Wednesday, July 3, 2013

Windows 8 Thesis DRAFT


This has been a little over a year coming, while I have enjoyed everything I have learned on this topic I have until the end of the month to finish it up and submit it for graduation. Feedback on what I might be missing or things that I need to clarify would be great.

THESIS ABSTRACT

One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how digital forensic analysts can use current digital forensics tools and processes to recover and find hidden information. Microsoft has released its new operating system, Windows 8, and with this release Microsoft has added features to the operating system that present some interesting complications for digital forensics.

Since the initial release of the Windows 8 Release Candidates there has been some research released that focuses primarily on the new user-created artifacts and on a few artifacts added by the operating system that might contain valuable information. In this paper I will look at the new recovery options that have been introduced in Windows 8, and the impact they have on those artifacts.

The first thing that I plan to look at is the artifacts discovered by the research of Amanda Thomson. Once I have analyzed these artifacts and verified their locations on disk, I will create a baseline dataset against which to compare the impact of the recovery options on these artifacts. I will also include artifacts of new features that I have researched in this baseline.

The second thing that I will look at is how the various recovery options impact the artifacts found on the operating system. This will be done by installing Windows 8 in a virtual machine environment, taking snapshots of a base image, and then using the various recovery methods. Once a recovery method has completed successfully I will take the virtual machine and mount it in FTK and EnCase for analysis.


The final thing that I will include in this paper is a detailed walkthrough of where the artifacts will reside on the machine after a recovery option has been completed. I will examine the locations on a live machine as well as on a forensic copy. I will show which artifacts are easily recoverable, which artifacts take a little time to recover, and which artifacts will not be recoverable.
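The baseline comparison the abstract describes (hash the artifact locations on the clean image, run a recovery option, hash again, and classify each artifact as intact, modified, missing or new) can be scripted so that every snapshot is checked the same way. The example below is added here and is not part of the thesis or the post; it assumes a manifest format of one "<sha256>  <relative path>" line per artifact, and the artifact paths, file contents and recovery outcome in the sample manifests are constructed placeholders, not real Windows 8 artifact locations or measured results.

```python
import hashlib
import os
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Walk a mounted image (or any directory tree) and SHA-256 every file.

    Paths are stored relative to root, so a baseline image and a
    post-recovery image mounted at different drive letters or mount
    points still line up when compared.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the assumed '<sha256>  <relative path>' line format into a dict."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path] = digest.lower()
    return manifest


def compare_manifests(baseline: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every baseline artifact by what the recovery option did to it."""
    result: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": [], "new": []}
    for path, digest in baseline.items():
        if path not in after:
            result["missing"].append(path)       # artifact no longer on disk
        elif after[path] == digest:
            result["intact"].append(path)        # same content, survived recovery
        else:
            result["modified"].append(path)      # present but rewritten
    result["new"] = [p for p in after if p not in baseline]  # left behind by the recovery itself
    for bucket in result.values():
        bucket.sort()
    return result


def _d(content: str) -> str:
    """Digest of a constructed file body; only used to build the sample manifests."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed sample manifests: placeholder paths and contents, and an invented
# outcome for one recovery run, standing in for real baseline/post-recovery hashes.
BASELINE_MANIFEST = "\n".join([
    f"{_d('history v1')}  Users/demo/AppData/Local/ExampleApp/history.db",
    f"{_d('prefetch v1')}  Windows/Prefetch/EXAMPLE.EXE-12345678.pf",
    f"{_d('log v1')}  Windows/System32/winevt/Logs/Example.evtx",
    f"{_d('doc v1')}  Users/demo/Documents/notes.txt",
])
AFTER_RECOVERY_MANIFEST = "\n".join([
    f"{_d('history v1')}  Users/demo/AppData/Local/ExampleApp/history.db",  # untouched
    f"{_d('log v2')}  Windows/System32/winevt/Logs/Example.evtx",           # rewritten
    f"{_d('doc v1')}  Users/demo/Documents/notes.txt",                      # untouched
    f"{_d('setup')}  Windows/Panther/setupact.log",                          # created by the run
])


def demo_comparison() -> Dict[str, List[str]]:
    """Run the comparison on the constructed manifests."""
    return compare_manifests(parse_manifest(BASELINE_MANIFEST),
                             parse_manifest(AFTER_RECOVERY_MANIFEST))


if __name__ == "__main__":
    for bucket, paths in demo_comparison().items():
        print(f"{bucket:9s} {len(paths)}")
        for p in paths:
            print(f"          {p}")
```

On a real run, build_manifest() would be pointed at the mounted baseline snapshot and at each mounted post-recovery snapshot in turn, and the "missing" and "modified" buckets are the candidates for the deeper carving or slack-space analysis the abstract refers to.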

My Thesis

Wednesday, April 17, 2013

Malware Roulette


When I started my move into malware incident response my training options entailed third-party training, on-the-job learning, or using a piece of malware from a trusted source. I was limited to what I could afford, what I encountered through my work, or malware I already knew. While these are all valid options, I wanted more.

I was impressed by the different DFIR challenges that were available online, but quickly noticed the limitations that were imposed on these. You were working with the artifacts and clues that the creator felt were important. While this helped baseline where you should focus your attention, it never gave the responder the ability to determine for themselves where they should look.

I wanted to take this to the next level and see what it would take to create a malware challenge that a wide range of analysts could use and learn from. This solution needed to be robust, modular, and somewhat random so it could be used more than once.

With that I am proud to announce the release of Malware Roulette. This application allows analysts to build and test their malware incident response skill set without knowing the actual malware being installed. This application can also create other random artifacts that would be considered false positives, as well as unrelated but potentially malicious network behavior. In total, at the most challenging level there are over 12000 unique artifact combinations that could be discovered on a machine.

Malware Roulette is written in the AutoIt scripting language, with all the malicious binaries packaged within the executable. To update the packaged malicious binaries all that is needed is to recompile the executable with an updated malware directory. This allows a new malware incident response challenge to be released in a timely manner.

I will be publicly releasing this tool at GFIRST, but before I do that I am looking for people interested in testing it out and helping flesh out the current features. If you are interested in testing, please send me an email with the subject MALWARE ROULETTE.

- What is Malware Roulette?
  - Malware IR training app built in AutoIt
  - Easily updated
  - 3 challenge levels, over 12000 unique artifact combinations
  - Randomly generated directory for malware
  - Malware directory randomly placed in one of 7 system folders
  - 12 active malware samples
  - 12 non-destructive system changes
  - 12 unique network traffic behaviors

Sunday, April 7, 2013

BSIDESIOWA 2.0.13 Recap


BSidesIowa 2.0.13
Conference in Review

When I started to write this post I wasn't sure what I wanted to say, how I wanted to take this conversation, and what I wanted to share. BSidesIowa 2.0.13 has been one of the more interesting and chaotic events I have had the opportunity to be involved with.

I should have realized after the rainbows and unicorns that surrounded the first BSidesIowa that I shouldn't expect the second BSidesIowa to be as easy. The first event was in Ames, with a great budget and some good speakers. As fate would have it, the second BSidesIowa was a high-stress, chaotic organizational cluster.

With this being my last year of my Master's, and BSidesIowa happening in my final semester, I wasn't sure what my organizational capacity would be. I went to find help. Phil Polstra, a professor at the University of Dubuque, stepped up and said he would help, and that UD could possibly host it. After a few more discussions we had a date, a facility and a few student volunteers. Things were starting to run smoothly until right around the first of the year. At that time Phil started to pick up more responsibilities at work and I was preparing for relocation to Chicago. Luckily Phil was able to get help from Kayla Sieverding, a student at UD. There was honestly a time when we discussed whether we could pull it off at all.

As the event continued to progress we had a lot of far-reaching stretch goals for what I wanted to provide at BSidesIowa; looking back, I might have been a little too aggressive in what I wanted. We started to see some great talks coming in, we had confirmation for some incredible training, and we had some great door prizes. Around the 1st of March the realization kicked in that we had no financial sponsorship... With less than 5 weeks before the event we started to look at options to reduce costs and what we could cut. Over the next few weeks we had a couple of sponsors step up and offer some support. Thank you SANS for covering the networking party, and to the donors who wish to remain behind the scenes: thank you, your generosity helped us pull it off.

The day of the event was a cloudy weekend, 60F, but still a gorgeous day; although there was some rain in the morning, it turned out to be a pretty nice day. The talks were amazing, the training classes were incredible, and the shirts were cool.

So let us look at some data:

Event | Budget | Shirts | Training | Tracks/Talks | Lockpick Village | # Registered | # Checked in | Attendee %
2012  | 3000   | Yes    | no       | 1/7          | no               | 130          | 70           | 53%
2013  | 1550   | Yes    | Yes      | 2/14         | Yes              | 175          | 203          | 116%

Yes, you read that right. We had less budget, we offered more, and we had almost 3x the attendees. These numbers don't show the whole story. Of the 175 who were registered, 25 were for the lockpick village and the rest were for the conference itself. I personally know multiple individuals who were registered but unable to attend the conference. So looking at the numbers, we actually had 17+% of our attendees as last-minute walk-ins.

Given the overall comments from the attendees and the data above, I feel that this event has been extremely successful. While I would love to see the same growth rate next year, I am ok with keeping the same size and continuing to focus on the quality of our presentations and training for our attendees.

The Future of BSidesIowa Conferences:

So what does all this mean for BSidesIowa?

With 3x growth in attendees over last year, we will continue; the local attendee support for this conference is incredible.

We will be back next year. In all likelihood that will put us in the Davenport, Iowa area, although there is interest in holding this event in western Iowa.

Sponsorship:

We need to learn to engage potential local sponsors and look outside the usual information security companies. Local sponsors should understand the value that we bring to the community and to their organization in training, speakers and networking opportunities.

We need to engage potential national sponsors and change the preconceived notion that Iowa is just farm country. We need to show them that there is incredible talent, training and potential clients in the area that could potentially use their products.

We need to re-evaluate what we want in sponsorship and our sponsorship packages. Yes, I aimed high and wanted to grow big and fast; I was humbled this year.

We need to open a dialogue with those sponsors that declined us this year and figure out what we need to change, what they want for their sponsorship, and what we are comfortable giving them.

Location:
We have been lucky with college campuses donating space. As we grow and want to add more, we are going to need to make sure that the space can handle us.

For workshops we need to make sure that we have the infrastructure in place to handle everything. While there were some issues, we were still successful.

Speakers:
We have an incredible selection of speakers in the Midwest, and the range of topics was incredible. If I can have a similar lineup every year I will be happy.

We would like to help strengthen the Mentor track to give new speakers the encouragement and resources to grow.

Topics:
I have always known what I wanted to see the BSidesIowa brand grow into, yet it took talking to one of the Metasploit trainers to actually make it click. We have hacker cons and we have DFIR cons, but we have very few, if any, cons whose primary purpose is to cater to both tracks and provide cross-training. Alissa Torres brought up at the 2012 SANS DFIR Conference that DFIR professionals need to get out of our lanes and learn what the Red Team is doing. I would love to see BSidesIowa grow into that type of community-driven conference.

I would also like to see talks showcasing research from local professionals and students, showing the talent that we have in Iowa and the Midwest. We had some great talks this year that helped with that.

Workshops:
These went off incredibly well; the attendees all loved them. They helped make the conference this year. I want more next year.

If we are able to promote the Red Team/Blue Team tracks I would love to have 2 training sessions for each track, giving each specialization the ability to learn from the other.

We will invite TOOOL back; this time we will plan a little further in advance and hopefully not have any shipping issues.

Are you interested in organizing a 4-hour or even longer training session?

Closing:
This was one of the best events that I have ever had the privilege of working on; the support we received from the community, sponsors and trainers is humbling. The fact that our trainers and the Lockpick Village leaders, Ryan (Metasploit), Heather (Metasploit), Hal (Linux Forensics) and Dave (Lockpick), came to Dubuque at their own expense and offered incredible training for free to our attendees is awesome.

I was also impressed that my daughter attended her first infosec conference and survived the entry-level Metasploit class, considering her first experience with Linux was 2 days before the conference. Heather, thank you; she still talks about what she learned.

We are going to need to start working on next year, planning and organizing. Who wants to help?
Patories@gmail.com

Ken