Let’s Analyze Some Malware With REMnux
Thursday, March 15, 2012, 7:00 PM
John Jay College-Criminal Justice
899 Tenth Avenue
10th Ave btwn 58th and 59th Streets
New York, NY
Selected By Douglas Brush
Malware is an effective attack vector that is used to compromise systems. With the rise of sophisticated attackers, one cannot simply rely on identifying malware by scanning for known signatures on file systems. Techniques have to be developed to identify compromised files and then effectively pick them apart to know what they will do or have done. This can be a daunting task, but thankfully folks like Glenn Edwards of Foundstone are here to help! Glenn is going to show us how to identify particular types of files and the techniques one can use for analysis with platforms such as REMnux.
Talk description
This talk will outline how one can more efficiently and effectively perform malware analysis by focusing on resources such as REMnux. While the topic’s scope can be quite large, the focus will be mainly on analyzing Portable Executable (PE) files. We’ll see how to identify what the file in question is, to ascertain that it is a PE file, and then dive into how one can perform file analysis in an automated fashion as well as with some manual methods. With the automated methods, we will look at some simple scripting that the analyst can do and touch on what’s currently included in the tools, so the analyst can fully understand what the tools do and how they can be altered to fit their needs.
Bio
Glenn Edwards is a Senior Consultant with Foundstone’s Incident Response practice in New York, where he specializes in Incident Response, Digital Forensics and Malware Analysis. Prior to joining Foundstone, Glenn was a Senior Analyst on a Computer Emergency Response Team (CERT), where he helped investigate computer intrusions, coordinated security-related incidents and provided both malware analysis and digital forensics examinations to Local, State and Federal Government agencies. Glenn holds an M.S. degree in Digital Forensics from the University of Central Florida as well as a B.S. degree in Information Security and Privacy from High Point University.
Getting to Know Your NTFS INDX Records
Thursday, April 12, 2012, 7:00 PM
John Jay College-Criminal Justice
899 Tenth Avenue
10th Ave btwn 58th and 59th Streets
New York, NY
Room 630T
Windows NTFS file systems have morsels of investigative goodness. The MFT is a great artifact, and investigators should not overlook INDX records when investigating file and folder existence, as well as those yummy timestamps for timeline creation.
Talk description
Willi Ballenthin of Mandiant has done some great research on INDX records and their attributes in the Windows NTFS file system. These data structures contain records for each file within a directory and help the file system organize data in an efficient manner. INDX files are interesting to forensic investigators for at least two reasons. First, an investigator may use INDX files as an additional source of timestamps for timeline analysis. Second, these files have significant slack space. With careful parsing, an investigator may recover old or deleted records from within these data chunks; in other words, the investigator may be able to show a file existed even if it has since been deleted. During this talk, we'll dive into the binary structure of the MFT in order to understand INDX attributes, and discuss how INDX records can help you find evil during an enterprise investigation.
Bio
Willi Ballenthin is a consultant at Mandiant, where he specializes in incident response and computer forensics. Although he has experience in a variety of forensic settings, Willi enjoys reconstructing intrusions from initial exploit through to persistence. Willi also enjoys developing tools and techniques to aid investigators, such as bringing initial Ext4 support to The Sleuth Kit and writing the python-registry module.
So please join us on Thursday, April 12th, 7:00 PM at John Jay College of Criminal Justice, 899 Tenth Avenue (59th St. and 10th Ave.) in Room 630T for this exciting meet-up.
Thursday, September 13, 2012
7:00 PM
John Jay College-Criminal Justice
899 Tenth Avenue
10th Ave btwn 58th and 59th Streets
New York, NY
Data sets continue to grow at an exponential rate, posing a continued challenge for our investigation, discovery and security tasks. Often it's not about finding the needle in the haystack but finding the right needles in pile after pile of needles mixed into haystacks. Thankfully we have good ol' math to help us out. Using math we can generate hashes of our data, and as a computer security professional you have most likely heard about cryptographic checksums before and how they can be used in computer forensic investigations.
Pär Österberg Medina returns to NYC4SEC (last presentation) for another presentation and will demonstrate how we can effectively take advantage of these checksums, both to find files of interest and to exclude files that are known, making it easier for us to focus on and analyze the files we have never seen before. He will show how we can integrate the Reference Data Set from NIST and how to partition the NSRL so we can separate the infamous ‘Hacker Tools’ products from our KnownGood database. Furthermore, he will show how 'hashdog', a program used to generate custom hash databases, can be used to generate hashes of the programs and applications that are used by your organization.
Continuing, he will talk about fuzzy hashing and how "almost matching" can be used both to identify file fragments and to establish relationships with other files. In addition, he will demonstrate techniques that malware can use in attempts to evade detection by fuzzy matching, and demonstrate how hash collisions can be used for anti-forensics purposes. Lastly, he will present hashmap, a technique that can be used to detect hash collisions in files that have been modified with the intent of flying under the radar.
Pär Österberg Medina has worked in computer security for over 15 years. Having a background in both system administration and penetration testing, he currently works as an Incident Response Consultant for McAfee and Foundstone Professional Services, specializing in Malware Analysis and Memory Forensics. Prior to joining Foundstone, Pär spent 8 years working as an Incident Handler, investigating computer intrusions and coordinating security-related incidents for CERT-SE, the national Computer Security Incident Response Team for Sweden. He specializes in Malware Analysis and Memory Forensics, finding rootkits that try to stay hidden in the operating system. He has conducted training and lectured on this subject all over the world at conferences such as FIRST, SANS and the GOVCERT.NL Symposium.
So please join us on Thursday, September 13th, 7:00 PM at John Jay College of Criminal Justice, 899 Tenth Avenue (59th St. and 10th Ave.) in Room TBD for this exciting meet-up.
Hey Doug
I no longer live in the New York area, have you guys thought about doing live web casts of these events?
Thursday, May 8, 2014 @ 6:30 PM
John Jay College-Criminal Justice
899 Tenth Avenue
10th Ave btwn 58th and 59th Streets
New York, NY
The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unknown to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory-resident malware, kernel rootkits, encryption (file systems, network traffic, etc.), and Trojan defenses. The only way to turn the tables and defeat a creative human adversary is through talented analysts.
This talk demonstrates the importance of including Volatile memory in your investigations with an overview of the most widely used memory forensics tool,
So please join us on Thursday, May 8th, 6:30 PM at John Jay College of Criminal Justice, 524 59th Street, Room 630T for this exciting meet-up.