SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Google's "password system" code stolen?

Additional details of the attack against Google were reported in the New York Times this week. The claim is that some portion of Google's authentication system code, Gaia, may have been stolen as part of the "Aurora" breach. The bulk of this week's Case Leads was inspired by my own pursuits of late. I've been revisiting some forgotten skills in an attempt to brush up and have been researching information on some new (to me) technologies of interest.


  • My tool of choice this week is IDA Pro, the disassembler that should be in any malware analyst's kit. I was exposed to IDA Pro a few years ago in Lenny Zeltser's Reverse-Engineering Malware course. Unfortunately for me, I'm a bit rusty on its usage, but am getting back into it.

Good Reads:

  • If you're interested in getting started in reversing, you may find Jonathan Bartlett's Programming from the Ground Up (nod to the Metasploit blog for the recommendation) worth a read.
  • I was recently doing some research on HIDS and NIDS and came across an older piece, originally published in 2003, but updated in 2006, that compares HIDS and NIDS. If you're not familiar with the technologies and the differences, it's a good starting point. There's a chart in part one of the series that summarizes the differences and goes beyond the obvious host/network distinction.
  • According to Verizon's 2009 Data Breach Investigations Report "66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources." The report goes on to show that many companies collect logs from systems, that a considerably smaller percentage perform intrusion detection and a pathetic number actually review logs in some fashion.
    Even in sufficiently large organizations that do perform monitoring and have a relatively good handle on false positives, knowing which events should have the highest priority can be a challenge. James Voorhees has written a GCIA Gold Certification paper called Distilling Data in a SIM: A Strategy for the Analysis of Events in the ArcSight ESM that provides a good foundation for intrusion analysts who have to deal with the mountain of data and determine which events should be escalated first. Don't be fooled by the mention of ArcSight in the title; though the paper does include a review of ArcSight's architecture and technology, the principles that Voorhees lays out could apply to other systems.


  • Additional details about the breach at Google were published in the New York Times this week. According to the piece, the code for Google's Single Sign-On system, Gaia, may have been among the intellectual property that was stolen. If I were the APT, the source code used for authentication to Google services would be a high-value target. If the article is correct, the code is almost certainly undergoing some rigorous third-party analysis.
  • As of this writing, the SANS web site shows the 2010 EU Digital Forensics and IR Summit being held April 19 and 20; however, due to the volcanic ash cloud (we knew clouds would complicate forensics) that disrupted travel, the Summit has been postponed until September 8 and 9.

Coming Events:

Digital Forensics Case Leads for 20100422 was compiled by Dave Hull, SANS Community Instructor, recovering web app sec guy, now focusing on IR and forensics in the Fortune 500.