Thursday, October 16, 2014

Where have I been?

I seem to have been quiet the last year or so; figured it was time for an update.

I am GCFA certified now and still working at KPMG. Love the team, learning something every day.

I published the following article on Heartbleed a few months back:

I had my first interview with a Tech publisher after presenting at the ISC2 Conference in October.

This is a similar talk to the one I presented at TechnoSecurity and ArchC0n.

Currently working on a couple of new pieces for KPMG that I will link to from this blog.

Wednesday, July 3, 2013

Windows 8 Thesis DRAFT

This has been a little over a year coming. While I have enjoyed everything I have learned on this topic, I have until the end of the month to finish it up and submit it for graduation. Feedback on what I might be missing or things that I need to clarify would be great.


One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how digital forensic analysts can use current digital forensics tools and processes to recover and find hidden information. Microsoft has released its new operating system, Windows 8. With this release Microsoft has added features to the operating system that will present some interesting complications for digital forensics.

Since the initial release of the Windows 8 Release Candidates there has been some research released that focuses primarily on the new user-created artifacts, and on a few artifacts added by the operating system that might contain valuable information. In this paper I will look at the new recovery options introduced in Windows 8 and the impact they have on these artifacts.

The first thing I plan to look at is the artifacts discovered in the research of Amanda Thomson. Once I have analyzed these artifacts and verified their locations on disk, I will create a baseline dataset against which to compare the impact of the recovery options on these artifacts. I will also use artifacts of new features that I have researched for this baseline.

The second thing I will look at is how the various recovery options affect the artifacts found on the operating system. This will be done by installing Windows 8 in a virtual machine environment, taking snapshots of a base image, and then using the various recovery methods. Once a recovery method has completed successfully, I will take the virtual machine image and mount it in FTK and EnCase for analysis.

The final thing I will include in this paper is a detailed walkthrough of where the artifacts reside on the machine after a recovery option has completed. I will examine the locations on a live machine as well as on a forensic copy. I will show which artifacts are easily recoverable, which artifacts take a little time to recover, and which artifacts will not be recoverable.
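The comparison described above (baseline the artifact locations on a clean image, run a recovery option, re-examine the same locations, and sort each artifact into intact, modified, or gone) can be automated against a mounted image or VM disk. The script below is an added example written for this post, not code from the thesis: it inventories a list of watched relative paths under a mount point by size and SHA-256, then diffs a baseline inventory against a post-recovery one. The `BASELINE` and `AFTER` dictionaries are constructed sample data whose paths and hashes only illustrate the shape of the comparison; they are not verified Windows 8 results.

```python
"""Baseline-vs-post-recovery artifact comparison (added example, not from the thesis)."""
import hashlib
from pathlib import Path

# Relative paths (under a mounted image root) worth tracking across a recovery run.
# This list is a constructed example; a real study would use the locations
# verified during the baseline phase.
WATCHED_PATHS = [
    "Users/alice/NTUSER.DAT",
    "Users/alice/Documents/notes.txt",
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
]


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large hives and images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root: Path, watched: list[str]) -> dict[str, dict]:
    """Record size and SHA-256 for each watched path that exists under root.

    A path that is absent is simply left out of the result; that absence is
    how a post-recovery inventory records an artifact the recovery wiped.
    """
    result: dict[str, dict] = {}
    for rel in watched:
        candidate = root / rel
        if candidate.is_file():
            result[rel] = {
                "size": candidate.stat().st_size,
                "sha256": sha256_file(candidate),
            }
    return result


def compare(baseline: dict[str, dict], after: dict[str, dict]) -> dict[str, list[str]]:
    """Sort every baseline artifact into intact / modified / missing, and flag new paths.

    'intact' means the content hash is unchanged, 'modified' means the file is
    still present but its hash differs (e.g. a hive rewritten by the recovery),
    'missing' means the recovery removed it, and 'new' lists paths present only
    afterwards (candidates for where old data may have been relocated).
    """
    report: dict[str, list[str]] = {"intact": [], "modified": [], "missing": [], "new": []}
    for rel, meta in baseline.items():
        if rel not in after:
            report["missing"].append(rel)
        elif after[rel]["sha256"] == meta["sha256"]:
            report["intact"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in after:
        if rel not in baseline:
            report["new"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def format_report(report: dict[str, list[str]]) -> str:
    """Render the comparison as plain text for inclusion in case notes."""
    lines = []
    for bucket in ("intact", "modified", "missing", "new"):
        lines.append(f"{bucket} ({len(report[bucket])}):")
        lines.extend(f"  {rel}" for rel in report[bucket])
    return "\n".join(lines)


# Constructed sample inventories standing in for a pre- and post-recovery run.
# Hashes are placeholder strings, not digests of real files.
BASELINE = {
    "Users/alice/NTUSER.DAT": {"size": 262144, "sha256": "hash-ntuser-before"},
    "Users/alice/Documents/notes.txt": {"size": 512, "sha256": "hash-notes"},
    "Windows/System32/config/SYSTEM": {"size": 8388608, "sha256": "hash-system-before"},
    "Windows/System32/config/SOFTWARE": {"size": 33554432, "sha256": "hash-software-before"},
}
AFTER = {
    "Users/alice/NTUSER.DAT": {"size": 262144, "sha256": "hash-ntuser-after"},
    "Users/alice/Documents/notes.txt": {"size": 512, "sha256": "hash-notes"},
    "Windows/System32/config/SYSTEM": {"size": 8388608, "sha256": "hash-system-after"},
    "Windows.old/Users/alice/NTUSER.DAT": {"size": 262144, "sha256": "hash-ntuser-before"},
}

if __name__ == "__main__":
    # Against a real mounted image you would instead run, for example:
    #   before = inventory(Path("/mnt/win8_base"), WATCHED_PATHS)
    #   after  = inventory(Path("/mnt/win8_after_refresh"), WATCHED_PATHS)
    print(format_report(compare(BASELINE, AFTER)))
```

The `new` bucket is the interesting one for the walkthrough in the last paragraph: a baseline artifact that shows up as missing from its original location but whose hash reappears under a new path is the "takes a little time to recover" case, while a missing artifact whose hash appears nowhere in the post-recovery inventory is the candidate for "not recoverable" and warrants carving.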

My Thesis

Wednesday, April 17, 2013

Malware Roulette

When I started my move into malware incident response, my training options were third-party training, on-the-job experience, or using a piece of malware from a trusted source. I was limited to what I could afford, what I encountered through my work, or already knowing the malware I was analyzing. While these are all valid options, I wanted more.

I was impressed by the different DFIR challenges available online, but quickly noticed the limitations imposed on them. You were working with artifacts and clues that the creator felt were important. While this helped baseline where you should focus your attention, it never gave the responder the ability to determine where they should look.

I wanted to take this to the next level and see what it would take to create a malware challenge that would allow a wide range of analysts the ability to utilize and learn. This solution needed to be robust, modular, and somewhat random so it could be used more than once.

With that, I am proud to announce the release of Malware Roulette. This application allows analysts to build and test their malware incident response skill set without knowing the actual malware being installed. It can also create other random artifacts that would be considered false positives, as well as unrelated but potentially malicious network behavior. In total, at the most challenging level, there are over 12000 unique artifact combinations that could be discovered on a machine.

Malware Roulette is written in the AutoIt scripting language, with all the malicious binaries packaged within the executable. To update the packaged malicious binaries, all that is needed is to recompile the executable with an updated malware directory. This allows a new malware incident response challenge to be released in a timely manner.

I will be publicly releasing this tool at GFIRST, but before I do that I am looking for people interested in testing it out and helping flesh out current features. If you are interested in testing, please send me an email with the subject MALWARE ROULETTE.

- What is Malware Roulette?
  - Malware IR training app built in AutoIt
  - Easily updated
  - 3 challenge levels, over 12000 unique artifact combinations
  - Randomly generated directory for malware
  - Malware directory randomly placed in 7 system folders
  - 12 active malware samples
  - 12 non-destructive system changes
  - 12 unique network traffic behaviors