Wednesday, March 16, 2011

Links and Notes

Links and Notes: "Forensic Meet-up
There are plans afoot for a forensics meet-up in the Northern VA area (Chantilly - Centreville - Herndon - Reston) on 31 Mar 2011. The meet-up will likely start around 6:30pm - 7pm, and the location is TBD for the moment...keep an eye here, or on the Win4n6 group. This first meet-up will be free-form, and I'll work up something of an informal agenda.

As more folks become aware of this meet-up, I guess my initial concern would be where to meet. I'd like this to be informal, and everyone to relax and have a beer. If the interest is for something a bit more formal, then we may move to a different agenda later. Eventually, my hope is that this becomes something useful to folks, as we can discuss and implement innovation in the DF and IR fields...

F-Response Patent
On Fri, 11 Mar 2011, Matt announced that F-Response had received a patent for remote forensic innovation! Congrats, Matt...this is very well deserved!

Of specific note is that F-Response provides, '...forensic grade write-protection...' for remote forensics and raw access to systems.

This is fantastic news for Matt, and for the community as a whole! Matt's contributions to the field have been phenomenal, to say the least.

RegRipper Plugins
I recently wrote up some new plugins (and updated the samparse.pl plugin)...

notify.pl - Parses the Notify subkeys within the Software hive for registered Winlogon Notification DLLs, based on Mark's Case of the SysInternals-Blocking Malware post

init_dlls.pl - Checks for keys similar to the one mentioned in Mark's Case of the Malicious AutoStart post

renocide.pl - Checks for an artifact key mentioned on the MMPC site for the Win32/Renocide malware

These plugins are meant to demonstrate a couple of things...first, that Registry analysis can be used in conjunction with other analysis methods to detect malware within acquired images, where AV scanners might fail. I've run AV scans before where two commercial and three free AV scanners didn't find anything, but the fourth free scanner found something. I've also seen where AV used by customers has failed due not to having the incorrect DAT file, but to having the incorrect scanning engine. We're all susceptible to this, and if you use AV as part of your malware detection process for when you examine acquired images, then this is something that you'll need to be aware of, as well.

Second, all three of these plugins took me less than 30 minutes...total...to write and test. In fact, the only real slow-down was deciding how to make the output a bit more useful...for the notify.pl plugin, I copied code from the userassist.pl plugin to list all of registered DLLs sorted based on their key LastWrite times. This means that if I want to deploy any of these plugins as part of my timeline creation toolkit, it's simply a matter of minutes for me to modify them. So in less than 30 minutes, I was able to add three new plugins to the library, and saved everyone who uses those plugins the time for researching and writing those plugins themselves. This serves not only as a force multiplier, but also as a library for institutional knowledge within the community as a whole.

You can get copies of these plugins from Brett's RegRipper.net site.

As a side note, running RegRipper is just part of the malware detection process that I use regularly, and what I'm writing about and detailing for my next book. Part of the supporting materials for this book will include a checklist, as well.
"