Forensic Ramblings

First, thanks very much to David (@DCSecuritydk) for allowing me to ramble about forensics here on Security Distractions.

My name is Mitch; my first IR was ILOVEYOU in 1999 and I have been a forensics dilettante since 2004. I am a digital dinosaur who is currently focusing on OT Security.

I have always been fascinated by what you can discover from performing forensics and really enjoy learning from other skilled forensic practitioners. Back in the day, I started out with a script from a book called “Windows Forensics and Incident Recovery” written by Harlan Carvey (@keydet89)

Harlan has consistently reminded us to think about what we were doing and not just push buttons expecting to find evil. Thanks for RegRipper and all the learnings over the years. I wish I was a better pupil…

The need for Windows deadbox forensics is still there, but the focus has shifted to incident response (IR), with its need for speedy, accurate triage. The target audience has also expanded beyond x86 to mobile forensics, Apple products, Android OS, cars, IoT devices, etc. Given the rise of data breaches and malware attacks, the need for IR is only increasing.

But the basics are the same – paraphrasing the experts:
1) critical thinking – there is no “find evil” button; you need to know what you are looking for BEFORE starting
2) using a documented, defensible, explainable process (expecting the case to go to court)
3) understanding your subjects (Windows, Mac, Android)
4) understanding the threat actors and their TTPs
5) understanding your tools, their usage and limitations
6) a love of testing, documenting and sharing back to the forensics community
7) mastery of many related topics like Linux, bash shell scripting, Python, operating systems, applications and protocols, technology stacks.

A great place to start for some basic forensic training is here:

I had a need to examine a memory dump a while back and I used Volatility – both versions 2.6 and 3. Depending on the memory sample and what you are looking for, you might prefer one to the other. I will provide some details in another article, if allowed back 🙂

There are many great sites out there on how to use Volatility, but I wanted to mention one lesser-known site I found to be very useful, from Marcos (@_N4rr34n6). It reinforces the need to understand what you are looking for, and he shares his thoughts with a number of good examples on how to get there – using grep.

Another very useful tool for triage is Bulk Extractor, which is also often overlooked. In the next link, Marcos also shows his command of egrep. You cannot be a modern-day forensicator without knowledge of some basic Linux commands.

Another essential item in the documentation process is hashing your evidence. Recently, at the SANS OSINT Summit (Feb 2020), Steven Harris (@nixintel) presented “Hash Or It Didn’t Happen”, which can be found here (yes, you need to have a SANS account):

This is an excellent presentation showing Locard’s principle in action.
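To make the hashing step concrete, here is an added example (my own illustration, not code from the presentation or from any tool mentioned above) of what “hash or it didn’t happen” looks like in practice: every evidence file is hashed with more than one algorithm in a single pass, the digests and sizes are recorded in a manifest you can attach to your notes, and the same manifest is used later to prove the evidence has not changed. The file names and contents in `demo()` are constructed placeholders, not real images.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read evidence in 1 MiB chunks so large images do not exhaust memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, all digests computed in one read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(evidence_dir):
    """Hash every file under evidence_dir; the manifest is keyed by path relative to that directory."""
    root = Path(evidence_dir)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[str(path.relative_to(root))] = {"size": path.stat().st_size, **hash_file(path)}
    return manifest


def manifest_to_json(manifest):
    """Stable, human-readable form suitable for the case notes / chain-of-custody record."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(evidence_dir, manifest):
    """Re-hash and compare. Returns (ok, problems); problems lists every missing file or digest mismatch."""
    root = Path(evidence_dir)
    problems = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"{rel}: missing")
            continue
        algorithms = tuple(k for k in expected if k != "size")
        for algo, digest in hash_file(path, algorithms).items():
            if digest != expected[algo]:
                problems.append(f"{rel}: {algo} mismatch")
    return (not problems, problems)


def demo():
    """Constructed scenario: hash two placeholder evidence files, then alter one byte of one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "disk.E01").write_bytes(b"\x00" * 4096)      # constructed placeholder, not a real image
        (Path(tmp) / "memory.raw").write_bytes(b"MEMDUMP" * 100)  # constructed placeholder, not a real dump
        manifest = build_manifest(tmp)
        ok_before, _ = verify_manifest(tmp, manifest)
        # Simulate a single byte changing after acquisition (e.g. a careless write to the evidence copy)
        with open(Path(tmp) / "memory.raw", "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        ok_after, problems = verify_manifest(tmp, manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, issues = demo()
    print("verified before change:", before)
    print("verified after change:", after, issues)
```

Two choices worth noting: both digests are computed from one read of the file, which matters when the evidence is a multi-gigabyte image, and verification reports every discrepancy rather than stopping at the first, so the record shows exactly which files and which algorithms disagreed.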

He also has an excellent OSINT resource site:

Finally, one great source of forensic images, DigitalCorpora, has been moved over to AWS and is so fast now:

That’s it for me, for now. Thanks for reading!

Security Distractions

With each new “inspirational” Instagram, Twitter and Facebook New Year post cropping up on our feeds, we couldn’t help but jump on the bandwagon of “new beginnings” and finally launch our blog….

We have talked and talked and talked and talked about how we might one day come around to the idea that we might eventually be distracted enough to consider creating our own blog. Cue the long back and forth messages over Signal on what to call the god damn thing. Purchasing a domain name these days is so easy, but coming up with a catchy name… Not so much…

We love security and we love getting distracted by it, so eventually it was only logical that the blog should be named something along these lines……

Both Kim and I find ourselves getting overly excited about the technical side of security every day, to the point that the next new thing we have created ends up being all we can talk about for an hour or so, before we move on to the next new cool thing and forget about the last….

We figured that since we think we are doing some pretty exciting things, both professionally in the security world and in our own home *cough* datacenter *cough* labs, we would try our hand at writing about it.

A lot of our work is based around how we can get the most out of open source security platforms and tools. Most of our focus is around Elasticsearch and the full ELK stack, squeezing every last bit we can out of the platform to write and develop our own custom detection and enrichment methods. We will also talk a lot about MISP, The Hive Project, Squid, Elastalert, Kafka, Sysmon, threat intelligence and many, many other topics that would be sure to set off your 2019 bullshit bingo card…

There is a lot that can be achieved when you have a nice and simple logging setup. ELK is free from a license perspective, and your limits are pretty much your imagination on what you can do with it.

Enough about the blog and a little on us…

Collectively we work in the Danish finance industry, where we unfortunately share the same corner of the office, much to the dismay of our colleagues, who have often commented on our old-married-couple-like tendencies…

There is a little about us on the ironically titled “About Us” page..

We promise to try to keep the tone positive and deeply technical, but there also has to be room for a little bitching too, right?

Watch this space, there is a lot to come!

Disclaimer: The opinions expressed on this blog and in all posts are our own and do not reflect our employer; this blog is purely for personal use.