Month: June 2007

Book Review: Windows Forensic Analysis

There are very few books on the topic of Windows forensic analysis, and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a “forensic” track in its training offerings, most forensic knowledge of Windows comes from on-the-job experience or tool-specific training offered by a vendor.

This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live running systems using commercial tools, tools native to Windows, and advanced Perl scripts which are provided on the accompanying DVD. Locard’s Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is referenced throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few.

Once you have collected your data, the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyze the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyze Windows files (working with event logs, common document formats, alternate data streams, etc.), analyze executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).

On the cover of the book the author has a quote by Troy Larson, Senior Forensic Investigator of Microsoft’s IT Security Group, which states:

“The Registry Analysis chapter alone is worth the price of the book.”

When I first received the book I thought “Wow, that’s a glowing recommendation,” and upon reading the book cover to cover I couldn’t agree more. I have yet to see a book which takes you through the intricacies of the Windows Registry in such a way that I, being a Linux person, could easily relate to.

The rootkit chapter was a little light on content, but the rest of the book makes up for it. There are books out there dedicated to rootkits, and I wouldn’t expect the author to provide a book that explains everything about everything and still expect people to be able to carry it with them.

The accompanying DVD contains the scripts mentioned in the book, some videos explaining the use of some tools, as well as a bonus folder that contains … well I’ll let you buy the book to find out what cool tools are provided.

This book should be on every analyst’s shelf, whether they perform Windows forensic analysis as part of their role or think that they might be called upon to do so in a pinch. I also think that this book is a fantastic supplement to any Microsoft training and any security training you may receive in the future.

I give this book 4.5 stars as it is easy to read and kept my interest throughout the entire book.

Do yourself a favor and pick up this book today.

Suggested Blog Reading – Friday June 8th, 2007

I know I say this on almost every Friday, but boy am I glad it’s Friday.

That being said, it was only a matter of time before I missed one of my Suggested Blog Reading posts. Being out of the country for the first half of this week certainly caused some bumps in my normal routine. Hopefully I’m back on track and shouldn’t miss another post 😉

I’d also like to take a moment to congratulate fellow blogger and CTO of WhiteHat Security Jeremiah Grossman on being named to the 2007 InfoWorld CTO 25 list. He’s in good company for sure.

Here’s the list:

How to rate the value of your websites (Road to Website Security part 2) – Part two in the series.

Part 1 (How to find your websites) of the series describes a process for website discovery. This piece (part 2) describes a methodology for rating the value of a website to the business that many of our customers have found helpful. Website asset valuation is a necessary step towards overall website security because not all websites are created equal. Some websites host highly sensitive information, others only contain marketing brochure-ware. Some websites transact millions of dollars each day, others make no money or maybe a little with Google AdSense. The point is we all have limited security resources (time, money, people), so we need to prioritize and focus on the areas that offer the best risk-reducing ROI.

Let’s talk vulnerability discovery – Another quality post by Jeremiah.

Last year I began talking about how vulnerability “discovery” is becoming more important than disclosure as we move into the Web 2.0 era. Unlike traditional software, web applications are hosted on someone else’s servers. Attempts to find vulnerabilities, even with honest intentions, on computers other than your own are potentially illegal. Eric McCarty and Daniel Cuthbert serve as examples, as covered by Robert Lemos from SecurityFocus. Whatever your opinion on the issues, few outside the web application security field appreciate the finer points or understand the potential long-term effects. People have been listening though.

stealth techniques – syn – Good review of how powerful hping is.

This is a series of three articles to come about stealth scanning. Everything that I am going to present is hping oriented, so if you want to learn these techniques you’d better get a copy of hping.
This method is invoked when you add the -sS parameter to nmap… so let’s start…

Encrypt a file in Windows – Reminder on how to hide your files from prying eyes.

If you’re sharing a computer with other users and don’t want them to read certain files, you’re going to need a decent protection mechanism. Fortunately, Windows provides a built-in encryption mechanism that protects your files at the file system level.

Windows Encrypting File System provides a file encryption technology used to store encrypted files on the NTFS file system. Once you encrypt a file or folder, you work with the encrypted file or folder just as you normally do. This means that you do not have to manually decrypt the encrypted file before you can use it.

On remote log injection attacks – Daniel actually showed me, on his laptop, just how easy it was to make this happen. I was amazed, as were the people running the projects involved, at how easy it was to inject bogus data. Luckily Daniel is a good guy and let the proper people know about the issue prior to releasing his paper 🙂

A fun paper on remote log injection attacks from Daniel Cid (of OSSEC fame): “the goal of this document is to show some of the most common problems with log injections that we need to be aware of when developing programs that parse log messages.”
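To make the problem class concrete, here is an added illustration (my own code, not from Daniel’s paper or OSSEC) of the simplest form of log injection: an attacker-controlled field that carries an embedded newline becomes a second, forged record to any parser that treats newlines as record boundaries. The syslog-style format, hostnames, PIDs and IP addresses are constructed sample values; the fix shown is to escape control characters before the record is written.

```python
import re

# Constructed sample: the "username" field comes from an untrusted source and
# smuggles a newline plus a forged syslog-style line. Illustrative data only.
FORGED_USERNAME = (
    "bob\nJun  8 10:00:01 host sshd[411]: Accepted password for root from 10.0.0.5"
)

# Minimal BSD-syslog-style record: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def naive_write(ts, host, prog, pid, msg):
    """Write a record with no escaping: an embedded LF becomes a record boundary."""
    return f"{ts} {host} {prog}[{pid}]: {msg}\n"


def safe_write(ts, host, prog, pid, msg):
    """Escape CR, LF and every other control/non-printable byte so the record
    stays on a single line and the injected text remains visibly part of it."""
    clean = "".join(
        ch if 32 <= ord(ch) < 127 else f"\\x{ord(ch):02x}" for ch in msg
    )
    return f"{ts} {host} {prog}[{pid}]: {clean}\n"


def parse(stream):
    """Split a log stream on newlines (as most parsers do) and return
    (program, message) tuples; lines that do not match are kept as 'unparsed'."""
    records = []
    for line in stream.splitlines():
        m = SYSLOG_RE.match(line)
        records.append((m.group("prog"), m.group("msg")) if m else ("unparsed", line))
    return records


def demo(writer):
    """Log one failed-login event through the given writer, then parse it back."""
    stream = writer(
        "Jun  8 09:59:58", "host", "sshd", 407,
        f"Failed password for invalid user {FORGED_USERNAME} from 192.0.2.7",
    )
    return parse(stream)


if __name__ == "__main__":
    print("naive:", demo(naive_write))   # two records, the second one forged
    print("safe: ", demo(safe_write))    # one record, newline shown as \x0a
```

With the naive writer the parser reports a successful root login that never happened; with the escaping writer the same input yields a single record whose payload still shows the injection attempt, which is what a detection rule should alert on.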

Recommended Windows Audit Logging Policy – This is a great post. People ask me all the time what types of events they should be logging. The ideal answer is “all logs,” but in some environments this isn’t possible or practical. This article gives you some good suggestions on key events to log.

Here is a great post from Randy Smith on preferred Windows logging policy. This is indeed a very common question we face: what logging to enable (my guide on what logging to enable to assist with PCI compliance is coming soon).

Priamos Project – SQL Injector and Scanner – Interesting tool to try out. There is also a demo video to learn more.

You can search for SQL injection vulnerabilities and inject a vulnerable string to get all database names, tables and column data with the injector module.

You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).

Matasano Preps ‘Firewall Mixer’ – I’m anxious to give this a try. Since it runs on VMware it will be quite easy to evaluate and implement.

The new Clockwork software, currently in beta, provides centralized and easier-to-understand control and change management for multiple vendors’ firewalls. Firewalls are typically manually configured and managed separately. “The problem enterprises have is that they have 200 firewalls from multiple vendors and no control or change management for what the rules are, let alone any understanding of what all those rules mean and why they’re there,” says Thomas Ptacek, principal and founder of Matasano.

Suggested Blog Reading – Thursday June 7th, 2007

It’s amazing how much work can accumulate when you’re only gone from the office for two days. You can see from the short list of items today that I wasn’t overly impressed with the content out on the blogosphere. Once you weed out all of the postings about the IBM acquisition of Watchfire and the Julie Amero trial you’re not left with much to talk about 🙂

Here’s the list:

How to Deploy Vista Security—Piece by Piece – I have yet to install Vista, but the improvements do make it sound… finally usable 😛

There’s a bushel of security enhancements in Windows Vista—they comprise the most important aspect of the new operating system and the most compelling reason to upgrade, analysts say—but they’re not all perfect, nor are they silver bullets.

Common Event Exchange Formats – XDAS – Wow…this article brings up nearly all of my comments and concerns about “common” formats. Check it out.

CEE, the Common Event Expression standard, is a work in progress led by Mitre. I was one of the founding members of the working group, and I have been in discussions with Mitre and other entities for a long time about common event formats. Anyways, one of the comments to my blog entries pointed to an effort called Distributed Audit Service (XDAS). I had not heard of this effort before and was a bit worried that we started something new (CEE) where there was already a legitimate solution. That’s definitely not what I want to do. Well, I finally had time to read through the 100! page document. It’s not at all what CEE is after. Let me tell you why XDAS is not what we (you) want:

Could I Have a Side of Fries With That Security Please? – Interesting awareness idea.

Now, I’m not saying you should go out and buy McDonald’s biscuits and burgers, attach a security or privacy motto to them, and hand them out to everyone. Not only would the vegetarians likely be upset, but what company has an information security education budget to be able to afford that? Unless you could get the local McDonald’s…or Culver’s (my personal preference), or Dairy Queen, or Subway, or whatever…to donate enough of their tasty tidbits. Hmm…there’s an idea…

2007 Log Management Survey Detailed – I’m not shocked by the results. Everyone I speak with on the topic indicates that compliance is a primary driver for acquiring a log management solution.

Turns out that despite its importance, security is not the prime motivation for log management. More than half of those surveyed reported operations management and monitoring the health of the network as the prime motivation for using log data. And, 43% indicated compliance with SOX, PCI and other mandates as the top priority.
