Computer Forensics practice

You’ve just finished receiving digital forensics training or acquired a new tool (FTK, EnCase, Sleuth). Now what? You’re waiting for some real cases to crack. In the meantime, over on the SANS Forensics blog, Ken Pryor has posted an excellent article which lists most of the freely available forensic exercises, challenges, and practice images: http://blogs.sans.org/computer-forensics/2010/07/27/im-here-now-what/

Remember, I’ve previously posted a list of:

REMnux: Distro for Reversers

Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers.  From the REMnux page:

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

(Tool) FireShark: Aid for web incident response

The tool of the day is FireShark, a free web analysis tool. This is great to have in your toolbox for IR. FireShark will generate a mind map of a given webpage; think of it as a graphical representation of NoScript, e.g. the map for Amazon.com would show quantcast.com, google-analytics.com, facebook.com, and twitter.com connected because it loads JavaScript and/or images from those sites. The tool consists of a Firefox plugin with some additional Perl scripts.

Now, if the authors would add geolocation to the maps we could quickly see if a site is pulling from a server in Russia or China, which could be an obvious sign of infection….

Forensics on Amazon’s Kindle

I recently stumbled upon two great blog posts regarding Kindle forensics. Eric Huber’s ‘A Fistful of Dongles’ blog has some interesting initial analysis on imaging the Kindle and key artifacts to zone in on.

Part 1: A Cursory Look at Kindle Forensics

Part 2: Additional Thoughts on Kindle Forensics

Some interesting data Eric discovered:

  • last book read w/ timestamp
  • position in the book
  • books loaded on device
  • strings user has searched for
  • *Remember with Kindle’s 3G ability you may want to use a Faraday bag

Analyzing Malicious PDF Documents

So you want to get your feet wet?

  1. Grab Didier Stevens’ tools here: http://blog.didierstevens.com/programs/pdf-tools/
  2. Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
  3. Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
  4. You’re going to run into some heavily obfuscated JavaScript.  Read this article: http://isc.sans.org/diary.html?storyid=2358
  5. Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)
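
Before digging into the JavaScript itself, a quick triage pass shows whether a PDF carries script and an automatic trigger at all. The sketch below is an added example, not code from the original post or from Didier Stevens’ tools; the keyword list, function names and the constructed sample bytes are assumptions made for illustration. It undoes `#xx` name escapes before matching, since those are a common way to hide keywords from simple string searches.

```python
import re

# Name keywords worth a second look during triage (a subset chosen for this example).
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/ObjStm")

# A PDF name: '/' followed by characters that are neither whitespace nor delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a PDF name, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage(data: bytes) -> dict:
    """Count suspicious names; 'obfuscated' counts those written with #xx escapes."""
    report = {k: {"total": 0, "obfuscated": 0} for k in SUSPICIOUS}
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        name = decode_name(raw)
        if name in report:
            report[name]["total"] += 1
            if b"#" in raw:
                report[name]["obfuscated"] += 1
    return report


def needs_review(report: dict) -> bool:
    """Flag script combined with an automatic trigger, or any escaped keyword."""
    script = report["/JS"]["total"] + report["/JavaScript"]["total"]
    trigger = report["/OpenAction"]["total"] + report["/AA"]["total"]
    hidden = any(v["obfuscated"] for v in report.values())
    return (script > 0 and trigger > 0) or hidden


# Constructed sample: a harmless PDF fragment, not a real malicious document.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n")

if __name__ == "__main__":
    for name, counts in triage(SAMPLE).items():
        print(f"{name:14} {counts['total']} (escaped: {counts['obfuscated']})")
    print("needs review:", needs_review(triage(SAMPLE)))
```

This scans raw bytes only, so keywords inside compressed streams are not seen; a document that comes back clean here still needs its streams decoded before you trust it.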

GPS Forensics & Google Earth

I previously wrote about online GPS Forensic references and wanted to put them to use. I had a suspicion that my girlfriend has been seeing another man. When she was at work I grabbed her GPS (Garmin Nuvi 205) and connected it via USB (don’t forget a write blocker). For Garmin models, the file you want to look for is “Current.gpx”.

Once I copied Current.gpx, I installed Google Earth. Earth actually imports several different GPS data/location files. Earth parsed all the recent destinations entered into the GPS and loaded them as waypoints. It makes it very convenient to find out where someone has been, where they might live (home location), etc. Think about all the applications, e.g. rental car GPS units.

***If you don’t want to use Earth you can open the gpx file in a text editor (simple XML).  You’ll be looking at lat/longitude coordinates that you can plot yourself.