Java deployment cache index files  

Page 1 / 2
keydet89
(@keydet89)
Community Legend

Is anyone analyzing the subject files for indications of an initial infection vector? If so, what are the commonalities you're seeing?

Posted : 05/02/2013 11:33 pm
keydet89
(@keydet89)
Community Legend

Bueller?

Posted : 06/02/2013 1:51 am
BitHead
(@bithead)
Community Legend

Um, he's sick. My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

Posted : 06/02/2013 3:14 am
keydet89
(@keydet89)
Community Legend

I heard that he passed out because he saw what my IDX parser could do and was so amazed. He was so excited that he then ran all the way to 31 Flavors, had an ice cream, developed hyperglycemia, and passed out again! o*g!

Glad to see you're parsing the *.idx files and your stuff is all locked tight, BitHead.

Posted : 06/02/2013 5:17 am
BitHead
(@bithead)
Community Legend

In all seriousness I personally have not had a cause to examine Java deployment cache index files. Yet.

Posted : 06/02/2013 10:46 am
keydet89
(@keydet89)
Community Legend

Interesting.

So, you may be concerned with malware on a system, but not so much as to how it got there?

I try to raise these topics for discussion, and the reason for doing so hit me last night. I was contacted by a member of LE (on the federal level) as one person amongst several in the email "To" field…this examiner has some misconceptions with respect to shellbag analysis that led to some pretty significant confusion…the kind that you find when you've gone too far down the wrong rabbit hole. I don't think that the folks doing the research could have anticipated the questions the examiner had, nor foreseen the assumptions that were made. This is why I tried multiple times to get a discussion going on the topic in this forum…

Posted : 06/02/2013 6:13 pm
joachimm
(@joachimm)
Active Member

Harlan, can you elaborate a bit on the misconception, might be a useful learning experience for others as well.

Posted : 07/02/2013 12:50 am
jhup
(@jhup)
Community Legend

Elucidate please.

Malware is not my bucket of things per se, but definitely can get a few guys interested if you can give me some more fodder.

Do you have more than already out there?

Posted : 07/02/2013 12:59 am
keydet89
(@keydet89)
Community Legend

jhup,

Here's a good start:
http://windowsir.blogspot.com/2013/02/binmode-parsing-java-idx-files-pt-trios.html

The ForensicsWiki page that you linked to is an excellent resource that Joachim compiled. However, like many technical resources the format specification will only get you so far.

A while back, Corey Harrell posted here:
http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html

You'll notice that at that point, Corey tied an *.idx file to the malware infection, but wasn't able to get much further. Now, we have tools to parse these files, and as you can see from my post, Corey provided a sample of the file so I could parse it and provide the information.

The format spec is a great start, and allows tools to be written. Then, analysts can start using the tools and begin to see how to use the data…well, that doesn't really happen often, so what I was trying to do was bridge that gap and illustrate how to build on the format spec to not only develop tools, but analysis techniques.

Posted : 07/02/2013 1:15 am
joachimm
(@joachimm)
Active Member

I don't know, I often use format specs in analysis as well. Tools often cover the common basics of the format.
This approach has allowed me to make very interesting findings, with e.g. the PST conversation index, partial emails in Windows Search databases, recovering NTFS compressed files, etc.

Agree that a file format does not make much sense if you don't understand what it is used for.

Although I'm not the audience Harlan writes for, I think he makes a great effort to reach out to the community to try to bridge that gap. Whereas I like to increase that gap by spitting out more file format specifications 😉

Posted : 07/02/2013 1:52 am
BitHead
(@bithead)
Community Legend

Interesting.

So, you may be concerned with malware on a system, but not so much as to how it got there?

No I just have not encountered a case where malware analysis has been necessary.

Posted : 07/02/2013 8:27 am
joachimm
(@joachimm)
Active Member

No I just have not encountered a case where malware analysis has been necessary.

So in a case you never check if a system contains malware? If so, are you in e-discovery?
If not, what are you using, a virus scanner?

Ever heard of the trojan horse defense?
https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf

Posted : 07/02/2013 10:19 am
BitHead
(@bithead)
Community Legend

So in a case you never check if a system contains malware? If so, are you in e-discovery?
If not, what are you using, a virus scanner?

Ever heard of the trojan horse defense?
https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf

If you are investigating a fraud case do you look for malware? If so why?

If you are investigating a drug trafficking ring do you look for malware? If so why?

And even if you scan an image with A/V to protect your analysis system, does the presence of a virus or other piece of malware always impact the case?

The trojan defense is as ridiculous as the Chewbacca defense.

Posted : 07/02/2013 6:51 pm
keydet89
(@keydet89)
Community Legend

If you are investigating a fraud case do you look for malware? If so why?

Someone may claim the Trojan Defense. Seriously…yes, files were exfil'd from the box, but I didn't do it, it was the result of a virus or Trojan that had infected my system.

If you are investigating a drug trafficking ring do you look for malware? If so why?

Perhaps, it depends on what the 'customer' asks.

And even if you scan an image with A/V to protect your analysis system, does the presence of a virus or other piece of malware always impact the case?

Again, it depends on the type of case, who your customer is, etc. Does it mean that this is always done as a matter of process…it might, depending upon the type of processes you have set up in your lab. I can't say definitively, "no", because I haven't seen every lab.

However, I think that the issue of what one may or may not do on a case has eclipsed the original question. For example, take a look at this image
https://blogs.sans.org/computer-forensics/files/2012/04/Spearphish-Attack.jpg

The image is taken from a SANS course…it's a snippet of a super timeline created using data from the course. The data itself is used to illustrate the effectiveness (or lack thereof) of AV solutions in protecting a system, but what you see in the timeline is a malicious PDF doc hitting the system, and before the files are dropped, two Java *.idx files are created.

Now, at the time that the course was developed and the timeline was created, tools for parsing *.idx do not appear to have been available…they are now. Many analysts looking at such a timeline (if they had created one) might look at the creation of the *.idx files as "kimchee" (term taken from a recent thread in another forum) and simply ignore them. But now we have tools to parse this information apart and provide additional context to raise awareness of intelligence that is available in the timeline.

Posted : 07/02/2013 7:20 pm
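One way to turn the observation in the post above into a triage check, as an added example that is not from the thread or from any tool mentioned in it: scan a super timeline for Java deployment cache *.idx creation events that fall shortly before a binary drop, so they are pulled out for parsing instead of being dismissed as noise. The timeline excerpt is constructed, and the five-column pipe-separated layout and the 5-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed super-timeline excerpt (time|source|host|user|description).
# Not real case data; the column layout is an assumption for this example.
TIMELINE = """\
2012-04-10 14:02:11|FILE|WS01|alice|Created C:\\Users\\alice\\Downloads\\invoice.pdf
2012-04-10 14:02:40|FILE|WS01|alice|Created C:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\12\\1a2b3c4d-5e6f7a8b.idx
2012-04-10 14:02:41|FILE|WS01|alice|Created C:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\7\\9f8e7d6c-1b2a3c4d.idx
2012-04-10 14:03:05|FILE|WS01|alice|Created C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe
2012-04-10 14:03:06|FILE|WS01|alice|Created C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll
2012-04-10 16:45:00|FILE|WS01|alice|Created C:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\deadbeef-cafef00d.idx
"""

# File types treated as a "drop" for this heuristic (assumption).
DROP_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_timeline(text):
    """Return a list of (timestamp, description) tuples, one per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, _host, _user, desc = line.split("|", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), desc))
    return events


def _path_of(desc):
    """Strip the leading verb ('Created ...') and normalise the path for matching."""
    return desc.split(" ", 1)[1].lower()


def idx_before_drops(events, window=timedelta(minutes=5)):
    """Return (idx_path, drop_path, seconds_between) for every deployment-cache
    .idx creation that is followed by a binary drop within `window`."""
    idx_events = [(t, _path_of(d)) for t, d in events
                  if "deployment\\cache" in _path_of(d) and _path_of(d).endswith(".idx")]
    drops = [(t, _path_of(d)) for t, d in events
             if _path_of(d).endswith(DROP_EXTENSIONS)]
    hits = []
    for it, ipath in idx_events:
        for dt, dpath in drops:
            if it <= dt <= it + window:
                hits.append((ipath, dpath, int((dt - it).total_seconds())))
    return hits


if __name__ == "__main__":
    for ipath, dpath, secs in idx_before_drops(parse_timeline(TIMELINE)):
        print(f"{secs:4d}s before {dpath}: parse {ipath}")
```

Each reported .idx file is a candidate for the parsers discussed in the thread; the 16:45 entry is deliberately left unmatched to show that cache activity with no nearby drop is not flagged.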
jaclaz
(@jaclaz)
Community Legend

The trojan defense is as ridiculous as the Chewbacca defense.

The Chewbacca defense does have (IMHO) its merits (of course rarely so in drug trafficking cases).
After all it was actually (very loosely) inspired by a real case, the O.J. Simpson Murder Trial:
http://en.wikipedia.org/wiki/Chewbacca_defense

If the issue at hand is "objectionable pictures" or "warez" or similar unlawful content found on a PC's hard disk, or DDoS and the like originated from a machine, the Trojan defense may actually be "Trojan truth".

jaclaz

Posted : 07/02/2013 7:26 pm