Professional development: The process of increasing the professional capabilities of one's self by attending training or meetings of like-minded professionals who are willing to share information and techniques.
This week I'm attending a FEMA course called "Cybersecurity: Incident Handling and Response". So far it has been review but it looks promising for the next 3 days. It is a free course if one is in your area but seating is limited. I recommend checking it out. I'll provide a full review after the course is over.
If you've been following the blog you know that I am a major proponent of professional networking. It's a great way to meet people that you may be able to employ or gain employment from; there are also lots of people that just know a lot about security, forensics, hacking, etc. that are willing to share ideas and tips. I had no idea that there was already a group of these people that meet regularly here in Helena and have for some time. Two hours into class and I had an invite to the local DEFCON group. First Friday of the month at the best sandwich shop in town? Done. It simply can't hurt to get yourself known inside local circles.
Speaking of DEFCON, I'll be attending in Las Vegas this year. It will be the first time I've ever attended any kind of hacking conference and I'm pretty stoked to check it out.
Tuesday, May 25, 2010
Thursday, May 6, 2010
Baby Steps
Getting into digital forensics is a tough job. Writing about it regularly is even tougher. Since passing the exam, I have been working on a marketing package to pass out around town, had meetings with my bosses trying to convince them that "Yah. Really. We can charge $225/hr and up for these services", landed my first official retainer fee, set up a proposal for e-discovery work and performed my regular myriad of break-fix, server upgrade and auditing work. I've also helped produce an outline for a book idea with my good friend and forensic-y mentor Chris and sent in a column idea to Into the Boxes. It's been a bit of a whirlwind, but never you mind. I live to serve.
I was contacted by a civil defense lawyer about the feasibility of admitting all the content of a Yahoo user group into court. I mulled it over a bit and tried out a few techniques I've learned over the years for dumping websites, did a little proof-of-concept and turned in an estimate for work. This could turn into a significant amount of work sorting, searching and carving usable info for the defense. I accomplished my proof of concept using a combination of freebie web tools and some yellow-belt linux kung-fu. If I land it and wind up doing all the work I'll be sure to post a more in depth analysis.
I updated my resume, wrote a Curriculum Vitae, created a sheet of services my company can offer and turned it all over to our technical writers and marketing people. I hope I don't get a pile of useless mush with pretty colors back.
Tuesday, April 20, 2010
It can be done!
91.3%. Well above the passing grade. It feels good to earn a certification like GCFA. Especially when there are only ~2000 in the entire world.
So what's next?
I've been in study mode for several months so I've decided to just keep on going and start studying for the CISSP exam. I was studying for the exam about 3 years ago when I changed jobs. At the time there was no need for me to carry a certification like that and my company wasn't really interested so I dropped it. I wish I had just forged ahead alone and done it. At any rate, I still have the "All-in-One" CISSP study guide and I'll be ready for the test in a few more months.
I'm also going to start working my local contacts for some forensics work and push towards "Expert Witness" status. It will be a big deal to get a few cases on my Curriculum Vitae and be able to help out some of the area lawyers with cases involving computers, media and any other digital devices. Mobile forensics seems like a niche worth exploring although I can't imagine a lot of steady work coming from it.
I was invited to contribute to "Into the Boxes" which is pretty exciting. I would love to contribute but I'm having a hard time coming up with a topic that won't make me seem like the village idiot compared to the rest of the guys writing for it. I'm open to suggestions on that front.
Chris has started a new blog series on command line vs. GUI tools. I may play devil's advocate just for fun. We'll see what he posts later in the week.
Keep studying, keep practicing, I'm still here to help.
Grayson
Tuesday, April 6, 2010
Studying for the GCFA certification: Part 2
Last post I gave you some books to read, let's move on to web resources.
Blogs:
The forensics community is not very large but many of the people in it are more than happy to share the latest developments in hardware, software and techniques. If you search Google for "computer forensics blogs" you come up with a fairly long list of related blogs. Some of them are geared towards hardware reviews and others towards tool usage. Many are by the same people that wrote the books I mentioned last post. My best advice is to follow a couple that suit you and follow the cross-links from each blog.
For example: My blog has a link to "The Digital Standard" written by Chris Pogue, his blog is linked to "Windows Incident Response" written by Harlan Carvey, his blog is linked to the official SANS blog and so on, and so forth. These guys write regular posts about installations, incidents, tool suites and plain old opinion. There are more than a few tasty informational nuggets on their sites. After you take a practice test or two, you'll start to find discussions related directly to best practices and tool usage that you will likely see on the test.
Friday, April 2, 2010
Studying for the GCFA certification: Part 1
I'm scheduled to take the GCFA certification test on April 13th. I have been studying non-stop since right after the New Year. (Call it a resolution if you'd like.) I took a practice test last week and scored 86%. I was pretty happy with that score considering I'm learning it under self-study.
Before you take any of the SANS practice tests you are required to sign a legal notice regarding divulging any test questions and their ethics standards. (See: have some, or look for a new field.) If you landed on this post hoping for a brain dump or a list of the hard test questions, move along, there is nothing to see here.
If you're looking for an overall view of the type of materials you need to study and the background that computer forensics requires, stick around, I may be able to help.
Sunday, March 28, 2010
Malware Case : Concluded
Let me preface this entry by stating that I did NOT follow all of the standard procedures that you would for a real case. I used this situation in an attempt to hone my skills and test my own capability to solve a case like this on a live machine. I did not produce a chain of custody, I did not interview staff members, I didn't take very good notes or record all my commands.
After I captured a full image of the hard drive using ftk-lite, I went ahead and used the installed antivirus solution and Malwarebytes Anti-Malware to scan and clean the original hard drive.
The first step of my investigation was to mount my USB disk with the acquired images (read-only) on my Ubuntu workstation. I then mounted the image file itself to a folder I created and shared via Samba. Then I mapped a drive to the Samba share from my Windows XP workstation. This allows me to run scans and poke around the image as if it were a regular old network share; very slick if you have Windows forensic tools that you like to use. I knew I was looking at a malware incident so I fired off MBAM and scanned the read-only file system. Malwarebytes' default action is to report only, and it produces a very simple log file when the scan is complete.
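The mount-and-verify workflow from this post, as an added example that is not the author's own script: it mounts a raw image read-only at the partition offset, prints a read-only Samba stanza for the Windows box, and hashes the image so you can show it was not altered. It assumes a raw (dd-style) image with an MBR partition table and 512-byte sectors; the image path, starting sector and mount point are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own script): mount a raw disk image read-only on a
# Linux workstation, share it read-only over Samba, and prove the image was not
# altered by hashing it before and after the examination.
# Assumptions: raw (dd-style) image, MBR partition table, 512-byte sectors;
# the paths and the starting sector are placeholders you replace per case.

# Byte offset of a partition from its starting LBA sector (MBR, 512-byte sectors).
# Find the sector with `fdisk -l image.dd` or `mmls image.dd`; XP-era disks often start at 63.
part_offset() {
    echo $(( $1 * 512 ))
}

# Mount options that keep the evidence pristine: read-only, via a loop device at
# the partition offset, with no executables, device nodes or setuid bits honoured.
mount_opts() {
    echo "ro,loop,noexec,nodev,nosuid,offset=$(part_offset "$1")"
}

# SHA-256 of the image file (record this in your notes before touching anything).
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if the image still matches the recorded hash, 1 if it changed.
verify_unchanged() {
    [ "$(image_hash "$1")" = "$2" ]
}

# Minimal smb.conf stanza exposing the mount point to the Windows analysis box read-only.
samba_share() {
    printf '[%s]\n  path = %s\n  read only = yes\n  browseable = yes\n  guest ok = no\n' "$1" "$2"
}

# Usage: sh mount_evidence.sh /media/usb/case01.dd 63 /mnt/case01
# (run as root; the USB disk holding the image should itself be mounted ro)
if [ "$#" -eq 3 ]; then
    image=$1; start_sector=$2; mnt=$3
    before=$(image_hash "$image")
    echo "pre-mount sha256: $before"
    mkdir -p "$mnt"
    mount -o "$(mount_opts "$start_sector")" "$image" "$mnt" || exit 1
    echo "mounted $image at $mnt; add this to smb.conf:"
    samba_share "$(basename "$mnt")" "$mnt"
    # After unmounting, re-check to show the examination changed nothing:
    # verify_unchanged "$image" "$before" && echo "image unchanged"
fi
```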
Friday, March 19, 2010
Malware case: Day 1
Here's the case:
A customer of mine called today because they suspect they have a virus or other malware. I picked up the machine and am capturing an image with FTK-Imager-lite as we speak. I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was. I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.
Case background:
Customer complaint of popups and slow overall performance on March 18th 2010.
Collected PC in a powered-down state from the customer site March 19th at 0945.
Extracted hard drive at 1200 March 19th.
Mounted read-only on my Ubuntu workstation at 1205 and began imaging with FTK-lite from a WinXP VM at 1212, raw image format, dumping to a Fantom 1 TB USB drive formatted NTFS, clean wiped using dd.
Estimated image completion time is ~12 hours.
Infected machine specs:
HP DX2300/XP Pro SP3/Trend Micro Antivirus/1 GB RAM/Core2 Duo/160 GB SATA HD
Once imaging is complete I will boot up the machine and capture RAM using Memoryze for later analysis.
Any and all suggestions are welcome.
More to follow....