This Blog is dedicated to Digital Forensics and Incident Response: tools, techniques, policies, and procedures.
Tuesday, April 24, 2012
Delivering GSR at ACFE Greater Chicago Chapter
I will be delivering the Trustwave Global Security Report at the ACFE in Chicago this week! Really looking forward to it! Hope to see you there!
Monday, April 23, 2012
The Core Duo
Once again I am sitting in an airport (LaGuardia this time) writing another blog post. The good news is that it looks like my life is taking back on some semblance of normalcy, and I can start writing again.
Since my promotion to Managing Consultant, in conjunction with the release of the Trustwave Global Security Report, I have been swamped. But that's all I have to say about that.
So I have recently been doing a lot of speaking and teaching, and came to an interesting conclusion about what the core (and in my opinion, critical) skills of our trade are, which I have affectionately dubbed "The Core Duo".
When I really started to think about it, what we do (Forensics and Incident Response) really boils down to only two things:
1. Spotting Patterns
2. Spotting Anomalies
Now, I know this sounds really simple...maybe too simple, but let me explain. First of all, simplicity is something that I think is frequently dismissed as undesirable. I think there are a lot of folks who think something to the effect of, "If something can be explained in simple, easy to understand terms, it must not be very complex". I contend that this is not the case. I think that even the most complex situations (and we all know cyber investigations are among the most technical and convoluted anywhere) are made up of components that can be broken down and simplified. Being able to do this is a critical element in actually understanding what you are doing and why you are doing it. That in turn leads to being successful at what you are doing, which finally leads to you solving the case, and potentially, some bad guy going to jail.
Ok...so think about your "typical" case. You have stuff (technical term)...RAM dumps, volatile data, forensic images, maybe some log files. You are asked to find something (again, technical term) within that stuff. What you are asked to find will depend on the case, but the theme is the same...go find something specific. Now the fun begins as far as I am concerned...how do you find the something within the stuff?
Well, there are these things we commonly refer to as "Indicators of Compromise" or IOCs. They are data points that indicate the presence of something within the stuff. So I was thinking, "What makes one data point an IOC and another data point not an IOC?" I argue that it's because that something has to fall into one of two categories. It is either an anomaly, or a pattern.
Let's first explore what I mean by using the term "Anomaly". It just means that the something is different than all of the other somethings. There is something about THIS something that makes it different. WHAT is different, why it's anomalous, what the anomaly means, etc...that's the easy part. Binaries can be extracted, log files can be parsed, ripped reg hives can be clearly read and compared with forensic timelines...all the things we normally do in a case. BUT (and this is a pretty big but) ALL of that...all of the tools that exist, all of the books and blog posts that have been written, all of the conferences we attend, and all of the money we spend on training...they all hinge on this one thing...can we spot the anomaly? Can we find the one or the two (or whatever) files, amongst the tens or hundreds of thousands, that are like the kids on Sesame Street, doing their own thing?
THIS is the first core of our trade.
The second core item of the "Duo" is the ability to spot patterns. In my opinion, this applies more to incident response than it does to forensics, although by no means exclusively. Think about a case in which all you have are log files. This is common in my world in E-Commerce cases involving things like SQL Injection, Remote File Inclusion, and Web Shells. Some of these cases literally involve millions of lines of log files that, at first glance, all look more or less the same. Anyone who has worked on an E-Comm case knows what I am referring to. Line after line after line after line of logs...and you are thinking to yourself, "What the heck am I even looking for?" Me? I am looking to identify the first sign of an anomaly, then for a pattern of those anomalies.
Some of the log entries will have something different about them...it's WHAT is different, and HOW we spot them, that is the real meat of the analysis. Then, once you spot the anomaly, you would look for a pattern of that anomaly. Does it occur at regular increments? Does it originate from the same location? Does the access show the same thing or things being accessed over and over...can you spot the pattern?
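To make the two steps concrete, here is an added example (mine, not from the original post) that runs the "anomaly, then pattern" idea over a handful of constructed web server log lines: first pull out the requests that look different from ordinary shop traffic, then ask the post's questions of them (same location? same script over and over? regular increments?). The log lines, IPs and paths are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache-style access log lines (made up for this example, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2012:08:00:01 -0500] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Apr/2012:08:00:09 -0500] "GET /product.php?id=12 HTTP/1.1" 200 8801
198.51.100.23 - - [10/Apr/2012:08:01:00 -0500] "GET /product.php?id=12%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 412
203.0.113.9 - - [10/Apr/2012:08:01:05 -0500] "GET /cart.php HTTP/1.1" 200 3300
198.51.100.23 - - [10/Apr/2012:08:02:00 -0500] "GET /product.php?id=12%27%20UNION%20SELECT%20user(),2,3-- HTTP/1.1" 500 417
198.51.100.23 - - [10/Apr/2012:08:03:00 -0500] "GET /product.php?id=12%27%20UNION%20SELECT%20table_name,2,3%20FROM%20information_schema.tables-- HTTP/1.1" 200 9120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')
# SQL keywords that never belong in a product id: this is WHAT makes a request "different".
ANOMALY_RE = re.compile(r"(union\s+select|information_schema|'\s*or\s+\d+\s*=\s*\d+)", re.IGNORECASE)

def parse(log_text):
    """Turn raw lines into dicts; the path is URL-decoded so encoded payloads are not missed."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["decoded"] = unquote(e["path"])
            entries.append(e)
    return entries

def spot_anomalies(entries):
    """Core 1: the handful of lines that do not look like the rest."""
    return [e for e in entries if ANOMALY_RE.search(e["decoded"])]

def spot_patterns(anomalies):
    """Core 2: per source, same script over and over? evenly spaced (within 5 s) increments?"""
    by_ip = defaultdict(list)
    for e in anomalies:
        by_ip[e["ip"]].append(e)
    patterns = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        patterns[ip] = {
            "count": len(hits),
            "scripts": sorted({e["decoded"].split("?")[0] for e in hits}),
            "regular_interval_s": gaps[0] if gaps and max(gaps) - min(gaps) <= 5 else None,
        }
    return patterns
```

On the sample, three of the six lines are anomalous, all from one address, all hitting the same script exactly 60 seconds apart: one location, one target, a regular increment...the pattern.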
So what does all this mean? OK Chris, we agree with you, to be good at Forensics and/or IR you have to be good at spotting anomalies and patterns. So what? What does that mean to me? Well, I am glad you asked! A couple of things.
1. It gives you an area of focus. Still, one of the most common issues I see while training investigators is analysis paralysis. Simply freezing when confronted with so much data...what do I do...where do I go...how do I even begin? How do I go from gathering data to actually starting to solve cases?
I think that knowing that in every case, regardless of what the case may be, you are either looking for an anomaly or a pattern can help you focus on the task at hand, and get down to making progress (not just throwing tools at data and expecting it to solve the case for you. FORENSIC HINT: THAT will NEVER happen).
2. It helps you as you try to tie your data points together. In an "average" case, we may have data points in our timeline, registry hives, RAM, system event logs, and from binary analysis. We have a lot of data points that all indicate that a breach took place, data was accessed, malware was installed...basically, they tell the story of what happened during that breach. Understand that what you are looking at is a series of anomalies that form a pattern. This pattern is the backdrop against which you will formulate the rest of your investigation.
So, in conclusion, I know it may sound simple, but what I have named "The Core Duo" of forensics/IR is the ability to spot Anomalies or Patterns. Knowing and understanding this concept can help investigators (both new and seasoned) begin difficult investigations with a better idea of what the something they are trying to find within the stuff looks like.
On a side note, since I have begun using this concept, the students that I have taught (and those in the audience at the conferences I have spoken at) have really liked the idea, and have indicated that it really does work. One gentleman recently told me that he wrote them down on a sticky note, and attached the note to his monitor.
It very simply stated:
1. What is the anomaly?
2. Can you spot the pattern?
I think that's a great idea!
While I don't have sticky notes on my monitor, I DO have Case Notes, and in my notes, I now have an entry under my "Misc" tab that indicates the same thing. I urge you to give it a try and let me know how it goes.
Happy Hunting!
Monday, April 2, 2012
Will You Come to Church With Me This Easter?
So, I'm not sure how many of you know about my personal life...not many I imagine, but I am a Christian. This is my testimony.
I am a sinner, and in need of a Savior. I believe that Jesus Christ is the Son of the living God, who gave up his life on a cross on a hill more than 2000 years ago to save me from my sin. Because of Jesus, I can live a life of victory. Free from my sin, free from the grip of the enemy, and free to be everything God created me to be (like a Lethal Forensicator).
This week at my church, our pastor (Dr. Alex Himaya) challenged us to invite three people to church this Easter Sunday, and to pray for them. Well...I work remote...my kids go to a Christian School...and pretty much all of my friends in Tulsa are Christians. Not wanting to dismiss his challenge with a simple, "Sorry...nobody here for me to invite", I thought of my sphere of influence. I wanted to change my mindset to who CAN I invite, not why I can't invite anyone.
So, I was thinking...my sphere is the forensic/IR world. I have contact with hundreds of fellow Forensicators via this blog, Twitter, and FaceBook. So, I am going to reach out to all of you, around the world, and ask you...
"Will you come to Church with me this Easter Sunday?"
If you would like to attend, you can listen LIVE online! Just click on the link!
It is my prayer that wherever you are in your life, you realize that God loves you because of who you are...not because of what you have done, or what you could ever do. You cannot earn God's love...it's a gift. Given freely. You just have to accept it.
I hope you take this opportunity and join us this Easter Sunday at The Church at Battle Creek, in Broken Arrow, OK via the web.
Happy Hunting...er...Hoppy Easter! (haha...get it...)