Monday, September 30, 2013

Howto - Creating a ZIP file of LRUP outputs

One of the requests I got was to combine the output of all the text files and compress it, so that a single file can be sent by the user from their machine to the IR analyst.

If you want to use an external tool like 7-Zip that can be driven from the command line, this is easy to implement. However, if you want to use a built-in tool or a script, there are multiple options.

There is a CodePlex project for this; check out http://powershellzip.codeplex.com/

As another option, take a look at David Aiken's post on MSDN.

The relevant portions of that code, along with the option to combine the various text files, are listed below:

function New-Zip
{
    param([string]$zipfilename)
    # An empty ZIP is just the end-of-central-directory record: "PK" 0x05 0x06 followed by 18 zero bytes.
    set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
    (dir $zipfilename).IsReadOnly = $false
}

new-zip $UserDirectory\desktop\$CompName-$User-$Date.zip

function Add-Zip
{
    param([string]$zipfilename)

    # Create the empty archive if New-Zip was not called first.
    if(-not (test-path($zipfilename)))
    {
        set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
        (dir $zipfilename).IsReadOnly = $false
    }

    # Use the Windows Shell "compressed folder" COM object, so no extra tools are needed.
    $shellApplication = new-object -com shell.application
    $zipPackage = $shellApplication.NameSpace($zipfilename)

    # $input holds the files piped in from gci. CopyHere is asynchronous, so pause
    # briefly after each file to let the shell finish writing it before adding the next.
    foreach($file in $input)
    {
        $zipPackage.CopyHere($file.FullName)
        Start-sleep -milliseconds 500
    }
}

gci $UserDirectory\desktop\$CompName-$User-$Date-Level1.html | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-HostsFile.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-OpenFiles.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-AuditPolicy.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-FirewallConfig.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip


#Clean-up routine: remove the individual output files now that they are in the ZIP

rm $UserDirectory\desktop\$CompName-$User-$Date-Level*.html

rm $UserDirectory\desktop\$CompName-$User-$Date-*.txt
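As an added example (not the post's or the LRUP project's code), here is the same packaging done with the .NET ZipFile class, which writes the archive synchronously instead of relying on CopyHere and Start-Sleep, adds a SHA-256 manifest so the analyst can check that the outputs were not altered in transit, and confirms every file is inside the ZIP before the clean-up deletes the originals. It assumes PowerShell 3 or later with .NET 4.5, and the $UserDirectory, $CompName, $User and $Date variables LRUP uses; the function name Compress-LrupOutputs and the manifest file name are my own.

```powershell
# Added example (not the post's or LRUP's code). Assumes PowerShell 3+ with .NET 4.5+, and the
# $UserDirectory/$CompName/$User/$Date naming used by LRUP; the sample values below are constructed.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Compress-LrupOutputs {
    param([string]$OutputPrefix, [string]$ZipPath)

    # Same files the post adds one by one: the Level*.html reports and every .txt output.
    $manifestPath = "$OutputPrefix-SHA256SUMS.txt"
    Remove-Item $manifestPath, $ZipPath -ErrorAction SilentlyContinue   # leftovers from a failed run
    $files = @(Get-ChildItem -Path "$OutputPrefix-Level*.html", "$OutputPrefix-*.txt")
    if ($files.Count -eq 0) { throw "No LRUP outputs found for prefix $OutputPrefix" }

    # SHA-256 manifest so the IR analyst can confirm the outputs were not altered in transit.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $manifest = foreach ($f in $files) {
        $stream = $f.OpenRead()
        try { $hex = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '').ToLower() }
        finally { $stream.Close() }
        "$hex  $($f.Name)"
    }
    Set-Content -Path $manifestPath -Value $manifest -Encoding ASCII
    $files += Get-Item $manifestPath

    # Write the archive synchronously: no CopyHere/Start-Sleep timing guesswork.
    $archive = [System.IO.Compression.ZipFile]::Open($ZipPath, 'Create')
    try {
        foreach ($f in $files) {
            [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($archive, $f.FullName, $f.Name)
        }
    } finally { $archive.Dispose() }

    # Only delete the sources once every expected entry is confirmed inside the ZIP.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try { $entries = @($zip.Entries | ForEach-Object { $_.Name }) } finally { $zip.Dispose() }
    $missing = @($files | Where-Object { $entries -notcontains $_.Name })
    if ($missing.Count -gt 0) { throw "ZIP is missing: $(($missing | ForEach-Object { $_.Name }) -join ', ')" }
    $files | Remove-Item
    return $ZipPath
}

# Constructed usage with the post's variable names; nothing is deleted unless the ZIP checks out.
$UserDirectory = $env:USERPROFILE; $CompName = $env:COMPUTERNAME; $User = $env:USERNAME
$Date = Get-Date -Format yyyyMMdd
$prefix = "$UserDirectory\desktop\$CompName-$User-$Date"
Compress-LrupOutputs -OutputPrefix $prefix -ZipPath "$prefix.zip"
```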



Friday, August 30, 2013

LRUP Code published

The code used in the paper is now available from the CodePlex site.

https://infosecnirvana.codeplex.com/

This is version 2.0, which is optimized for PowerShell V2. All new updates will be available at the CodePlex site from now on.

Comments and suggestions can be posted here.




Friday, August 23, 2013

SANS Gold paper on PowerShell


I have been working on a paper for the SANS Gold certification. The topic I chose was Live Response using PowerShell.

It was a great experience writing it and learning a great deal about the Windows operating system and PowerShell.

Finally, early this week I got the confirmation from SANS that it has been approved and published.

The paper is available on the SANS Reading Room web site, and a direct download is available here.

Look for more details on the code and other developments in later posts.

Saturday, July 27, 2013

Programming knowledge in the field of DFIR

Harlan recently blogged about programming knowledge in the DFIR field; the link is here. It made me reflect on my own experience with scripting and how it helped me gain more knowledge.

I started learning Unix shell scripting when I was working as a system administrator. For sysadmins it is an invaluable tool to automate both simple and complex tasks. Later, as a network administrator, scripting knowledge came in handy for automating tasks such as device monitoring using SNMP, configuration backup, making simple configuration changes, log analysis, etc.

When I moved to the DFIR field many years ago, scripting knowledge came in handy particularly in log analysis. When you have months of Apache, proxy and firewall logs to sift through, knowledge of scripting becomes extremely useful. Other areas where it is useful include PCAP analysis, Snort device management, manipulating outputs from scanning tools such as Nmap, getting system statistics, doing quick analysis of a system during or after an incident, forensic analysis, etc.

In order to make a script or program work, you need a deeper understanding of the system, and in that process you seek more knowledge. In my view it helps you immensely in any area of work as a technology professional. As Harlan pointed out, you don't need to be an expert programmer; you just need to know the fundamentals and have an aptitude for learning. With that basic knowledge, when there is a need to do something that is not currently supported or offered by existing tools, you can create your own steps to achieve that task. It may not look pretty in the eyes of an expert programmer, but as long as it satisfies your requirement, you are good to go.

If you are a Unix person, start with shell scripting and then learn Perl and/or Python. If you are a Windows person, PowerShell is an extremely useful tool and scripting language for automating a multitude of tasks. It is getting more popular as Microsoft bundles it with most of their new products. If you are from a Unix shell scripting background, it would be really easy to learn PowerShell, as they use similar concepts. Even otherwise, it is a simple language to learn.

As scripting and automation is a subject of immense interest to me, I started learning PowerShell a while ago. I hope to show some of the usefulness of PowerShell in the coming weeks.

Saturday, February 11, 2012

New NIST draft document - Computer Security Incident Handling Guide


NIST released a new draft document on Computer Security Incident Handling. This is the second revision of the original document, which was released in 2008.
This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents.


It is a great reference document both for folks trying to implement a new program and for folks looking to tweak their existing program.
Here is a list of the major recommendations:
  • Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security.
  • Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications.
  • Organizations should document their guidelines for interactions with other organizations regarding incidents.
  • Organizations should prepare generally to handle any type of incident and more specifically to handle common incident types.
  • Organizations should create written guidelines for prioritizing incidents.
  • Organizations should use the lessons learned process to gain value from incidents.
The document is available from the following link.


NIST requests comments on this document by March 16th, 2012. If you would like to submit comments, send them to "800-61rev2-comments@nist.gov" with "Comments SP 800-61" in the subject line.

Sunday, January 29, 2012

Registry Decoder - A new registry analysis tool


Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.

It is quite similar to Harlan's RegRipper. It can perform analysis on a live system as well as on saved hive files. To acquire the currently in-use registry files, Registry Decoder creates a System Restore Point on the target machine. This 'freezes' the current registry files and generates a read-only backup of them.


In the current version, the offline component is able to process a number of evidence types including:

1. Individual registry files
2. Full disk images
3. Partition images
4. Databases created by the online acquisition component of Registry Decoder

The analysis tasks it performs include:

1. Hive viewing
2. Hive searching
3. Plugins (currently 30 plugins)
4. Hive differencing, to find the differences between two registry hives
5. Reporting

The online acquisition component can be accessed at http://code.google.com/p/regdecoderlive/ and the offline analysis component at http://code.google.com/p/registrydecoder/.

Some of the screenshots from my system are below:







Sunday, December 4, 2011

Club Penguin data loss

Club Penguin is an online gaming site that offers a virtual gaming world for kids. It also offers the players a limited form of social networking, which made it very popular among kids.

DataLossDB recently published a data loss involving this gaming site, in which 309 usernames, e-mail addresses, passwords and IP addresses were dumped on the Pastebin site by a hacker (or hackers).

The links to the DataLossDB and Pastebin entries are below. If your kids have accounts on Club Penguin, I highly recommend changing the passwords immediately.

http://datalossdb.org/incidents/5050-309-usernames-e-mail-addresses-passwords-and-ip-dumped-on-web-by-hacker

http://pastebin.com/Bzxpc1RF




Saturday, December 3, 2011

InfoSec - Weekly Roundup


  • Mandiant released a new version of their popular memory analysis tool, Redline. Redline accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Read the related blog post below.

  • The NSRL database is being updated. "The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations." The link for the NSRL database is below.
          http://www.nsrl.nist.gov/

  • The FTC recently reported that Facebook has agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. Check the link below from the FTC for more information.
          http://www.ftc.gov/opa/2011/11/privacysettlement.shtm

  • The big risk item people are talking about is the Carrier IQ key-logging software installed on many phones, which allows the carriers to gather many details of your browsing habits. More information is available at the links below.

          http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/?mod=snippet



Sunday, October 30, 2011

Impact of malware - Scientific American magazine article

Scientific American magazine published an article on the impact of malware and what we can do about it.

Here are some quotes from the article.

"We don't actually know how to scan for malware. We can't stop it, because we can't find it. We can't always recognize it even if we are looking right at it."
"Like a thriller character who discovers he doesn't know whom to trust, cybersecurity experts start running through the options."

This is a very interesting article and, if nothing else, it helps spread awareness. I have reported in my blog multiple times on how the mainstream media is covering new types of attacks and privacy issues. Now other types of media have started covering these issues as well. The more aware general Internet users are of these issues, the better prepared they will be.

The article link is below:

http://www.scientificamerican.com/article.cfm?id=a-cybersecurity-nightmare


Wednesday, October 26, 2011

Vulnerable web applications

One of the readers asked about vulnerable web applications preconfigured for research and testing purposes. Here is the list I have used in the past: