SANS expanded the Reverse-Engineering Malware course (FOR610) to include a day's worth of capture-the-flag malware analysis challenges. The challenges are built upon the NetWars tournament platform and are designed to reinforce the skills learned earlier in the course by experimenting with real-world malware. You can get a sneak peek at the new experience.
In this week's Case Leads, there's a bunch of new useful tools that might come in handy in certain situations while handling incidents: PDF analysis, malware analysis, honeypots and Mac forensics! A sequel to a multi-part series on protecting our credentials while handling incidents. When some weird registry keys appear in log2timeline results, you discover an attack vector for manipulating the execution chain? More and more on Prefetch analysis. Challenging forensicators: The Honeynet Project publishes a cool challenge for fun and profit. More on that weird DUQU source code; guess what it is? When a digital lock refuses to unlock for the FEDS, guess what they do? STEGO techniques come to light again, using foreign languages!? And finally, raids are not only in games! In our real life @ The Pirate Bay?
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to firstname.lastname@example.org.
One of the best ways to learn how to analyze malicious software is to practice. Here's a set of challenge questions, building upon an earlier network forensics puzzle, so you can strengthen your malware analysis skills.
Let me start by noting how much fun I had while investigating and analyzing everything for this forensics challenge. I was able to apply many different techniques, from analyzing logs to file carving and network forensics. It's the 2009 forensics challenge from DFRWS, and you can find the description, system images and pcap files at http://dfrws.org/2009/challenge/submission.shtml
The first thing I did was grab the images and pcap files from the DFRWS site and mounted those images on my workstation for analysis:
asm forensics # mount -o loop,noexec,ro /forensics/nssal-linux-side-fs.dd /mnt/ps3
asm forensics # mount -o loop,noexec,ro /forensics/jhuisi-linux-side-fs.dd /mnt/ps3-jhs
At this point I tried generating a timeline, but I ended up with two huge files, 240 MB and 75 MB. It would not be easy to go through that by hand, so I tried to narrow ...
This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.
As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to email@example.com.
- Earlier this month AccessData released a new version of their popular (and free) utility, the FTK Imager. Version 3 has a number of useful features, such as the ability to boot forensic images in VMware and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG