Prayer to Cron

Cron, I have never scripted you before.  I had no use for it.  No one, not even you will remember if your purpose was updates or backup, why we scripted or why you died.  No, all that matters is that you were working when I walked away, that’s what’s important.  Vim pleases you, Cron, so grant me one request, grant me Rsync! And if you do not ls, then to kill -9 with you!

Volatility and Memory forensics

My latest endeavor has been to figure out memory forensics using volatility or any other tool currently available.  We have a copy of Encase Forensics so I’m comparing and contrasting which is better.  It’s most likely that we will end up using both, but trying them out.  Currently the biggest problem I have noticed in the latest version of Volatility is that is does not meet current python standards.  It makes use of the sha module where sha has been replaced by the hashlib module.

So far the use of Volatility has not impressed me much.  Most of what I have encountered can be accomplished with Sysinternals tools.  There are a few things that I would find useful.  Sysinternals does rely on the internal libraries on a system that it is being run against, while Volatility will actually search the memory for items that are running.  This will give a forensic examiner the ability to check for hidden rootkits etc.. While I find this useful it appears to be ‘flaky’.  I’m planning on running some test comparisons with some Malware that is somewhat hidden within the system.  If I can compare what I see to what Volatility sees it may prove useful yet to make Volatility a standard in my forensic investigations.

Another interesting tool that I have found is PyFlag.  While this tool has not yet reached it’s 1.0 version it looks like it may be very useful.  Seeing as both these tools are written in Python I am more interested than some of the other tools that are currently available out there.

I prefer Python over other tools out there.  I have used multiple tools in Perl (there is a very good suite of tools available for Forensics as part of the book Windows Forensic Analysis Toolkit) and a handful of tools within the Ruby scripting language.

I’ll update this blog entry as I find research more information.  I have been working on my personal blog lately and neglecting the Archlinux blog.  I should be able to focus on both more frequently however.

Nessus Beta training

Tenable Network Security has started training via at-home style training.  Now while this doesn’t amount to a direct Archlinux post it does involve Arch in that many Arch users have installed or used Nessus in the past.

First my feelings on the Nessus training and the upcoming certifications that will be available. While everyone is doing it should they jump on board?  Does it really bring a value added resource to the community?  I’m not sure.  Many IT professionals are currently down on certifications.  While I would say that Nessus training is important I believe many will look down on another certification thrown in the ring.

With that being said: I say why not?  Qualys has a certification that is worthless.  I have it and the test along with the training was a joke.  The training I got from Nessus was decent and just as good if not better compared to what I had received from Qualys in person.  I started looking forward to the possibility of getting a Tenable certification and will watch the situation closely.

Though it was online and very basic I learned some things that I had not known. I was really impressed with the features of Nessus.  I have the book and I have used it, but I have only done the basics.  The training that I took (just the Fundamentals course) really opened my eyes to what it really is capable of.  Now if I only had another hour in the day or one more day in the week I would be set.

The training overall was very good.  The cons I would say are that it is extremely bandwidth intensive.  The training uses Adobe Captivate.  The program I was informed had a tendency to play the audio out of sync.  And it did.  Sometimes not even playing at all.  I tried at home during non-peak hours and it was fine.  So…    I also found that the tests had some input type questions that were having an issue with correct answers.  It seemed that I could not find the correct spacing for the answer and some were unclear about exactly what they wanted.  i.e. did it use the nasl module name or the nasl plugin number?  I tried cutting and pasting directly out of the nasl description and it didn’t help me.  I informed the moderator and he was looking into it.

The only aspect of the training that I would say should be worked in the future is the speaker.  His voice was monotone and it seemed as if he was reading a paper.  I know how hard it can be to produce a quality presentation with no audience so it may be something that just requires a bit of practice and work.

But coming from a Beta training I was really impressed.  Most Beta tests are clunky and constantly having issues.  This training had two tests out of I believe five that I felt had issues and they were very limited.  I definately did not expect the level of polish that it had.

Tenable was VERY responsive to my emails.  I generally got responses within the hour and they were very excited about any feedback they received.  I have taken online courses before where they didn’t care how it turned out.  They were not at all like that.

From my current experience I would recommend the training, but my experience with their training is limited to this single course.  I would love to see more from them in the future and glancing around the website it really looks as if that is planned.  So if you use Nessus or plan on it in the future I would recommend you keep an eye on their site.

I have been told that I will be included in an future training.  I would be happy to share my feelings on that as well.  When I get the next notice that the training is made available I will post it.  Unfortunately they only take the first 25 to email for the training.  I am thinking about creating a little flash presentation of my own slides, but again that will require a few more hours that I don’t have.

Blackberry Forensics with Arch

Hunting tools etc..  Here is what I have found.

OpenSync, Barry and then gathering the files from windows (IPD) and analyzing the files on linux.   A good paper is Mobile Device Forensics by Andrew Martin.    Still working.  I think I’m going to end up writing my own paper as analysis of intrusion on a Blackberry is limited.

Forensic Analysis of a Blackberry

Recently I had an investigation come up that was outside of what the Forensic community would consider the norm.  I am investigating a blackberry for malicious activity or software with no concern for illegal or immoral pictures, emails, videos etc..  Most software packages currently available are for locating the employ who is getting ready to get the pink slip.

With all that being said I could not use Paraben’s products or ABC Amber Blackberry Converter as they are just concerned with retrieving data and not with the activities of the software on the system.

Here is what I have found so far.

Blackberry Security: Ripe for the picking

Attack surface analysis of Blackberry

Guidelines on Cellphone forensics

PDA Forensics

Forensic Examination of a RIM device

After all that much of it had nothing to do with what I needed.  The first two were good Symantec papers.  The first being pulled by Symantec after one day of being online.  It was put up by Milw0rm a short time later.

Well that’s all for now.  I’ll post the some step-by-step shortly.

Mobile Phone Forensics & PDA Forensics Links

Virtual Box and Archlinux/C&A

For the sake of not being a post whore I am going to combine two blogs into one.  They are relatively simple, but not so short I can twitter them.

I had struggled with VMware for some time.  Probably way to long, before I decided to move on to virtualbox.  My only real reason being that I was familiar with VMware.

So using the instructions provided Here I had a difficult time installing using pacman.  The installation was successful, but on first run it would fail to start.  Hanging on the registration splash screen.  So I ran the pacman -R virtualbox-ose and followed the directions further down.  And WOOOHOOO I can haz windowz.

Umm, yes terrible lolcatz reference.  Almost as bad as the suggestion of putting windows on a linux system.  I have to have something to pentest though.  Why else would you install windows unless you deliberately wanted hole or to play games?  Now I can do both.

Moving on to post two or sub-post 1.

In the organization I work for we have to have everything Certified and Accrediated to be put on the network.  I agree with this 100%.  There are to many people out there that will load up anything without a care for what they put on the network.  With that being said the people who manage the C&A packages are morons.  They really only care about Windows.  They don’t care about BSD, Mac, or Linux.  They have approved Ubuntu and anything that is in the apt-get repository, but that is the only flavor that has been approved.  So they blanket approve anything in the repository without even bothering to look.   I don’t have a clue how many packages are available, but I know that there are some that should not be available to the average user on the network.  How many of them should be running port scans with NMap? Or wireshark? etc. etc.

[root@home]# pacman -Sy intelligence
:: Synchronizing package databases…
core is up to date
extra is up to date
community is up to date
intelligence package not found, searching for group…
error: ‘intelligence’: not found in sync db

It seems their repository does not contain that package.

Oh, and to top it all off.  One of the morons looked at my Arch box and said “Oh Ubuntu is approved you are OK”.  So they really don’t know the difference between flavors and kernels.

[root@home]# pacman -S clue
clue package not found, searching for group…
error: ‘clue’: not found in sync db

They don’t have that package either.

BING vs Google

Bing (But It’s Not Google) has been pushed by Microsoft as a replacement for Google, but I have not been impressed by the searches that I have attempted on it.

It doesn’t allow for the “hack” type uses that Google has.  At least in what I have found thus far and it does not provide anything more then Google.  It honestly looks as if BING uses Google to get their information.  Most searches done side by side return everything the same and in the exact same order.

So currently I don’t see any reason what so ever to start using BING over Google.  It doesn’t offer a single benefit other than it’s not Google, but I would much rather use Google then contribute to Micro$oft.

Training the future or is the Gov't starting to young?

An interesting article on Forbes about a new program or competition to get youth more involved in cyber security and bring potential candidates forward and into the eyes of those companies and agencies that can make the most use of their budding potential.

So what could be the problem with it?  In all honesty there are a few I’m sure that will make comparisons to the Nazi youth brigades.  In a way it is.  It’s a government sponsored program to groom kids for possible use in the future, but isn’t that what ROTC is?  I think what will really matter is the mindset that is taken.  If it’s used to find high potential candidates and enhance the governments defenses as well as benefit the candidate in providing knowledge then there is no problem.   I don’t think this program is meant to be a propaganda machine so there are no worries in my mind about that.

What I am concerned about is what happens to the washouts?  To think that other governments will not watch the outcome is niave to say the least.  Our government currently watchs the actions of youths in countries that are known to have malicious intent for the United States.  So why wouldn’t they take an interest in our program?  Say someone has an off day on their test?  Or misses a key piece of information because the screen was scrolling to fast?  But they are the best candidate for the position and they become resentful.  What would happen if they suddenly become malicious to the group that trained them?

That would never happen right?  We know that whenever someone leaves they are always on good terms.  There are military units in the world that when you leave you have to be registered with Interpol or other agencies, but can you legally do that with a minor?  Is a potential cyber terrorist as dangerous as a potential physical terrorist?

On top of all that with the abilities that some of these people will have should there be a psychiatric evaluation done on them?  I work with more than one person who needs that.  Sometimes I think we all do.

Well that’s my rant for the day.  Good potential, but with any governement program it will probably be over-regulated and run my some moron politician who will “know better” then any of the experts.  Then eventially closed down just when it’s starting to amount to anything.

Getting started with Archlinux blogging

Little bit about myself and my linux experience.

I started with Linux in 1999 roughly. I had picked up a second hand Red Hat book, installed it on my system and couldn’t figure out where to go from there. I would poke at it a little until 2002 when I had to use Red Hat(what was setup by someone else) to monitor a specific piece of equipment.

I switched over to slackware for a year or two, then through the recommendation of Scott Robbins I tried Arch. I haven’t looked back since.

I’m an Incident Handler for a Fortune 5 company. Doing mostly forensic analysis of suspected intrusions. I use arch to grep/awk through logs etc.. Everyone that I work with is a) Windows only b) Ubuntu nuts or c) dabbling in both. I do work with one Debian junky and I’m working on getting him converted over to Arch, but he’s resisting. ;)