skills, whereas alot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it moved very quick and had lots of content and labs. The teachers were extremely knowlegeable and were able to convey the material well. My only suggestion would be that they should have spent more time on Ollydbg, but with the labs I can do that on my own time. They did spend extensive time using IDAPro, whic…

Book Review: Real Digital Forensics

In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly its because I buy so many books that by the time I get around to actually reading them, its been a few years Laughing. Now on to the review.

With this group of experienced authors, it hard to imagine the book not being a success. While not spectacular, this books is very solid and fairly easy to read. I would have to say for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever, they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. windows. All the chapters that focused on analysis and…

Real Digital Forensics

Real Digital Forensics

by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save data locally on the hd, as there is a chance you may be overwriting evidence

Always use the -b option with md5sum, to perform the hash in binary mode

-k option with cryptcat, allows you to set the encryption password

Volatile Data

* system date and time
* current network connections
* open tcp and udp ports
* which exe's are opening tcp and udp ports
* cached netbios name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps

To truly verify a system binary, you must compare hashes with trusted source

Common attack involves changing a servers routing table to redirect traffic and bypass firewalls

Firedaemon turns any process into a service

userdump.exe will capture memory space used by any running process. userdump output cannot be sent via netcat, so y…