Sunday, March 28, 2010

Malware Case: Concluded


Let me preface this entry by stating that I did NOT follow all of the standard procedures that you would for a real case. I used this situation in an attempt to hone my skills and test my own capability to solve a case like this on a live machine. I did not produce a chain of custody, I did not interview staff members, I didn't take very good notes or record all my commands.

After I captured a full image of the hard drive using ftk-lite, I went ahead and used the installed antivirus solution and Malwarebytes Anti-Malware to scan and clean the original hard drive.

The first step of my investigation was to mount my USB disk with the acquired images (read-only) on my Ubuntu workstation. I then mounted the image file itself to a folder I created and shared via Samba. Then I mapped a drive to the Samba share from my Windows XP workstation. This allows me to run scans and poke around the image as if it were a regular old network share, which is very slick if you have Windows forensic tools that you like to use. I knew I was looking at a malware incident, so I fired off MBAM and scanned the read-only file system. Malwarebytes' default action is to report only, and it produces a very simple log file when the scan is complete.
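As an added example (not code from the original post), here is a small POSIX shell script that covers the workflow described above: checking the acquired image's hash against the value recorded at acquisition before and after analysis, building the read-only loop mount command for a partition inside a raw image, and rendering the Samba stanza that exposes the mount point as a read-only share. The image path, mount point, share name and the start-sector/sector-size values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the read-only
# mount-and-share workflow. Paths, share name and the partition geometry
# below are constructed assumptions for illustration only.

# Byte offset of a partition inside a raw disk image, from its start sector
# (as reported by fdisk or a similar partition-table tool) and sector size.
image_offset() {
    # $1 = start sector, $2 = bytes per sector (512 for disks of this era)
    echo $(( $1 * $2 ))
}

# SHA-256 of the image, so the analyst can confirm it still matches the hash
# recorded at acquisition before (and again after) any analysis.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare the current hash of the image against the acquisition hash;
# prints MATCH or MISMATCH so it can be logged in the case notes.
verify_image() {
    # $1 = image path, $2 = expected hash
    if [ "$(image_hash "$1")" = "$2" ]; then echo MATCH; else echo MISMATCH; fi
}

# Render the smb.conf stanza that shares the mounted image read-only;
# "read only = yes" is the setting that protects the evidence from the
# Windows tools scanning it over the share.
samba_share_stanza() {
    # $1 = share name, $2 = mount point
    printf '[%s]\n   path = %s\n   read only = yes\n   browseable = yes\n   guest ok = no\n' "$1" "$2"
}

# Build the mount command (printed rather than executed) so it can be
# reviewed before running it as root: loop device, read-only, no executables,
# offset pointing at the partition inside the raw image.
mount_command() {
    # $1 = image, $2 = mount point, $3 = start sector, $4 = sector size
    echo "mount -o ro,loop,noexec,offset=$(image_offset "$3" "$4") $1 $2"
}

# Demonstration on a constructed image: a 1 MiB file of zeros stands in for
# the acquired disk image, so this runs offline and without root.
demo() {
    dir=$(mktemp -d)
    dd if=/dev/zero of="$dir/case.dd" bs=1024 count=1024 2>/dev/null
    acq=$(image_hash "$dir/case.dd")            # hash "recorded at acquisition"
    echo "$acq  case.dd" > "$dir/case.dd.sha256"
    verify_image "$dir/case.dd" "$acq"          # MATCH
    mount_command "$dir/case.dd" /mnt/case 63 512
    samba_share_stanza case /mnt/case
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the output on the constructed image; the printed mount command needs root and a real image, and `testparm -s` will validate the stanza once it is pasted into smb.conf. Re-hashing the image after the scans finish and comparing against the acquisition hash is the cheap way to show that the read-only mount and share actually held.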

Friday, March 19, 2010

Malware case: Day 1

Here's the case:

A customer of mine called today because they suspect they have a virus or other malware. I picked up the machine and am capturing an image with FTK-Imager-lite as we speak. I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was. I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.

Case background:

Customer complaint of popups and slow overall performance on March 18th 2010.
Collected PC in a powered down state from the customer site March 19th at 0945
Extracted hard drive at 1200 March 19th.
Mounted the drive read-only on my Ubuntu workstation at 1205 and began imaging with FTK-lite from a WinXP VM at 1212: raw image format, dumped to a Fantom 1 TB USB drive formatted NTFS after being wiped clean with dd.
Estimated image completion time is ~12 hours.

Infected machine specs:
HP DX2300/XP Pro SP3/Trend Micro Antivirus/1GB RAM/Core2 Duo/160GB Sata HD

Once imaging is complete I will boot up the machine and capture RAM using memoryze for later analysis.


Any and all suggestions are welcome.


More to follow....

Thursday, March 18, 2010

When is it too early to specialize?

Incident Response, Crime Lab, Expert Witness for Defense, Private Consulting.

These are all very real career possibilities. The question is "When is it too early to choose a speciality?". Considering my small town life, my path will most likely be all of the above. No one is doing Incident response here, the DOJ and State sporadically contract out forensics work, most lawyers have a hard time interpreting the reports they receive from the crime lab and I'm already a consultant. All of it sounds good as experience on a resume, but do I run the risk of never becoming particularly good at any one of these things?

Companies aren't exactly clamouring for entry-level forensic analysts who work from home.

I guess we'll just have to see.

Tuesday, March 16, 2010

The start of a journey.

I'm a few short weeks from taking (and hopefully passing) the GCFA exam. I have been reading and studying everything I can get my hands on for more than 3 months to try to scratch the surface of the Computer Forensics field. I'm fortunate to know a handful of people already working as incident responders and investigators who have been willing to send me reading lists, blog links, old reports and class notes to study and review. Even with all of this it's difficult to know how to prepare for an exam encompassing such a broad field.

I'm already torn between the excitement of catching a hacker in the act or helping put away a creep that desperately deserves it, and the sheer boredom that is cyber-terrorism law and file allocation tables. I'm also torn by who I see working in the field. There seems to be a huge divide between those who innovate, experiment and further the possibilities and those who are happy pointing and clicking their way to a paycheck. I'd like to think that with a few years of experience under my belt I won't want a push-button forensics job. There is way too much to explore in a field that is just now coming into its own.


For now, I'm the new guy.

Wish me luck.