Wow, time has flown by... The presentation went great! Sam and I were really amazed to see the connection to our presentation by lots of folks at DEFCON. Conference was a bit crowded and hard to see the presentations that you wanted to see, but you have probably already read all those reports.
Here is the presentation that Sam and I presented on July 30th. Please feel free to email or let us know your thoughts!
Defcon 18 Presentation - DC Smith Sam Petreski - Forensic Methodology
Thursday, August 5, 2010
Saturday, June 5, 2010
It is official...
Posted @ defcon.org today:
DAVID C. SMITH GEORGETOWN UNIVERSITY AND HCP FORENSIC SERVICES
A NEW APPROACH TO FORENSIC METHODOLOGY - !!BUSTED!! CASE STUDIES
DAVID C. SMITH GEORGETOWN UNIVERSITY AND HCP FORENSIC SERVICES
SAMUEL PETRESKI GEORGETOWN UNIVERSITY AND REMOTE IT CONSULTING
Imagine the following experiment, a unique case is given to three digital forensic analysts and each is given the opportunity to engage the requester in order to develop the information needed to process the case. Based on the information gathered, each of the three analysts is asked to provide an estimate to complete the investigation and can proceed with up to 20 hours to process the case. The analysts are then measured based on the total findings, the time required to process the case, the initial information gathered, and the estimated time to process the case. The expected result is to be varied based on experience and individual characteristics, such as organization, discipline, and the attention to detail of each analyst. Imagine this same experiment but with only 8 hours to process the case, because that is the way it happens in real life.
David Smith and Samuel Petreski have developed a methodology that fits within the Analysis phase in one of the standard Digital Forensic Analysis Methodologies - PEIA (Preparation, Extraction, Identification, and Analysis), to provide a structure for consistent results, better development of the requested goals, increase efficiency in fulfilling the goals, and develop an improved estimate of the time required to complete the request.
This methodology involves the generation and validation of case goals, the evaluation of methods used to achieve the goals, a structure for estimating the effectiveness, time required, processing results of specific methods, and generalized organization and time management. The primary goal of this methodology is to address the structure and optimal path that would allow a digital forensic examiner to perform an examination with a high level of efficiency and consistent results.
This presentation provides an introduction to this methodology and applies its key concepts to real sanitized digital investigations, such as tracking down a suspected executive's adult craigslist ad, performing an analysis on a compromised system involving social security numbers, and making the determination of intellectual property theft.
David C. Smith works as the CSO for Georgetown University and a co-owner of HCP Forensic Services providing information security programs, digital forensics, and expert witness testimony. He has been in the technical field for over 20 years and enjoys engaging in complex technical problems.
Samuel Petreski works as a Senior Security Analyst for Georgetown University and an owner of Remote IT Consulting. Samuel has worked mostly in higher-ed focusing on network architecture and administration, as well as building and administering scalable network security solutions. He posses over 10 years of experience in the IT field working in very diverse environments.
David Smith and Samuel Petreski have developed a methodology that fits within the Analysis phase in one of the standard Digital Forensic Analysis Methodologies - PEIA (Preparation, Extraction, Identification, and Analysis), to provide a structure for consistent results, better development of the requested goals, increase efficiency in fulfilling the goals, and develop an improved estimate of the time required to complete the request.
This methodology involves the generation and validation of case goals, the evaluation of methods used to achieve the goals, a structure for estimating the effectiveness, time required, processing results of specific methods, and generalized organization and time management. The primary goal of this methodology is to address the structure and optimal path that would allow a digital forensic examiner to perform an examination with a high level of efficiency and consistent results.
This presentation provides an introduction to this methodology and applies its key concepts to real sanitized digital investigations, such as tracking down a suspected executive's adult craigslist ad, performing an analysis on a compromised system involving social security numbers, and making the determination of intellectual property theft.
David C. Smith works as the CSO for Georgetown University and a co-owner of HCP Forensic Services providing information security programs, digital forensics, and expert witness testimony. He has been in the technical field for over 20 years and enjoys engaging in complex technical problems.
Samuel Petreski works as a Senior Security Analyst for Georgetown University and an owner of Remote IT Consulting. Samuel has worked mostly in higher-ed focusing on network architecture and administration, as well as building and administering scalable network security solutions. He posses over 10 years of experience in the IT field working in very diverse environments.
Saturday, May 29, 2010
What's Up?
Been working a lot, getting very excited about our Defcon 18 presentation and tool release. We haven't heard back from Black Hat, but always thought it was a really long shot. A better description is that it is part methodology, part process, and part expert system.
The primary goals are to improve the initial request, develop better agreed upon investigation goals, and improved time estimation. Then in the analysis phase, better guidance in choosing the optimal methods and a structure for time management. Fun, eh?
Between that and wrapping up about 6 cases with my two teams (HCP Forensics and GU InfoSec) it has been a crazy couple of weeks. I still have complete the last two rounds of my testing for the Tableau TD1 as well!
Saturday, May 15, 2010
Tableau TD1 Forensic Imager Initial Review
Yea, I finally got paid from wrapping up a case, worst was 90+ over due and best was 45+ days over due BUT the profit from these cases was earmarked to purchase new equipment. The first purchase was from ForensicPC.com and was the Tableau TD1 Forensic Imager. I priced it around and found I could have shaved $20 from the total price, but I had to wait on a full quote from a site that didn't have a online cart. I also purchased it with the Pelican 1450 case (other sites had a mark-up, but free case).
Forensic PC ordering process was just okay, I submitted on a Saturday after depositing the check and they processed the order on Monday. I got an email stating that I went from order received to paid, but then didn't hear anything for 8 days. I wrote a note about the status and got an apology email saying that I should have got a message (maybe spam filtered) telling me about the delay on the TD1 and the case. Since I filter spam and not delete, I checked and there was no message. I did get emails on the ship status and tracking and it arrived yesterday - Whoo-hoo!
Ok, enough overhead on the story. I unpacked and inventoried everything and was impressed with the unit size and features. I had previously used the Voom HC II and noticed a few differences that what I was used to. First, speed. I ran it through some testing (full output spreadsheet to come when complete) and the speed was impressive at 6GB+ on my equipment with MD5 and SHA1. My initial tests were mostly functionality and not to quantify the speed but happy right away with the overall speed with SATA disk to disk, disk to file, and wipe. Second, I like the setup and input of examiner and case info. I thought it might suck with slow typing but since I am used to IPhones it was that bad (I read that you can use a USB keyboard, but that is a future test).
Now a little of the not-thrilled-about / maybe-getting-used-to. Voom HC2 had NTFS format and could create a full size disk-to-file, e.g. 80GB drive to a 80GB file. Sure it had a funky thing with once you mount a Voom HC2 NTFS drive on any system it was not recognizable by the Voom again, but I like having large files without a follow up conversion. TD1 can create FAT32 formats and the underneath structure of the TD1 seems that it is based on "chunks" and configuring the size of the chunks. I processed some images and am not sure that it will be a big deal with me. All my tools cover multiple files and TD1 puts them in nice directories with the dates.
I did update the firmware first thing out of the box and the process was pretty nice. Connected with a firewire 400 port and ran some Tableau windows software. The software saw my TD1 and recommended the firmware update. It ran without any issue, and I powered down, unplugged everything, and powered back up to reread the firmware. Tableau markets the ease of upgrade and would agree.
I should be able to post my validation, functionality, and speed results in the next couple of weeks. I got to get more progress on Sam and I's Defcon presentation.
-Dave
Forensic PC ordering process was just okay, I submitted on a Saturday after depositing the check and they processed the order on Monday. I got an email stating that I went from order received to paid, but then didn't hear anything for 8 days. I wrote a note about the status and got an apology email saying that I should have got a message (maybe spam filtered) telling me about the delay on the TD1 and the case. Since I filter spam and not delete, I checked and there was no message. I did get emails on the ship status and tracking and it arrived yesterday - Whoo-hoo!
Ok, enough overhead on the story. I unpacked and inventoried everything and was impressed with the unit size and features. I had previously used the Voom HC II and noticed a few differences that what I was used to. First, speed. I ran it through some testing (full output spreadsheet to come when complete) and the speed was impressive at 6GB+ on my equipment with MD5 and SHA1. My initial tests were mostly functionality and not to quantify the speed but happy right away with the overall speed with SATA disk to disk, disk to file, and wipe. Second, I like the setup and input of examiner and case info. I thought it might suck with slow typing but since I am used to IPhones it was that bad (I read that you can use a USB keyboard, but that is a future test).
Now a little of the not-thrilled-about / maybe-getting-used-to. Voom HC2 had NTFS format and could create a full size disk-to-file, e.g. 80GB drive to a 80GB file. Sure it had a funky thing with once you mount a Voom HC2 NTFS drive on any system it was not recognizable by the Voom again, but I like having large files without a follow up conversion. TD1 can create FAT32 formats and the underneath structure of the TD1 seems that it is based on "chunks" and configuring the size of the chunks. I processed some images and am not sure that it will be a big deal with me. All my tools cover multiple files and TD1 puts them in nice directories with the dates.
I did update the firmware first thing out of the box and the process was pretty nice. Connected with a firewire 400 port and ran some Tableau windows software. The software saw my TD1 and recommended the firmware update. It ran without any issue, and I powered down, unplugged everything, and powered back up to reread the firmware. Tableau markets the ease of upgrade and would agree.
I should be able to post my validation, functionality, and speed results in the next couple of weeks. I got to get more progress on Sam and I's Defcon presentation.
-Dave
Thursday, May 13, 2010
Defcon 18 Presentation
Good news, Sam and I got an announcement this morning that we have been accepted by Defcon for our presentation "A New Approach to Forensic Methodology - !!BUSTED!! case studies". We are pretty excited and always love Vegas - it is the bomb.
The presentation is shaping up nicely and Sam is working on the software component that will really demonstrate our practical methodology. Again, very excited. Buzz me if you want some up front information, but I'll probably hold off on posting some of the more interesting details until we get most of the work behind us.
Ok, a completely different topic. I am loving my setup for my primary system at home. A quick review:
Intel i7 chip, custom cooling, overclocked to i7-965 using the Easy Tune app from Gigabyte MB. Stress tested with Prime95 keeping the CPU / system temp under 80C at full load, 43C and 46C typical load. Windows 7 64-bit, 8GB of mem, 4 1TB drive, 1 1.5 TB drive, ESATA for Thermaltake BlackX.
Ok, the part I like: I have become a big fan of Sun VirtualBox. I can't put my finger on it, but my total experience is that it seems less invasive that VMware and gives me everything I want. VMs have 1GB ram and different levels of CPU cores assigned. VM's include DeveloperXP, Ubuntu-64 (developer and workstation), Forensic XP, SIFT Workstation imported from VMware, Dirty XP (checking out dubious sites and software), and Georgetown XP. I also have a separated malware XP and Ubuntu systems with additional protections.
Best news, it runs like a champ - I don't feel any pain when running VMs and AV / Secunia PSI. I can schedule snapshots and file them away. Da Bomb-bay!
BTW, see you in Vegas for Defcon and BlackHat - I love the vendor parties!!!
.
The presentation is shaping up nicely and Sam is working on the software component that will really demonstrate our practical methodology. Again, very excited. Buzz me if you want some up front information, but I'll probably hold off on posting some of the more interesting details until we get most of the work behind us.
Ok, a completely different topic. I am loving my setup for my primary system at home. A quick review:
Intel i7 chip, custom cooling, overclocked to i7-965 using the Easy Tune app from Gigabyte MB. Stress tested with Prime95 keeping the CPU / system temp under 80C at full load, 43C and 46C typical load. Windows 7 64-bit, 8GB of mem, 4 1TB drive, 1 1.5 TB drive, ESATA for Thermaltake BlackX.
Ok, the part I like: I have become a big fan of Sun VirtualBox. I can't put my finger on it, but my total experience is that it seems less invasive that VMware and gives me everything I want. VMs have 1GB ram and different levels of CPU cores assigned. VM's include DeveloperXP, Ubuntu-64 (developer and workstation), Forensic XP, SIFT Workstation imported from VMware, Dirty XP (checking out dubious sites and software), and Georgetown XP. I also have a separated malware XP and Ubuntu systems with additional protections.
Best news, it runs like a champ - I don't feel any pain when running VMs and AV / Secunia PSI. I can schedule snapshots and file them away. Da Bomb-bay!
BTW, see you in Vegas for Defcon and BlackHat - I love the vendor parties!!!
.
Thursday, May 6, 2010
Facebook Arrays
Helping a friend out with a Facebook application and I had to deal with an array of array export from a multiquery FQL. Sheeesh, fields and values mis-matched all over the place! However, using dynamic PHP arrays it makes it a little easier with the following code.
#Multiout is the array delivered from the FQL
foreach($multiout as $fqlset) { #Strip the wrapper array
$messagebody = $fqlset[fql_result_set];
foreach ($messagebody as $messageArray) { #Strip the message vs. metadata
foreach ($messageArray as $key => $value) { #Finally get to drop the 'record name' and value
$ordered_array[$key][] = $value;
}
}
}
At the end of the process, you have an ordered array that was combined by the multiquery.
#Multiout is the array delivered from the FQL
foreach($multiout as $fqlset) { #Strip the wrapper array
$messagebody = $fqlset[fql_result_set];
foreach ($messagebody as $messageArray) { #Strip the message vs. metadata
foreach ($messageArray as $key => $value) { #Finally get to drop the 'record name' and value
$ordered_array[$key][] = $value;
}
}
}
At the end of the process, you have an ordered array that was combined by the multiquery.
Monday, May 3, 2010
Why I think a lot of online (potentially you) blogger are idiots!
Yes, idiots - you know, filling the ID-10-T form in triplicate. Yes, yes, I'll choose most dictionary first listing, "an utterly foolish or senseless person", and not the psychology term "a person of the lowest order in a former classification of mental retardation, having a mental age of less than three years old and an intelligence quotient under 25". I don't think they are that bad.
Ok, as you might know, I am a fan of critical thinking (link to the wiki description) and it appear that more and more arguments are relying on emotional arguments and arguments without sound logic or reasoning. A little bit of everyone dies when we have nothing but emotional arguments to make points (that is supposed to be funny, cause I didn't have any reasoning or logic and tried to convince you of a point).
What happened to making points with reason to educate, pontificate, or discuss subjects? You then create your counter points and summarize and if your argument has merit, then you might convince someone of your point-of-view. I don't even care how lame or how much I disagree, I'll listen or read and process.
Also, it used to be easy to avoid because you could learn the fanatical conversations and steer clear of the subjects, like IT certification (google search), Microsoft vs. Novell, or Windows or *nix, and so on.
Final thoughts:
1. If you win an argument with emotional arguments, say with "You don't want our country nuked, do you", aren't you just going to lose the argument to someone else with something similar? Say "Less baby seals will get clubbed by saving electricity and going green all over".
2. Research it! What are your most valid points and what are the best counter points for you to address?
3. Respect it! Treat people like idiots and they will either be pissed off or act like idiots.
-Dave
Ok, as you might know, I am a fan of critical thinking (link to the wiki description) and it appear that more and more arguments are relying on emotional arguments and arguments without sound logic or reasoning. A little bit of everyone dies when we have nothing but emotional arguments to make points (that is supposed to be funny, cause I didn't have any reasoning or logic and tried to convince you of a point).
What happened to making points with reason to educate, pontificate, or discuss subjects? You then create your counter points and summarize and if your argument has merit, then you might convince someone of your point-of-view. I don't even care how lame or how much I disagree, I'll listen or read and process.
Also, it used to be easy to avoid because you could learn the fanatical conversations and steer clear of the subjects, like IT certification (google search), Microsoft vs. Novell, or Windows or *nix, and so on.
Final thoughts:
1. If you win an argument with emotional arguments, say with "You don't want our country nuked, do you", aren't you just going to lose the argument to someone else with something similar? Say "Less baby seals will get clubbed by saving electricity and going green all over".
2. Research it! What are your most valid points and what are the best counter points for you to address?
3. Respect it! Treat people like idiots and they will either be pissed off or act like idiots.
-Dave
Subscribe to:
Posts (Atom)