Thursday, June 30, 2011

Road to CCE, Pt. II: Review of Windows Forensic Analysis 2E


“The key to forensic analysis isn’t pushing the button on an application user interface.  After all, as I’ve said time and time again, the age of Nintendo forensics is over!  The key to forensic analysis is understanding what artifacts are available to you and having a logical, reasoned, and comprehensive plan or process for collecting and interpreting data.”  These are the words of Harlan Carvey, the author of Windows Forensic Analysis (as well as other great titles).  Reading that quote within the final part of Carvey’s book really summed up what it was all about, for me.  Truly understanding what information that is available to us through thorough examination and not relying upon a tool, was really the underlying message I got from this book.  That message is spot on to me, and is the reason I picked up this book.  I did not want to become another ‘button monkey’ who had to rely on a program to perform an investigation.  Tools are great when you have the background knowledge necessary to understand what the application is doing in the background, and the value of the information it provides.  That being said this book is FANTASTIC; obviously with recommendations from Eric Huber, Rob Lee, and Richard Bejtlich this really didn’t need to be said.  
The first part (chapters 1, 2, and 3) of this book will cover the importance of live response to an incident.  It’ll give you examples of important places to look for and gather crucial data.  It will then give examples on how to analyze the data collected.  Chapter 3 delves into the truly fascinating world of memory forensics and how this portion of analysis should not be overlooked (memory holds a ton of information).  The next portion of the book goes into the various files that can be used in an investigation.  The fourth chapter of the book dives into the deep pool of information that the registry of a Windows system.  The fifth chapter covers the other various files that can be obtained, such as, event logs, browser history, and other numerous log files available on systems.  These chapters are very technical and provide a vast wealth of knowledge.  The next portion of the text goes over executable files and rootkits; which covers the interesting ways in which a program operates and then can be altered.  And the final portions of this book ‘ties it all together’ with great examples and providing ways to perform an investigation on the cheap (particularly interesting to me as a student).
This book is an excellent source of information if you’re interested in learning more about what a Windows computer has to offer to your investigation.  I will definitely be keeping this book around for all the great information it provides.  Carvey, not only provides a treasure of information but he provides data within the text so you can get a good look at what sort of information you’re going to want.  To go along with all the miscellaneous data sources, you’re provided with suggestions/recommendations on tools that can help you obtain and analyze that data.  On top of this there are also tips, notes, and warnings that can apply to the topic at hand that help put the provided material into better context.
To sum up, this book is a must for anyone interested in the topic, it reads like a dream for such a technically heavy text. 

____________________________________________________
With yet another book completed on my list of texts I wanted to finish, before moving to more of an intensive hands-on approach to learning forensics.  I will be finishing one last book (of which Harlan Carvey is a contributing author to along with Cory Altheide) before applying everything.  I will be reading Digital Forensics with Open Source Tools next for obvious reasons; with more hands on stuff next in what I want to do why not use open source tools?  I am a bit nervous as to the few “not for beginners” mentioned on the Amazon reviews, but I always like a challenge.  However, hopefully it will be as good as a companion to The Sleuth Kit as some reviews say, as well.  Look for a review in a few weeks!   

Monday, June 6, 2011

B-Sides Detroit Security Conference

B-Sides Detroit was this weekend, woke up early and headed out to Detroit with a couple of buddies for the con for the day.  Got there bright and early and I got really excited when I saw this:


The conference was being held in a semi-warehouse/studio apartment building and it was actually really cool.  Considering this conference is FREE, it wasn't a big deal and it actually added a nice bit of personality to the con.  I should mention for free you get the speakers, a super awesome t-shirt (see below), and lunch (at least the day I attended).

The quality of the speakers were kind of hit or miss for me.  All of them had prevalent information; however, I thought that the some of it was kind of basic and others were more technical (which peaks my interest a bit more.).  Again, this con was free and there were a lot of great enthusiastic people around to chat up and socialize with even on the conferences USTREAM.  The event was very low-key and didn't press any vendor products at you, which is always a plus.  To help pay for the event they had a nicely priced snack bar with some excellent beer to choose from.

Overall, I thought my B-Sides experience was amazing!  I would recommend that anyone check one out, as they host them all over the country and they're growing in popularity.  The environment promotes and encourages new ideas as enthusiastic security professionals gather to talk about the subject they hold a deep passion for.  This con had a personality all in its own and you can't help but like it.


________________________________________

A little background on my experience to gain perspective to my review.  As you can guess from reading this blog I am a undergrad student of 'Information Assurance' here in Michigan.  I have come to love the security field over the last year or two.  The only other conference I've attended was the Minnesota High Technology Crime Investigative Association conference a few months back.  I enjoyed that experience quite a bit, but as it was law enforcement centric it lacked the passion I found in Detroit.