Difference between revisions of "Episode318"

From Security Weekly Wiki
(Created page with "{{Advertisements}} = Episode Media = [http://pauldotcom.com/2013/1/episode-318 Episode 318] [http://traffic.libsyn.com/pauldotcom/PaulDotCom-318.mp3 MP3] = Announcements ...")
 
 
To learn more about the 15% discount on online forensic classes, visit [http://www.sans.org/online-security-training/specials SANS Specials Training page], which will also tell you how to access the many FREE forensic resources available from SANS.  Hurry, the discount will only be valid through February 20.
  
= Guest Tech Segment with Alissa "Sibertor" Torres :Extracting Network Packets from Physical Memory Images with Bulk Extractor =
+
= Interview: Dr. Gene Spafford =
  
Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of the University of Virginia and the University of Maryland. She's on tonight to talk to us about Bulk Extractor.
+
[http://spaf.cerias.purdue.edu/narrate.html Dr. Spafford is one of the senior, most recognized leaders in the field of computing. He has an on-going record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cybercrime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies.... With over three decades of experience as a researcher and instructor, Professor Spafford has worked in software engineering, reliable distributed computing, host and network security, digital forensics, computing policy, and computing curriculum design. He is responsible for a number of "firsts" in several of these areas.
  
My first investigation at Mandiant as an MCIRT incident handler was to unravel a DNS anomaly occurring on a customer's network. I was tasked with identifying why numerous workstations were hammering the internal DNS Servers with version.bind requests from UDP port 53. Using the stream-based extraction tool, Bulk Extractor, against two memory images from a sample set of affected systems, I was able to get visibility into the anomalous traffic by carving the network packets from one of the memory images.
+
Dr. Eugene Spafford is a professor with an appointment in Computer Science at Purdue University, where he has been a member of the faculty since 1987.]
 
 
== Bulk Extractor ==
 
 
 
As a stream-based tool, Bulk Extractor has several advantages over other forensics tools, which are limited by file system structure and boundaries to interpret data. It processes data disregarding sector boundaries, and automatically detects and expands compressed data. So, running a hard drive image or memory image through Bulk Extractor automatically unzips compound files like Office files, zipped files and Xpress compression as found in Windows hibernation files. In addition, this tool is capable of processing data segments in parallel, making it much faster than some forensics tools limited to a single processor. Bulk Extractor, written by Simson L. Garfinkel, is included in BackTrack and the SIFT, the SANS Investigative Forensic Toolkit, and is available for [http://github.com/simsong/bulk_extractor download].
 
 
 
Bulk Extractor “categorizes” data into specific output files upon processing, based on the scanners the analyst specifies for the job. The default scanners look for information of interest in typical investigations (IP addresses, hostnames, MACs, credit cards, URLs, and domains). Additional scanner features, among the most powerful, include the AES keys scanner, the Net scanner (carves network traffic), the Wordlist scanner (pulls strings from the data image) and Stoplists (suppress “known goods” from appearing in the output).
 
 
 
Figure 1 Sample Syntax for Bulk Extractor tool
 
 
 
[[File:Sibertor1.jpg]]
 
 
 
== BE Viewer ==
 
 
 
For those analysts who prefer to use a GUI, Bulk Extractor does have a graphical user interface tool, BEViewer. The BEViewer reports pane displays the results of a Bulk Extractor job, which can include the wordlist and net scanners in addition to the defaults. By using the viewer, an analyst can search through the output for specific keywords, viewing the data in hexadecimal or text view in the far right pane (shown below).
 
 
 
[[File:Sibertor2.jpg]]
 
 
 
The packets.pcap file can be opened with any network packet analysis tool. Realize that since these packets are pulled from a memory image, there are no time/datestamps, nor are there both sides of the “conversation”. From what I viewed, the memory images I parsed contained inbound packets with no time/datestamps.
 
 
 
[[File:Sibertor3.jpg]]
 
 
 
Based on what was seen in the resultant pcap, I was able to detect an inbound packet, scanning this local system for a DNS vulnerability and provide this lead to the customer, who confirmed their pen-testing team had been active on the network.
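As an added example (not from the segment, and not part of bulk_extractor itself), a small Python script that reads a packets.pcap in the shape the net scanner emits (libpcap records with zero timestamps, one side of each conversation) and flags DNS queries for version.bind in class CHAOS, the probe described above. The frames, addresses and ports are constructed sample data; that the carved frames are Ethernet/IPv4/UDP with zero checksums is an assumption.

```python
import socket, struct

def dns_query(qname, qtype, qclass):   # constructed sample: standard query, one question
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, qclass)

def udp_frame(src, dst, sport, dport, payload):   # Ethernet/IPv4/UDP, checksums left zero (assumed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return bytes(12) + b"\x08\x00" + ip

def pcap_file(frames):   # libpcap file whose records carry zero timestamps, as carved from memory
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def read_qname(buf, off):   # decode uncompressed DNS labels; return (name, offset after them)
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels), off + 1

def find_version_bind(pcap):
    """(src, dst) for each DNS query of version.bind, class CH (3), type TXT (16)."""
    hits, off = [], 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        fr, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(fr) < 54 or fr[12:14] != b"\x08\x00" or fr[23] != 17:   # IPv4 carrying UDP only
            continue
        udp = fr[14 + (fr[14] & 0x0F) * 4:]
        if 53 not in struct.unpack("!HH", udp[:4]):
            continue
        dns = udp[8:]
        flags, qdcount = struct.unpack("!HH", dns[2:6])
        if flags & 0x8000 or qdcount == 0:               # queries only; the carve is one-sided
            continue
        qname, end = read_qname(dns, 12)
        if qname.lower() == "version.bind" and struct.unpack("!HH", dns[end:end + 4]) == (16, 3):
            hits.append((socket.inet_ntoa(fr[26:30]), socket.inet_ntoa(fr[30:34])))
    return hits

# Constructed sample: one version.bind probe (UDP 53 -> 53) beside an ordinary A lookup.
SAMPLE = pcap_file([
    udp_frame("10.0.0.5", "10.0.0.53", 53, 53, dns_query("version.bind", 16, 3)),
    udp_frame("10.0.0.7", "10.0.0.53", 4321, 53, dns_query("example.com", 1, 1)),
])
```

Point `find_version_bind` at the bytes of a real packets.pcap to list the source addresses that issued the probe; the zero timestamps mean ordering, not timing, is all the carve can give you.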
 
 
 
Questions come to light based on this investigation, including “Are there specific occasions when memory should be dumped locally rather than over the network, in order to prevent trampling over network packets on the local system?” This is a consideration, especially in light of the lack of visibility into internal network traffic between hosts. Unless customers are capturing their own network traffic between subnets, the memory-bound packets may be the only evidence of anomalous activity between hosts.
 
 
 
More information on Bulk Extractor can be found at [http://github.com/simsong/bulk_extractor/wiki/introducing-bulk_extractor Simson Garfinkel’s website]. We also put this tool through its paces in the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response as we work our way through investigating an enterprise-level compromise by a sophisticated adversary.
 
Check it out at [https://www.sans.org/event/cyber-guardian-2013/schedule/ SANS Cyber Guardian in Baltimore, MD April 15 -20, 2013].
 
 
 
Submitted by [http://twitter.com/@sibertor Alissa Torres]
 
  
 
= Announcement =  

Revision as of 05:52, 27 January 2013


Episode Media

Episode 318

MP3

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 318 for Thursday January 31st, 2013

SANS is running a special promotion for Forensic Online courses.

Announcement

  • Join us on our 2nd ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
  • We are in the process of archiving and cataloging our technical segments. Please visit the PaulDotCom Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or, if you want to help in exchange for some free guidance and security training, please email me.

Stories


Paul's Stories

Larry's Stories

  1. Shark? - [Larry] - I learned something about google…
  2. Flaw in Enigma - Neat.

Jack's Stories that would make Motley Crue blush

Allison's Stuff