Friday, April 30, 2010

Symantec Internet Security Threat Report (April, 2010)

Symantec has published their Internet Security Threat Report - both the Internet Security Threat Report: Volume XV: April 2010 and their Executive Summary.  Their annual report confirms many of the threat vectors we've heard about over the previous months, including PDF documents, ActiveX, web-based attacks, etc.  Included is a browser comparison, and more definitive information related to hacking, phishing, spam and botnets.

I have been looking for information which can be added to a presentation that I can present to various C-Level Executives.  Realizing that the focal points of said presentation are inevitably different from those directed at mid-level managers, I found such information within this report.  For example, on Pg. 48 of the full document, there is a bar graph detailing New malicious code signatures from 2002 - 2009.  The significance is obvious when you look at the graph.  The question is, however, can we translate this trend into additional resources to enhance IT/Information Security within an organization?

Thursday, April 22, 2010

Mac OSX Forensics becomes "The Apple Examiner"

For the last few years, has been a continuing reference source for my Mac-based forensic investigations.  The website has now changed names, and moved to The Apple Examiner Website.  The site is very nicely laid out, easy to understand and contains information on the newest of Apple technology.  I see a new area on iPhone/iPad/iPod.

I've been analyzing some iPhones lately, and instead of focusing on the (logical) information parsed out by Cellebrite and XRY, I've been throwing the images into FTK and EnCase.   FTK does a very good job parsing out the PLISTS for examination.  If you're more partial to EnCase, there is a PLIST parser on the Guidance Website (created 03/2010 by Simon Key) which can be downloaded from here  (you'll likely need an account to log into the Support Portal.)  Once these PLISTS have been parsed out, you cannot imagine the information forensically available within an iPhone.  I'm doing up some screenshots of how to bring the Physical Image into FTK and EnCase to preview it (you have to change a byte).  Of course, I maintain the original, and flip the byte on a copy.

Check out Ryan and Dave's website.  If you're interested in Mac Forensics, you HAVE to bookmark this one.

Monday, April 5, 2010

MoonSols Windows Memory Toolkit

Matthieu Suiche has "made the move in a new direction" and created a new website and toolkit. His new site/company is MoonSols.

Matthieu states:

MoonSols is releasing his first product called "MoonSols Windows Memory Toolkit". MoonSols Windows Memory Toolkit is the most advanced toolkit for Windows physical memory snapshot management.

MoonSols Windows Memory Toolkit had been designed to deal with Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 in both 32-bits and 64-bits (x64) Editions), Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions), and raw memory dump files (from memory acquisition tools like win32dd or win64dd, or Virtualization application like VMWare). Moreover, MoonSols Windows Memory Toolkit also contains new version of win32dd and win64dd.
Two versions are available - Community (free) and Professional (cost).

Matthieu's WinDD tool has been part of our lab's Incident Response toolset for almost 2 years now. I expect that testing of his toolset will be equally as effective as WinDD.

The continued R&D and commitment of persons like Matthieu (and several others) continue to move our profession forward - almost at a rate that is difficult to keep up with :)