SANS Digital Forensics and Incident Response Blog

Code skills make better Forensic Analysts

by Craig Wright

I know I am pushing something up a hill here in suggesting this, but .Net coding in a Windows environment and general coding skills for Linux should be a goal for all Forensic Analysts to learn. These are essential skills. In fact, they make life far easier if you can write code and think creatively. It is also not difficult to learn how. The ACM and IEEE both offer members free CBT courses on this topic.

I have recently noticed a number of conversations around reading Windows Event logs. The difficulty in extracting events and the limitations of the commercial tools are frequently mentioned. The reality is that it is a simple task that has been incorporated into the .Net framework since version 1.0 first came out. Classes and libraries are available for this very task. There are also many developer sites that offer code examples and tutorials. For instance, the Microsoft Developer Network (MSDN) and others have a set of pages on this problem.

My preference is for the C family of code languages (C, C++, C#) being that I started as a programmer doing C coding in the 80's, but there are a large number of VB examples about (which is not my specialty). Both Visual .Net and the command line compiler (CSC) that exist on nearly all Windows hosts in the last 8 years or so support .Net and have a simple compiler. It is actually difficult to remove all compilers from a modern Windows system and have it continue to run...

Windows has a good implementation of the Regex class. Although these are rather abstract, they allow you to create extremely granular filters.

For a simple C# code example (this could be simplified using foreach statements, etc.):

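//Source File : Event_Reader.cs
//Compilation : csc Event_Reader.cs
//Execution   : Event_Reader

using System;
using System.Diagnostics;
using System.Windows.Forms;
using System.Drawing;

public class Event_Reader : Form
{
    Button b1 = new Button();

    public Event_Reader()
    {
        this.Text = "Security Event Warning in log";
        b1.Text = "Click here";
        b1.Click += new EventHandler(b1_click);
        b1.Location = new Point(100, 50);
        this.Controls.Add(b1);
    }

    // Show up to five Application log entries written by MSSQLServer.
    public void b1_click(object sender, EventArgs e)
    {
        const string source = "MSSQLServer";
        EventLog elog = new EventLog();
        elog.Log = "Application";   // the event log to read
        elog.Source = source;

        try
        {
            int shown = 0;
            // Entries holds every record in the log, so each entry's
            // Source is compared explicitly to apply the filter.
            for (int i = 0; i < elog.Entries.Count && shown < 5; i++)
            {
                EventLogEntry entry = elog.Entries[i];
                if (entry.Source != source) continue;

                MessageBox.Show("Message: " + entry.Message + "\n" +
                                "App: " + entry.Source + "\n" +
                                "Entry type: " + entry.EntryType);
                shown++;
            }
        }
        catch (Exception ex)
        {
            // Report a failed read (for example, insufficient rights)
            // instead of silently swallowing it.
            MessageBox.Show("Could not read the event log: " + ex.Message);
        }
    }

    [STAThread]
    public static void Main()
    {
        Application.Run(new Event_Reader());
    }
}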

You can search the various properties of the EventLog class and return an instance of EventLog.EventLogEntryCollection. This will define a number of EventLogEntry types. Each of these will correspond to selected relevant entries in the Event Log being analyzed.

In the example listed above, the elog.Log = "Application"; reference is to the event log being searched. The Source, elog.Source = "MSSQLServer";, sets a filter for the type of entry. You can add events for UserName, TimeGenerated, TimeWritten, etc. by simply substituting these types in the code example (modified from code provided on MSDN).

The Code Project has a simple code base that can be used to quickly put a small fast eventlog filter together and which can be modified to include Regex based search terms.
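A command-line version of the Regex-based event log filter mentioned above and in the earlier note on the Regex class. This is an added example, not code from the original post or from The Code Project; the name Event_Filter, its arguments and the CSV layout are assumptions made for illustration.

```csharp
// Added example (not from the original post). Event_Filter, its arguments
// and the CSV layout are assumptions.
// Build: csc Event_Filter.cs   Run: Event_Filter Application "login failed|timeout" 24
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class Event_Filter
{
    // True when the entry is inside the time window and the pattern
    // matches its source or its message text.
    public static bool IsHit(EventLogEntry e, Regex pattern, DateTime since)
    {
        if (e.TimeGenerated < since) return false;
        return pattern.IsMatch(e.Source) || pattern.IsMatch(e.Message);
    }

    // Quote one CSV field; multi-line messages are flattened to one row.
    static string Csv(object value)
    {
        string s = (Convert.ToString(value) ?? "").Replace("\r", " ").Replace("\n", " ");
        return "\"" + s.Replace("\"", "\"\"") + "\"";
    }

    public static int Main(string[] args)
    {
        if (args.Length < 2) { Console.Error.WriteLine("usage: Event_Filter <log> <regex> [hours]"); return 2; }
        double hours = args.Length > 2 ? double.Parse(args[2]) : 24;
        DateTime since = DateTime.Now.AddHours(-hours);
        // Match timeout (.NET 4.5+) keeps a bad pattern from stalling on a long message.
        Regex pattern = new Regex(args[1], RegexOptions.IgnoreCase, TimeSpan.FromSeconds(2));
        int hits = 0;
        using (EventLog elog = new EventLog(args[0]))
        {
            Console.WriteLine("Index,TimeGenerated,EntryType,Source,UserName,Message");
            foreach (EventLogEntry e in elog.Entries)
            {
                if (!IsHit(e, pattern, since)) continue;
                Console.WriteLine(string.Join(",", Csv(e.Index),
                    Csv(e.TimeGenerated.ToString("o")), Csv(e.EntryType),
                    Csv(e.Source), Csv(e.UserName), Csv(e.Message)));
                hits++;
            }
        }
        Console.Error.WriteLine(hits + " matching entries");
        return 0;
    }
}
```

Reading the Security log this way requires an elevated (administrator) prompt.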

So, my recommendation. Learn how to code, it is simpler than you think and it will make you a better digital forensic professional.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he is helping to launch a Masters degree in digital forensics. He starts his second doctorate, a PhD on the quantification of information system risk at CSU in April this year.

2 Comments

Posted April 24, 2009 at 4:27 PM

mworman

Craig,
I couldn't agree more and I'm glad to see we're like minded in this regard.
There is a definite trend in the forensics/IR world towards flashier devices with lots of LEDs and buttons... but to rely exclusively on these devices is like trying to be a forensic pathologist and only knowing how to operate an MRI machine or ultrasound unit.
These are simply tools of the trade... true mastery of forensics involves understanding the science of your MEDIUM, which in our case usually involves some sort of information system. Software/hardware programming languages are the human-computer interface and anyone hoping to be considered a professional in this field must understand that the Court and various authorities care far less about whether or not you can fill out Encase fields and much more about whether or not you, as an examiner, understand how bytes are collected, stored, and processed within a computer or similar device.
Blood spatter forensics? This requires a strong grasp of hematology as well as physics!
Ballistic forensics? Metallurgy and firearms expertise.
Forensic anthropology? Human anatomy, evolution, culture, and so on.
Digital forensics? Computer architecture, programming, and data processing are the fundamentals. Learning and combining those skills with the skills to investigate and use tools like Encase/FTK/etc is the sign of a strong professional.

Posted May 2, 2009 at 12:34 PM

mikecloppert

Craig,
I think this applies to any technical discipline of computer security, and agree 100%. I would add that in addition to programming, the best security analysts I've worked with have all had a deep understanding of system and network engineering and architecture, as well. These fundamentals are a good starting point for anyone interested in focusing in on security as a career.
Mike Cloppert