- 1 Episode Media
- 2 Announcements & Shameless Plugs
- 3 Guest Tech Segment with Alissa "Sibertor" Torres :Extracting Network Packets from Physical Memory Images with Bulk Extractor
- 4 Announcement
- 5 Stories
- 6 Paul's Stories
- 7 Larry's Stories
- 8 Jack's Stories that would make Motley Crue blush
- 9 Allison's Stuff
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 318 for Thursday January 31st, 2013
- Offensive Countermeasures in Europe! - March 12-15 in Amsterdam!
- For the first time ever, BSides is coming to Rhode Island. Paul will be co-organizing BSides Rhode Island with the latest PaulDotCom
victimintern Patrick Laverty. Saturday, June 15 in Providence, Rhode Island. You can get in touch with us at BSidesRhodeIsland@gmail.com. Our Twitter handle is http://twitter.com/BSidesRI and our site is at http://www.securitybsides.com/BSidesRI We have two confirmed speakers!
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts.
SANS is running a special promotion for Forensic Online courses.
To learn more about the 15% discount on online forensic classes, visit SANS Specials Training page, which will also tell you how to access the many FREE forensic resources available from SANS. Hurry, the discount will only be valid through February 20.
Guest Tech Segment with Alissa "Sibertor" Torres :Extracting Network Packets from Physical Memory Images with Bulk Extractor
Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of University of Virginia and University of Maryland. She's on tonight to talk to us about Bulk Extractor.
My first investigation at Mandiant as an MCIRT incident handler was to unravel a DNS anomaly occurring on a customer's network. I was tasked with identifying why numerous workstations were hammering the internal DNS Servers with version.bind requests from port UDP 53. Using the stream-based extraction tool, Bulk Extractor, against two memory images from a sample set of affected systems, I was able to get visibility into the anomalous traffic by carving the network packets from the one of the memory images.
As a stream-based tool, Bulk Extractor has several advantages over other forensics tools, which are limited by file system structure and boundaries to interpret data. It processes data, disregarding sector boundaries, and automatically detects and expands compressed data. So, running a hard drive image or memory image through Bulk Extractor automatically unzips compound files like Office files, zipped files and Xpress compression as found in Windows hibernation files. In addition, this tool is capable of processing data segments in parallel, making it much faster than some forensics tools limited to a single processor. Bulk Extractor, written by Simson L. Garfinkel, is included in BackTrack and the SIFT, the SANS Investigative Forensic Toolkit and is available for download.
Bulk Extractor “categorizes” data in specific folders upon processing based on the scanners specified in the job by the analyst. The default scanners look for information of interest in typical investigations (IP, hostnames, MACs, Credit Cards, URLs, and domains). Additional scanner features, and some of the most powerful, include –AES keys, -Net Scanner (carves network traffic), -Wordlist (pulls strings from data image) and –Stoplists (suppresses “known goods” from appearing in the output).
Figure 1 Sample Syntax for Bulk Extractor tool
For those analysts who prefer to use a GUI, Bulk Extractor does have a graphical user interface tool, BEViewer. The BEViewer reports pane displays the results of a Bulk Extractor job that can include default, wordlist, and net scanners in addition to the defaults. By using the viewer, an analyst can search through the output for specific keywords, viewing the data in hexademical or text view in the far right pane (Shown below).
The packets.pcap file can be opened with any network packet analysis tool. Realize that since these packets are pulled from a memory image, there are no time/ datestamps nor are there both sides of the “conversation”. From what I viewed, the memory images I parsed contained inbound packets with no time/datestamps.
Based on what was seen in the resultant pcap, I was able to detect an inbound packet, scanning this local system for a DNS vulnerability and provide this lead to the customer, who confirmed their pen-testing team had been active on the network.
Questions come to light based on this investigation, to include "Are there specific occasions when memory should be dumped locally not over the network in order to prevent trampling over network packets on the local system?” This is a consideration, especially in light of the lack of visibility into internal network traffic between hosts. Unless customers are capturing their own network traffic between subnets, the memory-bound packets may be the only evidence of anomalous activity between hosts.
More information on Bulk Extractor can be found at Simson Garfinkel’s website. We also put this tool through its paces in the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response as we work our way through investigating an enterprise-level compromise by a sophisticated adversary. Check it out at SANS Cyber Guardian in Baltimore, MD April 15 -20, 2013.
Submitted by Alissa Torres
- Join us on our 2nd ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library and we indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013