Monday, August 15, 2011

Musings and Reading Notes

If you know me personally you know I am caught between two worlds. I work in a technology field that requires I know a lot of various hardware and software. At the same time, I like reading a real book in my leather chair with a Scotch poured neat and enjoy a fine cigar from time to time. Real books provide me a feel and comfort not afforded by electronic versions.

That said, however, I do for the most part read books related to Forensics and technology on my iPad with the Kindle app. It gives me access to a lot of information and reference in a small package wherever I am.

I am currently actively reading or rereading 3 such books. My method of "reading" was cultivated years ago from the book "How to Read a Book" by Mortimer J. Adler and Charles Van Doren. I have managed to "import" most of this method into Kindle reading. It is a book I would recommend for everyone who reads or wants to read seriously and deeply.

One of my current project books is "Perl Scripting for Windows Security," written by Harlan Carvey of blogging fame. I use Perl frequently for scripting and to write ProScripts to use with ProDiscover. Having used Perl for some time, I am always looking for ideas and inspiration on HOW and WHEN to use it, not just how to write it. This book certainly fits that niche. Part II on Perl Scripting and Computer Forensic Analysis certainly fits the bill for what I need day to day, and I have experimented and learned some new things with SAMParse, and I was surprised to see ProScripts mentioned in the book as well. This is a book I will use as a reference for a long time. I suggest it to anyone with a good grounding in Perl who wants to get unchained from or add to their commercial software. If you are a ProDiscover user it should be a part of your library, because ProScripts can take your ProDiscover usage nuclear.

Harlan gets another nod, albeit secondary to Cory Altheide, for Digital Forensics with Open Source Tools. I made the "mistake" of reading an impression of this book this morning over at TaoSecurity, and I'll try not to repeat it from familiarity. This book certainly fits the bill for unchained forensics. I am in my third reading, and my deepest practical work-through of the book. I have to say I find it not for the faint of heart. If you do not want to get dirty with Linux and Open Source, this isn't for you. It's not, in my opinion, a book you can read through and pick up a few things that might interest you. This is a practical usage book that begs for practice and experimentation. I had some difficulties with the jumps it made, just like Richard, and I had to overcome the different paths my version of Ubuntu used from the book. That in itself was a great learning experience, but it set me up for a great ride through the rest of the book. I plan on a post in a couple of weeks to go through some of the examples and how I practiced and implemented them.

This past week I had the opportunity to implement RegRipper for real after practicing, benchmarking and testing it for a while. I was working on a case where one of the underpinnings was showing the use of an external HD and a data CD written on a certain date when we knew a data theft had probably occurred. I had the registry viewer in ProDiscover, but time was against me since the legal firm wanted to file a quick motion. Using RegRipper, I found the data I needed very fast and accurately, which might otherwise have taken me many hours parsing the data by hand. RegRipper allowed me to see Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder, which showed the last write time, and MRUListEx with a last write date on the day the employee left the company. Two of the items listed were a drive E: and a disk whose label was the date the theft had taken place. This enabled me to target the investigation and proceed with the knowledge that the incident had probably taken place as believed and artifacts did exist. I have a lot of work to do yet with RegRipper before I understand its power and capabilities, but right now it certainly performs as a great triage tool.
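To show what the RecentDocs\Folder key above actually holds, here is an added example (not RegRipper code and not from the post) that decodes the MRUListEx ordering, pulls the UTF-16LE names out of the numbered values, and converts a key's FILETIME last-write stamp. The registry bytes it works on are constructed inline; the entry names are invented and the date is arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx is a run of little-endian DWORD indices, most recently
    used first, terminated by 0xFFFFFFFF. Return the indices in MRU order."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a ragged tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_name(value: bytes) -> str:
    """A RecentDocs entry starts with a null-terminated UTF-16LE name
    followed by shell-item binary data; return only the name."""
    end = 0
    while end + 1 < len(value):
        if value[end] == 0 and value[end + 1] == 0:
            break
        end += 2
    return value[:end].decode("utf-16-le", errors="replace")

def mru_order(key_values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Walk the MRUListEx order and resolve each index to its entry name."""
    order = parse_mrulistex(key_values["MRUListEx"])
    return [(i, recentdocs_name(key_values[str(i)]))
            for i in order if str(i) in key_values]

def filetime_to_datetime(filetime: int) -> datetime:
    """Key last-write times are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

# Constructed sample key: value "2" (E:\) was used most recently, then "0", then "1".
SHELL_ITEM_STUB = b"\x14\x00\x1f\x50"  # placeholder for the trailing shell item bytes
SAMPLE_FOLDER_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": "Reports".encode("utf-16-le") + b"\x00\x00" + SHELL_ITEM_STUB,
    "1": "MY_DISC_LABEL".encode("utf-16-le") + b"\x00\x00" + SHELL_ITEM_STUB,
    "2": "E:\\".encode("utf-16-le") + b"\x00\x00" + SHELL_ITEM_STUB,
}

if __name__ == "__main__":
    for idx, name in mru_order(SAMPLE_FOLDER_KEY):
        print(f"{idx}: {name}")
    print(filetime_to_datetime(129578400000000000).isoformat())
```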

On a last personal note, I have to pass along my prideful boasting on a couple of my children. Victoria just released her first EP of music she wrote, produced by Grey Revell. It is on SoundCloud. A great accomplishment to have before your 15th birthday. Another daughter, Dorothy, competed this weekend in the Harmon Classics Hunter Jumper show at Latta Equestrian Center. She has won many ribbons before, but this day got off to a rocky start. In her first event, her horse balked and stopped at the second fence, throwing Dorothy over its head to the ground. She got up, dusted herself off and walked the horse back out. In the second event the horse refused to jump again and she was excused from the event. Most 12-year-olds would have just quit, but Dorothy "talked" to the horse and in the next 5 events made it jump. She placed in all 5 and in the last event won the Blue. Quite a growing-up experience. I was infinitely more proud than I would have been if she had won all her events. There's my bragging for the month.

Tuesday, August 9, 2011

A Computer Forensics Story without a Computer

I spent a little time at the Outer Banks last week, enjoying the surf and the fishing. One night standing on the Avon Pier, I discovered something about Digital Forensics. No, no one walked up to me with a netbook they wanted examined, this was about fishing, but it applied to forensics.

Now, I lived in eastern NC most of my life, and grew up fishing the banks inshore and offshore. So here I was leaning on the pier watching an enormous group of large skates go past. As I stood there I kept watching these sunburnt tourists go past me to the very end of the pier carrying brand new expensive shiny rods and reels purchased at the pier store, hands full of one of every kind of bait they sold, a 5-day NC fishing license that gave them the RIGHT to fish, and for the most part not even a tickle in their brain cells of exactly how to catch fish.

As I watched them go to the end of the pier (deeper is better, they thought) and flop their lines in the water right next to the pilings, I knew what was going to happen. And it did, time after time. Their rod would bend almost in half, and the crowd would hoot and holler at the enormous fish that must be on the end of the line. The more they would reel (paying no attention to the drag), the more the rod would bend. Finally some old salt would take pity and go over and tell them the tide had wrapped them around the pier and they had caught basically a big telephone pole. This would be followed by a long period of pulling, twisting and a lot of cussing as they tried to get their lines free of the pier. Usually it ended with cut lines, and once in a broken rod.

Exactly what, you are asking, did this situation have to do with forensics? No, I wasn't drinking mass quantities on the pier. It made me think like this. Their shiny new techno rods and reels were great tools, but only if the hands that held them knew what to do with them. The pier is a great vehicle for getting out to the fish, if you understand where the fish could be. And then the water, ah, you have to be able to see below it! Here the light bulb flashes. Forensics is all about what's under the water, how the tide and currents are moving, where you will use your tools and how.

FTKs, EnCases, ProDiscovers and all the other commercial tools are like those rods and reels: in the hands of someone who knows what is or has happened under the water (network, file system, malware etc.) they are powerful. If you don't know the water, you can't use the tool. In the various forums and boards I always see "I am a newbie to CF, what tools should I get?"

My answer: Go to Walmart and get a cheap rod and reel (free and/or Open Source tools, images) and spend countless hours learning the water (read, study and PRACTICE).