Sunday, December 4, 2011

Windows 8 Forensic Overview

**** Update 03/21/2012 ****
This is being revised and updated for SANS DFIR Summit in Austin.
Some Artifacts in the Developer Version are no longer found in the Consumer Version

My Code to save 10% is PrincipalGroup10

Write up of System Refresh can be found here: http://randomthoughtsofforensics.blogspot.com/2012/05/windows-8-refresh-excerpt.html
*************************


I finally submitted my term paper for my Forensics class. While there is something to be said for waiting until the last minute, my problem was that as I delved into the four points I wanted to cover, I found Windows 8 exhibiting some interesting behavior. I also noticed that some of the things I thought would change did not.


I will be making my paper available for download soon, but I need to clean up a few things first, and will let you know when you can grab it. Meanwhile, here are a few things that I want to pass on.

When I initially started this paper and took a dive into the Windows Registry, I was at a loss as to what to look for. I posted questions on Twitter and got some guidance on where to look. Eventually I stumbled across the registry key called TypedURLsTime; trying to decipher the value contained in the data field, I posted the information I was looking at to Twitter. Harlan Carvey explained that this data is FILETIME data. I came to rely on the experience of Harlan and others as I asked questions, and I am grateful for their experience and willingness to answer my questions and be patient with me. Harlan went as far as sending me a copy of his Windows Registry Forensics book, which is an incredible resource for anyone interested in looking at and understanding the registry.

Building off what I learned from Harlan's book Windows Registry Forensics, I was able to confirm that the primary registry hives (SAM, System, Security, Software, NTUser and UsrClass) are all retained within Windows 8. I returned to the registry keys TypedURLs and TypedURLsTime and did some more digging around. The keys are shown below for reference; as you can see, URL10 is in both locations, one showing the location visited and the other the FILETIME at which it was accessed.



Through some more analysis of the registry I came across the following keys, which appear to be related to the Immersive Browser that Microsoft is pushing in Windows 8. I attempted to test the typedurls-immersive-browser key, but this feature was not accessible in this build.




While listening to Wade Wegner's presentation at the 2011 Build conference, I heard Microsoft tout the ability for applications and users to save data to the cloud. With the option of using your Windows Live ID as your user name to facilitate this, I decided to look a little more into it. I found the following while digging into the directory structure of a Live user:

C:\Users\USERID\AppData\Local\Microsoft\Windows\Live\Roaming\2d5b1639895c2556\CloudSync


Within this directory there were numerous files of the SDF file type; some of the files are named the same as the immersive browser keys in the previous images. I decided to look further into the registry to see if I could find any reference to the CloudSync option, and I came across the following:




It appears that the Immersive Browser and CloudSync registry keys will need to be analyzed further. I am planning on looking into them more over the next few weeks and will update the blog with the information.

When I was typing out this blog I was going to delve deeper into Jump Lists, but they appear to be similar to Windows 7, and I felt that my research could be put to better use elsewhere. It does not appear that Metro applications keep a jump list; instead they keep their information in the respective program folder within AppData. I noticed this behavior while using the PicStream Metro app. Digging into the file path I found the following folder structure:



Within each of those subdirectories there was a regular file and file slack for each image I viewed through the PicStream application. Further research should define the naming convention of the INetCache subdirectories.

Within the Windows 8 operating system, Microsoft has introduced File History backup, which changes the way that backups were previously used. In previous versions of Windows, backups could only be maintained and restored using the default system. Within Windows 8 this solution is more robust and allows backups to be stored both on removable media and on remote network shares. By default this will back up folders such as Music, Documents, Videos, Contacts and Favorites.

There are a few artifacts that are established when File History is turned on; these include the File History folder, a registry value, and Windows events. The File History folder can be found at C:\Users\USERID\AppData\Local\Microsoft\Windows\FileHistory; within this folder there is a Configuration folder and a Data folder. The Data folder is a temporary staging directory for the files that are to be backed up. The Configuration folder contains at least 2 files: an EDB file named Catalog#.edb and an XML file named Config#. These files are created both locally and on the drive being used as backup. As of this writing I have not been able to explore the EDB file. The Config file, on the other hand, offers the following information:




If the File History option has been turned on there is also a registry key that is created; this key is only found for users that have turned on this feature. The registry key can be found at:
HKU\Software\Microsoft\Windows\CurrentVersion\FileHistory 


Within this key there is a value named ProtectedUpToTime that shows the last time this process backed up the files. This value can be deciphered as a 64 Bit Hex Value - Big Endian; the DCode application can handle this.
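Both TypedURLsTime (discussed earlier) and ProtectedUpToTime hold Windows FILETIME values: a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC. The following Python helper is an added example, not code from the original post or from DCode; it decodes such values whether you have the raw 8-byte REG_BINARY data (stored little-endian in the hive) or a hex string copied from a viewer, so the byte order is passed explicitly rather than assumed. The sample values are constructed; the Unix epoch (1970-01-01) is used because its FILETIME equivalent is well known and easy to check.

```python
# Added example (not from the original post): decoding Windows FILETIME values such
# as TypedURLsTime and FileHistory\ProtectedUpToTime into UTC timestamps.
# FILETIME = number of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an unsigned 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # Integer division keeps precision; timedelta works in microseconds (10 ticks each).
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, done with integer arithmetic to avoid float rounding."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def decode_reg_binary(raw: bytes, byteorder: str = "little") -> datetime:
    """Decode the 8 raw bytes of a REG_BINARY / REG_QWORD FILETIME value.

    Registry hives store the value little-endian; pass byteorder="big" when the
    bytes have already been reordered (e.g. copied as a big-endian hex string).
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return filetime_to_datetime(int.from_bytes(raw, byteorder))


def decode_hex_string(hex_text: str, byteorder: str = "little") -> datetime:
    """Decode a hex dump as shown by a registry viewer, e.g. '00 80 3E D5 DE B1 9D 01'."""
    cleaned = hex_text.strip().lower().removeprefix("0x").replace(" ", "")
    return decode_reg_binary(bytes.fromhex(cleaned), byteorder)


if __name__ == "__main__":
    # Constructed sample: the Unix epoch as it would appear in a hive (little-endian).
    sample_dump = "00 80 3E D5 DE B1 9D 01"
    print(decode_hex_string(sample_dump))                      # 1970-01-01 00:00:00+00:00
    print(decode_hex_string("019DB1DED53E8000", "big"))       # same instant, big-endian text
    print(hex(datetime_to_filetime(datetime(2011, 12, 4, tzinfo=timezone.utc))))
```

The usual pitfall is byte order: the same eight bytes read the wrong way round produce a date centuries off, so when a decoded timestamp is implausible for the system under examination, try the other order before concluding the value is corrupt.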





There is also another area in the HKLM registry that may provide more information and keys of importance. This is FHSVC, the File History Service, which can be found here:
HKLM\System\Controlset001\Services\fhsvc. 

Keys in the FHSVC folder













Keys in the Config files








Another area worth looking at when gathering File History information is the System event logs. The following event sources provide auditing information related to File History:
  • FileHistory-Catalog
  • FileHistory-ConfigManager
  • FileHistory-Core
  • FileHistory-Engine
  • FileHistory-EventListener
  • FileHistory-Service
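
As an added example (not code from the original post), the Python below shows how those six sources can be pulled out of exported Windows event records by provider name. The records are constructed samples in the standard Windows event XML layout; their event IDs, timestamps, computer name and messages are made up for illustration, and the assumption that a provider name carries the source name (possibly with a vendor prefix) is marked in the code.

```python
# Added example (not from the original post): selecting File History events from
# Windows event XML by provider. Sample records are CONSTRUCTED for illustration.
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"  # real event XML namespace
EVT_NS = {"e": NS_URI}
FILE_HISTORY_SOURCES = (
    "FileHistory-Catalog", "FileHistory-ConfigManager", "FileHistory-Core",
    "FileHistory-Engine", "FileHistory-EventListener", "FileHistory-Service",
)


def _record(provider, event_id, when, message):
    """Build one constructed event record in Windows event XML form."""
    return (
        f'<Event xmlns="{NS_URI}"><System>'
        f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Computer>WIN8-LAB</Computer>'
        f'</System><EventData><Data Name="Message">{message}</Data></EventData></Event>'
    )


# Constructed sample log: File History activity interleaved with unrelated noise.
SAMPLE_RECORDS = [
    _record("Microsoft-Windows-Kernel-General", 12, "2011-12-04T14:58:02Z", "boot"),
    _record("FileHistory-Service", 200, "2011-12-04T15:02:11Z", "service started"),
    _record("FileHistory-ConfigManager", 300, "2011-12-04T15:02:12Z", "configuration loaded"),
    _record("FileHistory-Engine", 400, "2011-12-04T15:09:40Z", "backup cycle completed"),
    _record("Microsoft-Windows-Kernel-Power", 42, "2011-12-04T15:30:00Z", "sleep"),
]


def is_file_history_source(provider: str) -> bool:
    """Assumption: the source name appears as, or as the tail of, the Provider Name."""
    return any(provider == s or provider.endswith("-" + s) for s in FILE_HISTORY_SOURCES)


def parse_event(xml_text: str) -> dict:
    """Extract provider, event id, time, computer and message from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    data = root.find("e:EventData/e:Data", EVT_NS)
    return {
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        "computer": system.find("e:Computer", EVT_NS).text,
        "message": data.text if data is not None else "",
    }


def file_history_events(records) -> list:
    """Return only File History events, ordered by creation time."""
    parsed = (parse_event(r) for r in records)
    hits = [e for e in parsed if is_file_history_source(e["provider"])]
    return sorted(hits, key=lambda e: e["time"])


def count_by_source(events) -> dict:
    """Tally events per source; a quick way to see which components were active."""
    counts = {}
    for e in events:
        counts[e["provider"]] = counts.get(e["provider"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in file_history_events(SAMPLE_RECORDS):
        print(e["time"], e["provider"], e["event_id"], e["message"])
    print(count_by_source(file_history_events(SAMPLE_RECORDS)))
```

On a live system the same filter is expressed with Get-WinEvent and a ProviderName match; the value of doing it over exported XML is that the records can be processed offline from an image together with the ProtectedUpToTime value and the Configuration folder timestamps.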
The final features of Windows 8 that I am going to cover in this blog are the Refresh and Recovery options. The Recovery feature brings Windows back to a factory state, similar to re-installing the operating system. The Refresh feature acts like a restore point, but will clean everything needed for the OS to run, leaving individual files and applications from the Microsoft Store untouched while deleting any other third-party application.

When looking at a refreshed image of the Windows operating system within AccessData FTK Imager, there are three items that are quickly noticed: two partitions and an unpartitioned space.





Partition 1 is a 350MB partition that contains the information needed to boot the operating system. There are a few interesting files in this partition that can provide more clues about what has happened with the operating system and whether the device has been recovered or refreshed. When comparing this partition between machines that have had the refresh/recover option run against them and those that have not, we can see some differences in files.























The screenshot on the left is from a machine that has not been refreshed or restored, while the one on the right has been refreshed. From my analysis of this partition, a recovered machine will have more unallocated space. On all images there is a folder called Recovery in the System32 folder; within this directory there is a file called ReAgent.xml, which is used to recover or refresh.

On a refreshed/recovered machine there is a new folder named Log under the Recovery folder. In that folder is a file called Reload.xml. Reload.xml is an updated ReAgent.xml file; it will also have a different timestamp from ReAgent.xml. This folder and file give a good indication of whether the machine has been refreshed or restored. Out of the 24 lines in these XML files, the only line that differs is:

For a non-refreshed or non-recovered system, the state and status would both be 0.

Partition 2 is the main system partition, mapped to the C: drive. This partition also lets us know whether the machine was refreshed or restored. A restored machine will have a lot of unallocated space of various sizes that can still be data carved. The directories and files shown on a restored and a non-restored machine will be similar, but on a refreshed machine there will be two new directories that contain data. These folders are $SysReset and Windows.old, as can be seen below.





Within these folders we can still access the previous data that was on the drive; this data remains in its file structure under the Windows.old folder. Within $SysReset there are two directories that contain what appears to be potentially useful information. Within the Logs folder there are three files that will provide usable data: SystemResetPlatform.log and setupact.log provide details of what was changed, and MigLog.xml contains the users that were retained and their current mappings. This can be beneficial if a user account is deleted after a reset. There are two files located in Framework/Migration/Preserve that may also provide evidence at a later date; they seem to deal with the Microsoft Store, and since this feature is currently not available I am unable to investigate.
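The Refresh/Recovery indicators from the last few paragraphs (Reload.xml under Recovery\Log, the $SysReset and Windows.old folders, the three $SysReset\Logs files, and the single differing line between ReAgent.xml and Reload.xml) lend themselves to a small triage routine run against the root of a mounted or exported system volume. The script below is an added example, not code from the original post. Because the post does not reproduce the 24-line XML files, the sample ReAgent.xml and Reload.xml contents are constructed stand-ins with a hypothetical element name; only the state/status attributes, and the 0/0 values for an untouched system, follow the post.

```python
# Added example (not from the original post): triage of Windows 8 Refresh/Recovery
# indicators on a system volume. Paths follow the post; the XML samples are
# CONSTRUCTED stand-ins with a hypothetical element name.
from itertools import zip_longest
from pathlib import Path
import tempfile

REAGENT_XML = Path("Windows/System32/Recovery/ReAgent.xml")
RELOAD_XML = Path("Windows/System32/Recovery/Log/Reload.xml")
SYSRESET_LOGS = ("SystemResetPlatform.log", "setupact.log", "MigLog.xml")

SAMPLE_REAGENT = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<RecoveryConfig>\n"                      # hypothetical element names
    '  <ResetState state="0" status="0"/>\n'   # 0/0: never refreshed or recovered
    "</RecoveryConfig>\n"
)
# Reload.xml on a refreshed box: identical except for the state/status line
# (the non-zero values here are placeholders, not values observed by the post).
SAMPLE_RELOAD = SAMPLE_REAGENT.replace('state="0" status="0"', 'state="2" status="1"')


def diff_lines(left: str, right: str) -> list:
    """Line-by-line comparison; returns (line_no, left_line, right_line) per difference."""
    diffs = []
    for line_no, (a, b) in enumerate(zip_longest(left.splitlines(), right.splitlines()), 1):
        if a != b:
            diffs.append((line_no, a, b))
    return diffs


def refresh_indicators(volume_root) -> dict:
    """Collect the on-disk indicators the post ties to a Refresh or a Recovery."""
    root = Path(volume_root)
    reagent, reload_ = root / REAGENT_XML, root / RELOAD_XML
    logs_dir = root / "$SysReset" / "Logs"
    result = {
        "reload_xml_present": reload_.is_file(),               # refreshed or recovered
        "sysreset_present": (root / "$SysReset").is_dir(),     # refreshed
        "windows_old_present": (root / "Windows.old").is_dir(),  # refreshed
        "sysreset_logs": [n for n in SYSRESET_LOGS if (logs_dir / n).is_file()],
        "xml_changes": [],
    }
    if reagent.is_file() and reload_.is_file():
        result["xml_changes"] = diff_lines(reagent.read_text(), reload_.read_text())
    result["refreshed_or_recovered"] = result["reload_xml_present"]
    result["refreshed"] = result["sysreset_present"] or result["windows_old_present"]
    return result


def build_sample_volume(root, refreshed: bool) -> Path:
    """Lay out a constructed volume tree so the triage can be exercised offline."""
    root = Path(root)
    (root / REAGENT_XML).parent.mkdir(parents=True, exist_ok=True)
    (root / REAGENT_XML).write_text(SAMPLE_REAGENT)
    if refreshed:
        (root / RELOAD_XML).parent.mkdir(parents=True, exist_ok=True)
        (root / RELOAD_XML).write_text(SAMPLE_RELOAD)
        logs_dir = root / "$SysReset" / "Logs"
        logs_dir.mkdir(parents=True)
        for name in SYSRESET_LOGS:
            (logs_dir / name).write_text("constructed placeholder log\n")
        (root / "$SysReset" / "Framework" / "Migration" / "Preserve").mkdir(parents=True)
        (root / "Windows.old" / "Users").mkdir(parents=True)
    return root


def demo() -> dict:
    """Run the triage on a clean and a refreshed sample volume."""
    out = {}
    for label, refreshed in (("clean", False), ("refreshed", True)):
        with tempfile.TemporaryDirectory() as tmp:
            out[label] = refresh_indicators(build_sample_volume(tmp, refreshed))
    return out


if __name__ == "__main__":
    for label, ind in demo().items():
        print(label, {k: v for k, v in ind.items() if k != "xml_changes"})
        for line_no, a, b in ind["xml_changes"]:
            print(f"  line {line_no}: {a.strip()!r} -> {b.strip()!r}")
```

Point refresh_indicators at the mounted volume (for example the root of an FTK Imager export of Partition 2) instead of the sample tree; the XML diff then reports the actual differing line, and the Windows.old tree can be walked for the pre-refresh user data the post describes.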


Over the next few months I will research more artifacts that might be left behind in Windows 8, and the behaviors that the new operating system brings with it. As more features are unlocked there is potential for more locations that must be analyzed to find the big picture.

Monday, November 21, 2011

Why Des Moines for InfoSec


About two weeks ago I started posting that my company was looking to fill a new position on my team. Since I feel this is a great opportunity for anyone interested in a challenge, and it means that my team can hopefully get an incredible team member, I thought I would promote the good things about the Des Moines, Iowa area and working for Principal Financial Group.

The job posting can be found here.

Why Des Moines?

I moved to the Des Moines area about 5 years ago from the Middle Tennessee area, where I had lived for about 5 years; previous to that I had moved from almost 8 years of living in the KC area to central Iowa. I always liked the laid back atmosphere of Central Iowa, but coming from KC I missed the excitement and opportunities that a larger city has to offer. When we moved back to the Midwest from Tennessee, we were aiming for Kansas City, but I landed my first real IT job in Des Moines, so we put down roots.

While it has taken me time to realize how much I actually love the area, the potential it offers for a family, and the possibility of building a solid infosec career here, it has grown on me. One of the biggest hurdles I have been forced to overcome is that this will NEVER be like Kansas City, Chicago or Nashville, and I am finally OK with that. What Des Moines has instead is the ability to become an incredible technology city for its size and location.

There are a lot of options available to a family moving to the Des Moines area to keep them entertained and engaged without the feeling of always being in a rush to get somewhere. Des Moines has an incredible farmers market, full of produce and goods from local merchants. This is home to numerous sports teams that feed into various professional clubs, such as the Chicago Cubs, Chicago Bulls, and Phoenix Suns. We also have Arena Football, Soccer and Hockey teams. We also have college teams in the Big 12, and the Big 10 nearby, including the team that gave Oklahoma State their first loss in 2011. There are two major lakes nearby, Saylorville and Gray’s Lake, that offer fishing, boating, trails and numerous other aquatic events. Des Moines is also home to the Science Center of Iowa with an IMAX Dome Theatre, the Botanical Center, Living History Farms, and Adventureland Amusement Park. There is always something to do with two kids, or just a romantic night getaway.

Live music in Des Moines ranges from small settings, outdoor festivals, to large arenas. We have a wide mixture of talent come through here every year; George Strait, Bob Seger, ACDC, Reba, Mercy Me, Wilco, David Allan Coe, Staind, Tech N9ne, Queensryche, Big Sean, Primus, Janet Jackson and many others. For festivals we have 80/35 Music Fest, LazerFest plus the State Fair Lineup.
Cost of living in the area has remained lower than Kansas City, Nashville and even the coastal cities. For example, I just filled up with mid-tier fuel at $3.02/gallon, and milk is running about $3.10/gal for 2%. Movie tickets are about $7/adult, large popcorn is $4.50, pop is $4.00.

For me, my career in infosec is tied to my passion for digital forensics, incident response, and malware analysis. I realize as of right now that this is going to be difficult, but not completely out of the question. To start with we have Iowa State University, which offers the Information Assurance Center, one of the original 7 NSA certified centers of academic excellence in information assurance; they also host the IT Olympics, which is a CDC event for high school kids, and support the local community college CDC competitions. DMACC offers the Electronic Crime Institute, which is a two year program for infosec that specializes in digital forensics.

Des Moines is also home to multiple global companies: The Principal Financial Group, Wells Fargo, Nationwide, GuideOne, ING and many others. We have the largest percentage of employment in Financial Activities; yes, we have a smaller population, but we also have A LOT of financial companies. Since we are an agriculture state we also have a booming bioscience industry that needs protection. There are plenty of Federal Government jobs in the area, such as the USDA Labs in Ames and the Iowa Forensic Labs in Ankeny, and there is an FBI Fusion Center in Des Moines. We also have Silicon Prairie, which helps showcase the technology startups that are forming out of the area known as Silicon 6th, not to mention the Technology and Research Incubators in the area.

With a robust information security industry needed in the area, I am surprised that an established company has not chosen to open a location here. I can think of a half dozen that, based on their philosophy, vertical markets, and professionalism, would make a great addition to the financial and agribusiness sector in central Iowa. We also have the talent capable of supporting the development of a solid Forensics and Incident Response company in the area.

Of course there are some drawbacks when it comes to infosec. With the proximity of Kansas City, Chicago, and Minneapolis/St. Paul we are overlooked by some of the cool conferences and events; I would love to see a SANS or a GFIRST conference make a stop here, but I do not see that happening. Technology user groups are available, but attendance and support vary from meeting to meeting. I am in the process of working to remedy this: I have started to establish BSidesIowa for 2012, and am looking at options to get more InfoSec traffic to come this way. I can’t do it alone, but if I do not attempt to start the fire it might not happen. We also are in the process of starting a hackerspace.

We also are not going to have everything a larger city has, but we are close enough that a weekend road trip is not out of the question. We have an international Airport that can get employees out to the coast quickly if needed. 

Don’t take my word for it, here are some other reviews of the place:

Why Should I work at Principal?

I have worked a wide range of careers and companies since I graduated from High School. These have ranged from digging trenches and laying drainage tiles, manager of arcades, lighting and sound production for a theatre in Nashville, to my current path of an Info Sec specialist. I have worked with enough companies to see the good and the bad, and what I expect as an employee.

When I started at Principal it was before the housing market bubble crash, financial bailout and increased unemployment. Principal tries very hard to be transparent with its employees, making sure we understand the motivators of Senior Management and the decisions that impact the employees. They might not always make the easiest choices, and people will complain, but I feel that overall the management team here does an outstanding job.

When I first started at Principal, we had perks such as Free Drinks Monday, Family Fun Packs, Christmas Gifts and a few other minor ones that have been phased out due to the economy. Out of everything that we have lost I think I miss the Family Fun Packs the most. These packs gave employees options for doing something with their family; this could be tickets to the State Fair, Adventureland Amusement Park, an Iowa Cubs game, a show at the Civic Center, or a few other options.

Looking back at some of the quarterly department meetings and yearly reports, it appears that Principal was anticipating the impact of a financial crisis and worked to shore up its investments to minimize the impact of the fallout. We still lost a few employees due to layoffs, but there were other levers that were pulled to maintain a solid workforce without severely impacting the employees. We all gained more responsibilities, streamlined processes and hunkered down.

For the last two years Principal has taken steps to bring back perks to the employees, reward us for our sacrifices, and actually listen and act on our yearly employee opinion surveys. The management team usually looks at 2 or 3 pain points identified in these surveys and works on improving them over the next year. They also announce to employees what these pain points are and attempt to solicit ideas to improve them. Principal is also big on personal development, but how much external development you might be able to receive really depends on how important development is to your direct leader. Usually in late spring or early summer Principal hosts Development Weeks where they bring both external and internal speakers in to help develop the employees. Topics cover time management, stress mitigation, talks with Senior Management, and a myriad of other topics that change year to year.

For external development, Principal offers tuition reimbursement, and in the case of my team we try to send one or two people out for major training (SANS, EC-Council, Linux) every year. I was given time off last year to attend GFIRST, and utilized training for my attendance at BSIDESKC. My leader is also very accommodating with my hectic class schedule.

My Team
For lack of a better word, we are awesome.

In reality this is a team that has been through a lot of development, setbacks and growth in the last 3 years. This is the strongest I have seen us as a team, and I know that we will only get stronger.
The team that I am on is a great group of guys; we have a myriad of talents and skill sets that we bring to the table, and we have finally started to get into a good working groove since we acquired a new leader about 2 years ago. His being very technical and knowledgeable about the threats and risks we are facing has given us more visibility to the CISO and upper management, allowed a more security-focused direction when dealing with the business units, and gotten our team the training we need. He has allowed us to excel and take risks, knowing that he supports us in our choices. Of course he also expects us to have researched and tested the options before us before we make a choice and run with it. The team is made up of fathers, farmers, firefighters, recent college graduates, hackers, defenders, technical gurus, soon to be empty nesters, beer snobs, and many other traits that have meshed very well.

Don’t take my word for the company; here is what others are saying:

As you can see, Des Moines and The Principal offer a great opportunity for those willing to relocate and take a chance. It might take a little bit to get used to the laid back atmosphere and incredible corn fed beef, pork, and turkey, or the incredible hunting for deer, duck and geese in the area. Given time this area will grow on you; you will learn to love the laid back atmosphere, the wonderful opportunities, and the ability to experience all 4 seasons... sometimes those seasons all might hit within the same 48 hours...

If you have any questions feel free to ask. 

We have something for everyone; below is a list of what we offer, and that is just the tip of the iceberg.

  • Sporting options
    • Chicago Cubs Minor League Team
    • Iowa Energy (NBA Development League for Bulls and Suns)
    • Iowa Barnstormers (Arena Football)
    • Buccaneers (United States Hockey League)
    • Menace (Soccer Team)
    • Drake Relays (track and field)
    • Principal Charity Classic (golf)
    • Hy-Vee Triathlon (Olympic qualifier)
    • Des Moines Marathon
    • RAGBRAI - Cross State Bike Ride
    • Live Horse Racing
  • Culture
    • Civic Center of Greater Des Moines
    • Temple of Performing Arts
    • Des Moines Playhouse
    • Des Moines Metro Opera
    • Ballet Des Moines
    • Des Moines Symphony
    • Jazz in July
    • Wells Fargo Arena
    • Multiple smaller venues
    • Simon Estes Riverfront Amphitheater
    • Des Moines Art Center
    • Pappajohn Sculpture Park
  • Attractions
    • Des Moines Botanical Center
    • Science Center of Iowa
    • IMAX Dome
    • Blank Park Zoo
    • Great Ape Trust
    • Adventureland Park (Amusement/waterpark)
    • Living History Farms
  • Festivals and Events
    • Iowa State Fair
    • 80/35 Music Festival
    • World Food Festival
    • Farmers Market
  • Transportation
    • Enclosed Skywalks
      • Over 4 miles
      • one of the largest in the US
    • Crossroads of 2 Interstates 
      • I-80 (East/West Omaha-Chicago)
      • I-35 (North/South Kansas City-Minneapolis)
    • Public Bus System
    • Greyhound, Jefferson Lines, and MegaBus
    • Amtrak Station 40mi south
    • International Airport
  • Education
    • Main Campuses
      • Drake University
      • Grand View University
    • Other Facilities
      • Simpson College
      • William Penn
      • Upper Iowa
    • Other Institutions
      • Des Moines University
      • Iowa State University (Ames, IA)
      • University of Iowa (Iowa City, IA)
      • DMACC
  • Parks and Recreation
    • Principal Riverwalk
    • Brenton Skating Plaza (Outdoor Ice Skating by the river)
    • Gray's Lake (Massive lake near Downtown)
    • Jester Park (Horse Back Riding)
    • Saylorville Lake

Friday, November 18, 2011

My Perfect Forensic Curriculum


It was asked at Mid-terms what we thought of our Forensics Class, and what we would change. Digital Forensics is my passion, and I had A LOT of ideas. At the time I kept quiet because I was considering the question. I have decided to post this as a blog, to allow some discussion and communication on the topic.

This is the description of the class:
Fundamentals of computer and network forensics, forensic duplication and analysis, network surveillance, intrusion detection and response, incident response, anonymity and pseudonymity, privacy-protection techniques, cyber law, computer security policies and guidelines, court testimony and report writing, and case studies. Emphasis on hands-on experiments.

While the overall description sounds like a great class, in reality there is so much information being delivered that there is really no depth to what we learn. Keep in mind that this idea is a long term development; it will require funding and dedication to make it happen. I feel that if you want to be the best in the country providing this education, then you have to make the commitment to decimate the competition.


Intro to Forensics: (Undergrad)
Basically you want the students to leave this class with a solid understanding of the history of forensics, investigation process, and a well-rounded foundation for pursuing the investigation.


Windows Forensics: (Undergrad/grad)
Basically you take this book and spend 16 weeks going through it. Reinforce what they are learning in class with labs. In the first few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on. You teach the students the ins and outs of the Windows OS, the quirks, the pain points, and the tools to utilize.

Linux Forensics (Undergrad/Grad)
Basically you take this book and spend 16 weeks going through it. Reinforce what they are learning in class with labs. In the first few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on.


Mac Forensics (Undergrad/Grad)
Basically you take this book and spend 16 weeks going through it. Reinforce what they are learning in class with labs. In the first few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on.


Network Forensics (Grad)
This class is about finding an attacker's footprint on the network. Students will learn to analyze data from switches, IDS, NetFlow and packet captures. They will learn to find covert channels, carve logs and packet captures, and correlate traffic and artifacts to find the evidence.


Mobile Forensics (Grad)
This class will teach the student how to forensically investigate mobile devices. Students will learn the process of investigating and handling various mobile devices and the information that is stored within the various artifacts that can be recovered.


Advanced Forensics (Grad)
This class would delve deeper into forensic analysis, techniques used for anti-forensics, steganography, etc. It could also be used to define research goals for improving forensics capabilities and solutions.

This should give the student a dedicated and more complete understanding than just cramming everything into a single 16 week brain dump course. This also requires a facility and resources to accomplish this goal. You will need to recruit some of the Digital Forensics power players to refine and establish a solid baseline. You will need to have two or three professors who are dedicated to Forensics to teach and develop the curriculum and take the time to invest in training.

If this is done right, you can help fund the curriculum by utilizing the services of the program for the following:
  • Conducting Digital Forensics
  • Providing training for practitioners
  • Data recovery services
  • Technology transfer of tools researched and developed by the University


Thursday, November 10, 2011

Everything I know about InfoSec is reinforced in Modern Warfare 3


I picked up Modern Warfare 3 (MW3) the day it came out, one of the only first person shooters I play. While playing online against other gamers I realized a lot of the strategies and philosophies I use in my day job protecting the network from evil. These strategies are even more relevant when I am playing such game modes as Domination and Capture the Flag.

Rule 1 – Do not be afraid to utilize different tools to get the job done.
In MW3 you have plenty of equipment at your disposal; each piece provides different tools to get the job done, and excels at different strategies and requirements. With practice you are able to customize your favorite equipment to make it more robust and feature rich. In InfoSec we are taught to utilize some core tools to secure our network. As we gain more experience with the tools we learn the various capabilities that advanced users can comfortably access, as well as coming across new tools that provide a richer tool set to accomplish different needs in the tasks we are assigned.

Rule 2 – Your team is only as strong as your weakest link
In MW3 you might be the best player in the game, but you learn quickly that you cannot win the game by yourself; there are too many variables stacked against you. If you want to succeed in the team games you have to work together as a team, and you have to support your weakest link. Just like in InfoSec, you could be the rock star InfoSec guru in the company, but if you attempt to secure everything by yourself, you are going to lose. To protect the network you have to rely on your team and their strengths; those with known weaknesses need help to improve their skills, while their strengths are used to help secure the objectives.

Rule 3 – Maps are different, they have unique qualities, so does each network
In MW3 every map is slightly different and provides different quirks for the players to adapt to. Some maps are wide open with plenty of sight lines while others are packed tightly together, multiple choke points and limited sight lines. The same is true with the networks we are set to defend. Some networks are very distributed and allow everything to pass through; some are tightly controlled with multiple choke points to secure against attacks, while others are small, tightly packed with very limited sight lines to actually see what is travelling in them. Just like the maps in MW3 you must learn the quirks of your network if you want to win.

Rule 4 – You are pwned if you will not adapt to the environment or the attack
In MW3 the likelihood that you will encounter the same environment or attack twice is very low. You must be able to adapt to the strategies used against you in order to defend or attack the objectives if you want to win; otherwise you will end up losing. Just like in the InfoSec world, it is very unlikely that you will encounter the same attack vector or environmental variables for every attack. Your strategies must be able to adapt dynamically to these variables or you will be pwned.

Rule 5 – To survive you must be willing to continue learning
In MW3 it is true that the younger players have better hand eye coordination in playing these games, and they also usually have more time to play, but I have seen older players play very efficiently against them. In the InfoSec world we are constantly being forced to learn new skills, technologies and attack vectors. If we are not willing to continue to learn then we will quickly become obsolete and increase the risk to the network we are tasked to defend.

Rule 6 – It is ok to specialize in a role
In MW3 every player has a preferred play style; this can be the run and gun, kill everything that moves, or the camping sniper who is dropping targets with pinpoint efficiency. In the InfoSec world it is OK to specialize in a few areas and remove yourself from the generalist pool. Keep in mind that doing so runs the risk of closing some advancement doors, but it will allow you to concentrate on the technologies or threats that interest you the most. You can be the guru that specializes in pentesting and exploiting webapps, or you can be the guy that is the sniper forensicator* on your team that can pinpoint the data required. (*word taken from Chris Pogue, Sniper Forensics series)

Rule 7 – It is ok to admit when you have no clue what you are doing, and ask for help
In MW3 this is one of the hardest things I have seen; it is usually done by people not afraid of failure. When I first started playing first person shooters I was a spray and pray shooter. I mentioned in one game that I had no clue what I was doing, and some youngster took me to a closed match and walked me through some basic strategies. In InfoSec there is going to be a time when you realize that while you are interested in something, you have no clue what you are doing. You can muddle through the tasks and pray that you are doing it right, or you can ask for help and learn the skills necessary for success. Hopefully when you ask for help someone will be there to provide assistance.

Rule 8 – If you are not enjoying the action it’s time to change it or move on
In MW3 there will be a time when you are no longer enjoying the session. This can be because the team you are on is not cohesive and refuses to work as a team, or because the strategies involved just are not working. When this is the case it's time to find a different session, attempt to get the mentality changed, or leave for a few days. The same can be said of the InfoSec world. If you are not happy with your current situation you need to take stock of the environment and decide if it is something that you can change and want to change within the organization, if you would be happier in another job on another team, or if it has just been a rough few days and you need to take some time away to recharge. In the end a game or work should be something you enjoy more than you hate.

Rule 9 – Regardless how good you think you are, some hotshot punk will come in and pwn you.
In MW3 I keep finding out that I am not really as good as I thought I was compared to the other players in the game. I am a casual gamer, my k/d ratio is horrible, but I have fun and I try my best. I have learned that I am no match for the younger generation when it comes to these games. In the InfoSec world I have learned that there is always someone better than me out there. Someday some hotshot kid will come into my environment and show me up; I can either be angry and bent out of shape, or I can admit that they are better and learn from them.

Rule 10 – Sometimes you are going to just have a bad day, just don’t take it personally
In MW3 some days, regardless of how well you normally play, nothing will go right for you. You will be doing great if you actually have a positive k/d ratio. In the InfoSec world you will have those days too. You will do everything you can to keep things working and running smoothly, but something will come up and smack you around. It is going to be hard on those days to keep things in perspective, but if you don't you will get burnt out quicker and not enjoy your job. I have not met anyone in InfoSec who got into this field because they hate it, just like I have not met anyone online in MW3 who started playing because they hate it. If you are having an off day, take a few steps back, adapt to the issue and work to resolve it.
                
BTW before I forget again.. if you want to match up and help educate me.. XBOX gamer tag is Thrall Rasp

Tuesday, September 27, 2011

BSides Iowa, Where Else would you want to be?


What is BSides?
Each BSides is a community-driven framework for building events for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

What is BSidesIowa?
BSidesIowa is starting out to fill a gap in central Iowa for the technical knowledge sharing that seems to be lacking. While we have numerous user groups in the area, we do not seem to have a collective event for members to come together and share the knowledge that is represented in the area. Des Moines and central Iowa are home to numerous organizations that could benefit from this event. This area is home to multiple financial companies, DMACC and its High Tech Crime Program, Iowa State University, multiple IT security companies, State, Local and Federal government agencies, and numerous user groups. With all that potential, Central Iowa is still missing a cohesive event that brings professionals together.

How can you help BSidesIowa?
We are looking for sponsors willing to assist in getting this event off the ground. With the belief that the event should be free for participants, we need corporate sponsors willing to help offset some of the cost required to run and organize this event. We are specifically looking for help with the following:
  • Facility Rental (we need a space that can hold 70+)
  • Audio/Video Equipment Rental (Projector, Screen, Microphone)
  • Printing Needs (Speaker Handouts, programs, signage and other as needed)
  • Event Catering (Breakfast, Lunch and Snacks)
  • Event Recording (Would like to record the talks for those unable to make it)
  • T-Shirts (to promote the event, optional)
  • Post Event Catering (Supper, optional. Would allow the discussion to continue)


What benefit do you get for being a sponsor at BSidesIowa?
With the format and philosophies of BSides we are unable to allow vendor-specific talks; if your organization would like to have a talk, then the speaker will need to submit a request like other speakers when we do a CFP. Sponsors will gain the following benefits:
  • Being part of the media conversation: as people talk about us they talk about you or at least see you.
  • Big Fish in a Small Pond: For some, sponsoring large events is not within their price range, leaving them with no option for communicating their message. BSides is just the place for you! This small, community atmosphere brings together active and engaged participants who want to absorb information. Sponsoring a BSides event enables you to be that big fish in a small pond and better communicate your message to an active audience.
  • Stay in touch with the industry: BSides enables its supporters and participants to identify and connect with industry leaders and voices. These participants represent the social networking of security. They are the people who you want to engage to solicit feedback and bring voice to your conversation.
  • Targeted and Direct Audience: You didn't enter the security industry selling your product to everyone the same way, so why approach events that way?  Instead of marketing to the broader "security" community connect directly with the security professionals who write about, talk about, recommend, and implement security products and services.
  • Be associated with the next big thing: Nobody knows what the “next big thing” will be, but these events are community driven with presentations voted upon by the industry. There is no magic to how it works, but we believe that listening to the underground can help prepare you and help identify what the next big thing might be.
  • Sponsorship listed on programs, signage and other marketing materials used to promote the event. This includes t-shirts if they are produced.
  • Sponsors will have the ability to network with event attendees. Vendor area if space is available. 

Sunday, September 25, 2011

Forensics Term Paper - Windows 8 Registry

I have been tossing around a few ideas for my term paper this fall. And yes, I am still alive..

Part of me wanted to do Malware Analysis: finding unknown evil in the enterprise by investigating interesting traffic, processes, communications and just plain dumb luck, then utilizing multiple methodologies and utilities to track down the infection and remove it.

Then I read an article on Windows 8 Beta and Jump Lists (thanks Harlan) and that got me thinking a little more on the subject of finding out what I can in that OS in regards to the Jump List and Registry.

A few minutes ago I submitted my initial proposal to my professor on my work. Hopefully I will be presenting this at BSides Iowa in 2012..

Proposal that was Sent:


One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how we can utilize current digital forensics technologies and processes to recover and find hidden information. Recently Microsoft released the Developer Preview of Windows 8; with this release Microsoft has added some features to the operating system that will present some interesting complications for digital forensics.

The first thing I plan to look at is the way that Windows 8 handles the registry hives. Traditionally the registry has been known to house a myriad of useful information for the digital forensic investigator. This information includes, but is not limited to: removable media that has been plugged into the device, the current configuration of the machine that the operating system is installed on, files recently accessed by users, orphaned artifacts of uninstalled software, as well as potential indicators of malware infection.

Analyzing the registry data variances from Windows 7 to Windows 8 will require utilizing multiple virtual machines to create usable environments and the creation of a baseline file to compare the changes against. Once these baselines have been established we can compare the registry files between the two versions and see what is different between Windows 7 and Windows 8. We will then install various software versions and compare the changes to the registry from these installs across the environments. After we have installed our software we will uninstall it and compare the registries to see what artifacts have been left behind by the uninstall process. This will allow us to see what registry entries remain across both versions. Reverting each virtual machine to its baseline snapshot before the next install keeps every comparison attributable to a single change. Finally we will infect both virtual machines with malicious code to see how the registries handle malware infection across both versions of the tested Windows operating systems.

The second thing I intend to look at is the Jump Lists. This was a new artifact introduced in Windows 7. The Jump List allows quick access to recently accessed files or most frequently accessed files[1]. There are other capabilities in the Jump Lists in Windows 7 that should carry over. From my initial look at the Windows 8 operating system it appears that you can customize the Jump Lists. I am interested to see, if you customize it to a small Jump List amount, whether there is more stored in the registry.

Investigating the Jump Lists will require setting limitations on the data retained by the Jump Lists and seeing how the operating system reacts. We will need to understand how these changes impact the registry and the Jump List if the Jump List is turned off, told to remember nothing, told to remember less, or if the limit is increased. This will require analyzing the registry as we make the changes to the Jump List, comparing the baseline against the modified versions.
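The baseline-and-compare workflow described above (export the registry before and after an install, an uninstall or a Jump List setting change, then diff the two) comes down to a few lines once the exports are parsed. What follows is an added example, not code from the original post or paper: it parses two regedit .reg exports into key/value maps and reports added keys, removed keys and changed values. The two exports are constructed for the example; ExampleApp is a hypothetical program whose uninstaller left a key behind, and Start_JumpListItems is assumed here to be the Explorer value behind the "number of recent items to display in Jump Lists" setting.

```python
"""Differential registry analysis: diff two regedit (.reg) exports, e.g. a
baseline snapshot against one taken after an install, an uninstall or a
settings change, so the artifacts the change left behind stand out."""
import re

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# "name"=data or @=data (the key's default value); names may contain \" escapes
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}.

    Data is kept exactly as regedit writes it ("string", dword:..., hex(b):...),
    which is all a diff needs. Hex data continued over several lines with a
    trailing backslash is reassembled; [-key] deletion entries are skipped.
    """
    keys = {}
    current = None
    pending = ""  # value line being reassembled from continuation lines
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if pending:
            pending += line
            if pending.endswith("\\"):
                pending = pending[:-1]
                continue
            line, pending = pending, ""
        elif not line or line in REG_HEADERS or line.startswith(";"):
            continue
        elif line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None if path.startswith("-") else keys.setdefault(path, {})
            continue
        elif line.endswith("\\"):
            pending = line[:-1]
            continue
        match = VALUE_RE.match(line)
        if current is None or match is None:
            continue  # value outside any key, or a line we do not understand
        name = "(Default)" if match.group(1) is None else match.group(1)
        current[name] = match.group(2)
    return keys


def load_reg_file(path):
    """regedit writes exports as UTF-16 with a BOM; decode them as such."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def diff_registry(baseline, sample):
    """Return added keys, removed keys and changed values between two parsed
    exports. Paths and value names are matched case-insensitively, as the
    registry does; changed values are (name, old, new), None when absent."""
    b_idx = {k.lower(): k for k in baseline}
    s_idx = {k.lower(): k for k in sample}
    added = sorted(s_idx[k] for k in s_idx.keys() - b_idx.keys())
    removed = sorted(b_idx[k] for k in b_idx.keys() - s_idx.keys())
    changed = {}
    for k in sorted(b_idx.keys() & s_idx.keys()):
        b_vals = {n.lower(): (n, d) for n, d in baseline[b_idx[k]].items()}
        s_vals = {n.lower(): (n, d) for n, d in sample[s_idx[k]].items()}
        for n in sorted(b_vals.keys() | s_vals.keys()):
            old = b_vals[n][1] if n in b_vals else None
            new = s_vals[n][1] if n in s_vals else None
            if old != new:
                name = (s_vals.get(n) or b_vals[n])[0]
                changed.setdefault(s_idx[k], []).append((name, old, new))
    return {"added_keys": added, "removed_keys": removed, "changed_values": changed}


def format_report(diff):
    """Render a diff as +/-/~ lines, one per key, with changed values indented."""
    lines = [f"+ {k}" for k in diff["added_keys"]]
    lines += [f"- {k}" for k in diff["removed_keys"]]
    for key, values in diff["changed_values"].items():
        lines.append(f"~ {key}")
        lines += [f"    {n}: {old!r} -> {new!r}" for n, old, new in values]
    return "\n".join(lines)


# Constructed exports for this example (not real captures). ExampleApp is a
# hypothetical program whose uninstaller left HKLM\SOFTWARE\ExampleApp behind;
# Start_JumpListItems is assumed to be the Explorer value behind the Jump List
# item limit. The hex(b) QWORD is continued over two lines to exercise the parser.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"""

AFTER_UNINSTALL_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
@="ExampleApp"
"InstallPath"="C:\\Program Files\\ExampleApp"
"LastRun"=hex(b):00,80,3e,d5,\
  de,b1,9d,01
"""

if __name__ == "__main__":
    report = diff_registry(parse_reg_export(BASELINE_REG),
                           parse_reg_export(AFTER_UNINSTALL_REG))
    print(format_report(report))
```

Against real exports, replace the constructed strings with `load_reg_file("baseline.reg")` and `load_reg_file("after.reg")`; exporting the same hive root from each snapshot keeps the key paths comparable. The orphaned ExampleApp key shows up as added, the lowered Jump List limit as a changed value, and the untouched Uninstall key produces nothing, which is the signal-to-noise the baseline approach is after.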

By understanding how the registry behaves within the Windows 8 operating system, we will know which tools currently can handle the new operating system, which tools would need to be modified, and what options are missing from the current tool sets deployed by digital forensic investigators. This research will give us a chance to understand the changes that we are going to be faced with, as well as share our knowledge with others in the field.

Thursday, August 25, 2011

Forensics Reading List

This is the list that my professor has decided we need to read or be familiar with.
Thought I would pass it along in case someone wanted some Article to read, or want to add to it.


Required Reading List

Note: The instructor may make minor changes or add a few more papers to this list during the semester.

Module I: Digital Forensics: An Overview

  1. [Required] Gary Palmer, A Road Map for Digital Forensic Research,  Digital Forensic Research Workshop (DFRWS), Final Report, Aug. 2001.
  2. [Required] Sarah Mocas, Building Theoretical Underpinnings for Digital Forensics Research, Digital Investigation, vol. 1, pp. 61-68, 2004.
Module II: Forensics Basics and Criminalistics

No required readings. Here is a reference book.
  1. Richard Saferstein, Criminalistics: An Introduction to Forensic Science, 8th edition, Prentice Hall, Inc., 2004, ISBN: 0-13-111852-8.
Module III: Basic networking and OS Concepts: A Review
No required readings. Please read CprE 308 and 489 textbooks whenever needed.
  1. Andrew Tanenbaum, Modern Operating Systems, 2nd Edition, Prentice Hall, Inc., 2001, ISBN: 0-13-031358-0.
  2. Alberto Leon-Garcia and Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, 1st Edition, McGraw-Hill Companies, Inc., 2000, ISBN 0-07-022839-6.
Module IV: Advanced Topics in Computer and Network Forensics
Forensic Duplication and Analysis
  1. [Required] Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigation, March 2004 edition, 2004.
  2. [Required] The survey of disk image formats, CDESF Technical Working Group, September 2006.
(More will be added).
Cyber Forensics Tools and the Testing Thereof
  1. Encase Online Manual (on Lab Machines)
  2. FTK Online Manual (on Lab Machines)
  3. Bruce Schneier and John Kelsey, Secure Audit Logs to Support Computer Forensics, ACM Transactions on Information and System Security, v. 1, n. 3, 1999.
  4. Alec Yasinsac and Yanet Manzano, "Policies to Enhance Computer and Network Forensics," in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States Military Academy, West Point, NY, 5-6 June, 2001.
  5. Eoghan Casey, Practical approaches to recovering encrypted digital evidence, Digital Forensic Research Workshop (DFRWS), Aug. 2002.
  6. Matthew Geiger, Evaluating Commercial Counter-Forensic Tools, Digital Forensic Research Workshop (DFRWS), Aug. 2005.
PDA and Cell Phone Forensic Analysis
  1. [Required] Wayne Jansen and Rick Ayers, Guidelines on PDA Forensics, NIST, August 2004.
  2. [Required] Mobile Device Forensics (Blackberry, Android), http://www.mobileforensicsworld.org/, 2009.
Network Surveillance
(Will be added).
Profiling Cyber Criminals
  1. Eric Shaw, Keven G. Ruby, and Jerrold M. Post, The Insider Threat to Information Systems: The Psychology of the Dangerous Insider, Security Awareness Bulletin, No. 2-98. 1998.
Network Attack Traceback and Attribution
IP Traceback
  1. K. Shanmugasundaram, et al., Payload Attribution via Hierarchical Bloom Filters, in Proceedings of the ACM CCS 2004.
  2. [Required] A. Belenky and N. Ansari, IP traceback with deterministic packet marking, IEEE Communications Letters, vol. 7, no. 4, pp. 162-164, Apr. 2003.
  3. [Required] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer, Single-Packet IP Traceback, IEEE/ACM Transactions on Networking (ToN), Volume 10, Number 6, pp. 721-734, December 2002.
  4. Micah Adler, Tradeoffs in Probabilistic Packet Marking for IP Traceback, in Proceedings of the 34th ACM Symposium on Theory of Computing (STOC) 2002.
  5. D. Song and A. Perrig, Advanced and authenticated marking schemes for IP traceback, in Proc. of IEEE INFOCOM 2001, Apr. 2001.
  6. [Required] D. Dean, M. Franklin, and A. Stubblefield, An algebraic approach to IP traceback, in Network and Distributed System Security Symposium (NDSS '01), Feb. 2001.
  7. [Required] Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Practical Network Support for IP Traceback, Proceedings of the 2000 ACM SIGCOMM Conference, pp. 295-306, Stockholm, Sweden, August 2000.
  8. Steve Bellovin, ICMP Traceback Messages, Network Working Group Internet Draft, 2000.
Stepping Stone Attack Attribution
  1. [Required] A. Blum, D. Song, and S. Venkataraman, Detection of interactive stepping stones: Algorithms and confidence bounds, in 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sophia Antipolis, France, Sept. 2004.
  2. W. T. Strayer, C. E. Jones, I. Castineyra, J. B. Levin, and R. R. Hain, An integrated architecture for attack attribution, BBN Technologies, Tech. Rep. BBN REPORT-8384, Dec. 2003.
  3. [Required] X. Wang and D. S. Reeves, Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays, in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003), Washington DC, USA, Oct. 2003.
  4. X. Wang, D. S. Reeves, and S. F. Wu, Inter-packet delay based correlation for tracing encrypted connections through stepping stones, in Proceedings of the 7th European Symposium on Research in Computer Security (ESORICS 2002), Zurich, Switzerland, pp. 244-263, Oct. 2002.
  5. D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay, in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, Oct. 2002.
  6. X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, Sleepy watermark tracing: An active network-based intrusion response framework, in Proceedings of the 16th International Conference on Information Security (IFIP/Sec '01), Paris, France, June 2001.
  7. [Required] K. Yoda and H. Etoh, Finding a connection chain for tracing intruders, in Proceedings of the 6th European Symposium on Research in Computer Security (ESORICS 2000), Toulouse, France, Oct. 2000.
  8. [Required] Y. Zhang and V. Paxson, Detecting stepping stones, in Proceedings of the 9th USENIX Security Symposium, Denver, USA, pp. 171-184, Aug. 2000.
VoIP Security, Caller-ID Services, and Tracing Anonymous VoIP Calls
  1. [Required] R. Kuhn, T. Walsh, and S. Fries, Security Considerations for Voice Over IP Systems, NIST Special Publication 800-58, January 2005.
  2. [Required] X. Wang, S. Chen, and S. Jajodia, Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet, in Proceedings of ACM CCS, 2005.
P2P Forensics
  1. [Required] Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, Forensic Investigation of Peer-to-Peer File Sharing Networks, DFRWS 2010.
Botnets Investigative Analysis (Optional)

  1. Laurianne McLaughlin, Bot Software Spreads, Causes New Worries, IEEE DISTRIBUTED SYSTEMS ONLINE, Vol. 5, No. 6; June 2004.
  2. Bill Mccarty, Botnets: Big and Bigger, IEEE SECURITY & PRIVACY, JULY/AUGUST 2003.
  3. David Dagon, Guofei Gu, Cliff Zou, Julian Grizzard, Sanjeev Dwivedi, Wenke Lee, Richard Lipton, A Taxonomy of Botnets, NSF Cybertrust PI meeting, September 25, 2005.
  4. Felix C. Freiling, Thorsten Holz, and Georg Wicherski, Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, tech report, Department of Computer Science, RWTH Aachen University, April 2005.
  5. Ramneek Puri, Bots & Botnet: An Overview, GSEC Practical Assignment Version, SANS Institute, August 2003.
  6. Evan Cooke, Farnam Jahanian, Danny McPherson, The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, USENIX SRUTI'05: Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, MA, July 7, 2005.
  7. Know your Enemy: Tracking Botnets, http://www.honeynet.org/papers/bots/ (Word version).
  8. [Required] Anirudh Ramachandran, et al., "Revealing Botnet Membership Using DNSBL Counter-Intelligence," in SRUTI '06.
  9. [Required] Cliff C. Zou and Ryan Cunningham, "Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), June 25-28, Philadelphia, 2006.
  10. [Required] David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), p.235-249, Feb. 2-4, San Diego, 2006.

(Will be added).
Multimedia Forensics and Multicast Fingerprinting

  1. [Required] H. Chu, L. Qiao, and K Nahrstedt, "A secure multicast protocol with copyright protection," Proceedings IS&T/SPIE Symposium on Electronic Imaging: Science and Technology, San Jose, CA, Jan. 1999.
  2. [Required] B. Briscoe and I. Fairman, "Nark: Receiver-based multicast non-repudiation and key management," ACM Conference on Electronic Commerce, Denver, CO, Nov. 1999.
  3. [Required] I. Brown, C. Perkins, and J. Crowcroft, "Watercasting: Distributed watermarking of multicast media," Network Group Communication, Pisa, Italy, pp. 286-300, Nov. 1999.
  4. [Required] P. Judge and M. Ammar, "WHIM: Watermarking multicast video with a hierarchy of intermediaries," Proc. NOSSDAC, Chapel Hill, NC, Jun. 2000.
  5. R. Parviainen and P. Parnes, "Large scale distributed watermarking of multicast media through encryption," in Proc. of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century, vol. 64, pp. 149-158, 2001.
  6. P. Judge and M. Ammar, "Security issues and solutions in multicast content distribution: a survey," IEEE Network, Jan./Feb. 2003.
  7. W. Trappe, M. Wu, Z.J. Wang, and K.J.R. Liu, "Anti-Collusion Fingerprinting for Multimedia," IEEE Trans. on Signal Processing, vol 51, no 4, pp. 1069-1087, special issue on Signal Processing for Data Hiding in Digital Media and Secure Content Delivery, April 2003.
  8. A. Eskicioglu, "Multimedia security in group communications: Recent progress in key management, authentication and watermarking," ACM Multimedia Systems, Special Issue on Multimedia Security 9, pp. 239-248, Sep. 2003.
  9. [Required] M. Wu, W. Trappe, Z.J. Wang, and K.J.R. Liu, "Collusion-Resistant Fingerprinting for Multimedia," IEEE Signal Processing Magazine, Special Issue on Digital Rights: Management, Protection, Standardization, vol 21, no 2, pp. 15-27, March 2004.
  10. Z.J. Wang, M. Wu, W. Trappe, and K.J.R. Liu, "Group-Oriented Fingerprinting for Multimedia Forensics," EURASIP Journal on Applied Signal Processing, Special Issue on Multimedia Security and Rights Management, 2004:14, pp. 2142-2162, Nov 2004.
  11. H. Zhao and K. J. R. Liu, "Bandwidth efficient fingerprint multicast for video streaming," IEEE Int. Conf on Acoustics, Speech and Signal Processing, May 2004.
  12. H. Zhao and K. J. R. Liu, "A secure multicast scheme for anti-collusion fingerprinted video," Global Telecommunications Conference, 2004.
  13. H. Zhao, M. Wu, Z.J. Wang, and K.J.R. Liu, "Forensic Analysis of Nonlinear Collusion Attacks for Multimedia Fingerprinting," IEEE Trans. on Image Processing, vol 14, no 5, pp. 646-661, May 2005.
  14. Z.J. Wang, M. Wu, H. Zhao, W. Trappe, and K.J.R. Liu, "Anti-Collusion Forensics of Multimedia Fingerprinting Using Orthogonal Modulation," IEEE Trans. on Image Processing, June 2005.
  15. [Required] H. Zhao and K.J.R. Liu, "Fingerprint Multicast for Secure Video Streaming," in IEEE Trans. on Image Processing.
Crime Scene Reconstruction: Evidence Linkage Discovery and Causal Reasoning
  1. [Required] J. Adibi, et al., The KOJAK Group Finder: Connecting the Dots via Integrated Knowledge-Based and Statistical Reasoning, in Proceedings of the Sixteenth Innovative Applications of Artificial Intelligence Conference (IAAI-04), 2004.
  2. J. Zhang and V. Honavar, Learning Decision Tree Classifiers from Attribute Value Taxonomies and Partially Specified Data, in Proceedings of the International Conference on Machine Learning (ICML-03), 2003.
  3. [Required] J. Xu and H. Chen, The Topology of Dark Networks, Communication of ACM, Vol. 51, No.10, October 2008.
Stock Spam


  1. [Required] Frieder and Zittrain, Spam Works: Evidence from Stock touts and Corresponding Market Activity, working paper, March 2007.
  2. [Required] Hanke and Hauser, On the Effects of Stock Spam E-mails, working paper (later version published in the Journal of Financial Markets, 11(1), February 2008.
  3. [Required] Bohme and Holz, The Effect of Stock Spam on Financial Markets, working paper (also published in WEIS 2006), April 2006.

Case Studies
No required readings.
Module V: Investigative Techniques from Intrusion Detection and Response
Survey


  1. [Required] H. Debar, M. Dacier, and A. Wespi, A Revised Taxonomy for Intrusion-Detection Systems, Research Report of IBM Zurich Research Lab, 1999.
General Model
  1. D. Denning, An Intrusion-Detection Model, 1986.
  2. R. Maxion and K. M. C Tan, Benchmarking Anomaly-Based Detection Systems, 2000.
Detection Method

Misuse Detection

  1. K. Ilgun, R. A. Kemmerer, and P. A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, 1995.
  2. C. Y. Chung, M. Gertz, and K. Levitt, DEMIDS: A Misuse Detection System for Database Systems, 1999.

Anomaly Detection

  1. H. S. Javitz and A. Valdes, The SRI IDES Statistical Anomaly Detector, 1991.
  2. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, A Sense of Self for Unix Processes, 1996.
  3. D. Wagner and D. Dean, Intrusion Detection via Static Analysis, 2001.
  4. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, 2001.
Learning (or Data Mining) Based Approaches
  1. C. Warrender, S. Forrest, and B. Perlmutter, Detecting Intrusion Using System Calls: Alternative Data Models, 1999.
  2. A. Valdes and K. Skinner, Probabilistic Alert Correlation, 2000.
Implementation Issues
  1. B. Mukherjee, L. T. Heberlein, and K. N. Levitt, Network Intrusion Detection, 1994.
  2. F. Kerschbaum, E. H. Spafford, and D. Zamboni, Using Embedded Sensors for Detecting Network Attacks, 2000.
  3. P. A. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, 1998.
  4. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni, An Architecture for Intrusion Detection Using Autonomous Agents, 1998.
  5. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle, The Design of GrIDS: A Graph-Based Intrusion Detection System, 1999.
  6. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok, Toward Cost-Sensitive Modeling for Intrusion Detection and Response, 2001.
Evaluation Issues
  1. N. J. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. A. Olsson, A Methodology for Testing Intrusion Detection Systems, 1996.
  2. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation, 2000.
  3. R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, The 1999 DARPA Off-line Intrusion Detection Evaluation, 2000.

Module VI: Steganography & Steganalysis
  1. [Required] Ross J. Anderson and Fabien A. P. Petitcolas, INFORMATION HIDING: AN ANNOTATED BIBLIOGRAPHY, 1999.
  2. Ross Anderson, Fabien A.P. Petitcolas, On The Limits of Steganography, 1998.
Module VII: Anonymity/Pseudonymity/P3P
  1. [Required] David Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, CACM, v. 24, n. 2, pp. 84-88, 1981.
  2. [Required] David Chaum, The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability, Journal of Cryptology, vol. 1, no. 1, pp. 65-75, 1988.
  3. Michael Waidner, Unconditional sender and recipient untraceability in spite of active attacks, in Eurocrypt '89, Lecture Notes in Computer Science volume 434, pages 302-319, Springer-Verlag, 1989.
  4. J. Bos and B. den Boer. Detection of disrupters in the DC protocol. In Lecture Notes in Computer Science 434 (Eurocrypt '89). Springer-Verlag, 1989.
  5. Ceki Gülcü and Gene Tsudik, Mixing Email with Babel, Proceedings of the 1996 Symposium on Network and Distributed System Security, 1996.
  6. [Required] P. Syverson, D. Goldschlag, and M. Reed, Anonymous Connections and Onion Routing, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, IEEE CS Press, pp. 44-54, May 1997.
  7. [Required] Michael Reiter and Aviel Rubin, Anonymous Webtransactions with Crowds, ACM Transactions on Information and System Security, v. 1, n. 1, pp. 66-92, 1998.
  8. Adam Back, Ulf Möller, and Anton Stiglic, Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems, Lecture Notes in Computer Science, No. 2137, pp. 245, 2001.
  9. Clay Shields and Brian Neil Levine, A Protocol for Anonymous Communication Over the Internet, Proceedings of the 7th ACM Conference on Computer and Communication Security, Athens, Greece, Nov. 1-4, 2000.
  10. Rob Sherwood, Bobby Bhattacharjee, and Aravind Srinivasan, P5: A Protocol for Scalable Anonymous Communication, IEEE Symposium on Security and Privacy, 2002.
  11. Michael Freedman, Emil Sit, Josh Cates, and Robert Morris, Introducing Tarzan, a Peer-to-Peer Anonymizing Network Layer, the First International Workshop on Peer-to-Peer Systems, 2002.
  12. [Required] Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao, "An Optimal Strategy for Anonymous Communication Protocols," in Proceedings of the 22nd IEEE International Conference on Distributed Computing Systems (ICDCS 2002), June 2002.
  13. George Danezis, Roger Dingledine, David Hopwood, and Nick Mathewson, Mixminion: Design of a Type III Anonymous Remailer, 2003 IEEE Symposium on Security and Privacy, May 2003.
  14. B. N. Levine, M. K. Reiter, C. Wang and M. Wright, Timing attacks in low-latency mix systems, In Financial Cryptography: 8th International Conference, FC 2004.
  15. Michael K. Reiter and Xiaofeng Wang, Fragile Mixing, ACM CCS 2004.
  16. Platform for Privacy Preferences (P3P) Project, http://www.w3.org/P3P/, 2002.
  17. [Required] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, Stefan Wolf, Pseudonym Systems, Selected Areas in Cryptography 1999, Lecture Notes in Computer Science.
Module VIII: Cyber Law, Security and Privacy Policies and Guidelines, and Legal Issues
  1. [Required] U.S. DoJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, US DoJ, 2002.
  2. Daniel Ryan and Gal Shpantzer, Legal Aspects of Digital Forensics, The George Washington University, 2000.
  3. J. Patzakis and V. Limongelli, Encase Legal Journal, Guidance Software, April 2004.
  4. SWGDE Document, Scientific Working Group on Digital Evidence, April 2003.
  5. The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production, Sedona Principles, Jan. 2004.
  6. ACPO Guide, Good Practice Guide for Computer based Electronic Evidence, Association of Chief Police Officers.
  7. NIJ Guide, Electronic Crime Scene Investigation: A Guide for First Responders, 2001.
Module IX: Legal and Ethical Issues (Optional)
No required readings.
Module X: Court Report Writing and Testimony Skills
No required readings. Here are two useful documents:

  1. Judy Nodurft, Documentation and Writing Skills for Legal Reports, California Social Work Education Center (CalSWEC), University of California, Berkeley, 2001.
  2. ABA Litigation Section, Factors to Consider When Presenting Expert Testimony, ABA Litigation Section Annual Meeting, August 22, 2005.
Recent Cryptographic News on Hash Collision and Weakness
  1. Xiaoyun Wang and Dengguo Feng and Xuejia Lai and Hongbo Yu, Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/, August 2004.
  2. Eli Biham and Rafi Chen, Near-Collisions of SHA-0, Crypto 2004.
  3. NIST's NSRL Project response on recent cryptographic news on hash collision and weakness, 2004.

My Additions:

Blogs (I know I am missing some):

  1. Sans Forensics Blog
  2. Harlan Carvey
  3. Fist full of Dongles
  4. Digital Forensics Solutions
  5. Tao Security