SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Good reads and coming events

It's been a very busy week, so this week's Case Leads post is all about brevity. There were a bunch of great articles put out this week and I'm sure I've missed a few. At the end of this week's post there's an email address for the Case Leads series. If you have written or read something you think should be included in the weekly round-up, please let us know.

Last week I posted a few sites that regularly publish lists of domains that are known to be serving malware. I'm working on a project that's scraping some of these sites and building lists of IPs for use in a network security monitoring program. What I didn't know at the time was that malwaredomains.com has a text file that they regularly update with new domain names. This makes my task much easier.

For fun this week, I took the text file and extracted the hostnames from all the uncommented lines in the text file. There were over 19 thousand listed. I spent a few minutes writing a shell script that would parse the list of domain names and lookup the IP addresses. I talked to my service provider about hitting their DNS servers with 19K+ requests and they said they wouldn't mind, but suggested I spread the load across multiple DNS servers.

In the end, I found 14 publicly accessible recursive DNS servers and distributed the load across them all. Surprisingly, the 19K+ domains resolved to just over 4K unique IP addresses. Many of these are in the same netblocks, and yes, there were several hundred that couldn't be resolved and just a handful that resolved to RFC 1918 addresses. I'm going to spend some more time analyzing the data and may post more about it later. On with the Case Leads...
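The pipeline described above (uncommented lines to hostnames, resolution spread across several resolvers, then counting unique IPs, unresolved names and RFC 1918 hits) as an added example. This is not the author's script and nothing here came from the original post. It assumes the list format in which comment lines start with '#' and the hostname is the first whitespace-separated field of each data line, that `dig` is installed, and that the addresses in RESOLVERS (RFC 5737 documentation addresses, chosen as placeholders) are replaced with servers you have permission to query. The sample list and the sample resolution results are constructed for the example.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed list format: '#' comment
# lines, hostname in the first whitespace-separated field of data lines.
# RESOLVERS holds placeholder documentation addresses; replace before use.
set -eu

TAB=$(printf '\t')

# Placeholder resolvers (RFC 5737 documentation range), round-robin targets.
RESOLVERS="192.0.2.53 198.51.100.53 203.0.113.53"

# Constructed sample of the list format, standing in for the downloaded file.
SAMPLE_LIST=$(printf '# constructed sample, not real malwaredomains.com data\n## data lines follow\nbad.example\tattackpage\tsomeone\t20100501\nevil.example.net\tmalicious\tsomeone\t20100502\nbad.example\tphishing\tsomeone\t20100503\n')

# Hostnames from uncommented lines: first field, lowercased, deduplicated.
extract_hosts() {
    grep -v '^[[:space:]]*#' | awk 'NF { print tolower($1) }' | sort -u
}

# Round-robin resolver choice: $1 is the 0-based query index.
pick_resolver() {
    idx=$1
    set -- $RESOLVERS
    shift $(( idx % $# ))
    printf '%s\n' "$1"
}

# Returns 0 when $1 is an RFC 1918 private IPv4 address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# A records for host $1 via resolver $2, one IPv4 per line; empty on failure
# (CNAME targets printed by +short are filtered out by the address regex).
resolve_host() {
    dig +short +time=3 +tries=1 "@$2" "$1" A 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# stdin: hostnames. stdout: "host<TAB>ip" lines, or "host<TAB>UNRESOLVED".
resolve_list() {
    i=0
    while IFS= read -r host; do
        ips=$(resolve_host "$host" "$(pick_resolver "$i")")
        if [ -z "$ips" ]; then
            printf '%s\t%s\n' "$host" UNRESOLVED
        else
            for ip in $ips; do printf '%s\t%s\n' "$host" "$ip"; done
        fi
        i=$((i + 1))
    done
}

# Adds a third column to resolve_list output: public, private (RFC 1918)
# or unresolved, so private hits can be dropped before building a blocklist.
classify() {
    while IFS="$TAB" read -r host ip; do
        if [ "$ip" = UNRESOLVED ]; then tag=unresolved
        elif is_rfc1918 "$ip"; then tag=private
        else tag=public
        fi
        printf '%s\t%s\t%s\n' "$host" "$ip" "$tag"
    done
}

# Counts unique IPs, unresolved hosts and RFC 1918 hits from classify output.
summarize() {
    awk -F'\t' '
        $3 == "unresolved" { unresolved++; next }
        !seen[$2]++        { uniq++; if ($3 == "private") priv++ }
        END { printf "unique_ips=%d unresolved=%d rfc1918=%d\n", uniq, unresolved, priv }'
}

# Usage: sh resolve_list.sh domains.txt  (writes resolved.tsv, prints summary)
if [ $# -gt 0 ]; then
    extract_hosts < "$1" | resolve_list | classify | tee resolved.tsv | summarize
fi
```

Only the public rows of resolved.tsv belong in an IP list for network monitoring: a name that resolves to RFC 1918 space says nothing about traffic leaving your network, and an unresolved name has no address to watch for. Resolved addresses also go stale as hosting changes, so the resolution step should be re-run whenever the domain list is refreshed.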

Good Reads:

Coming Events:

If you are interested in signing up for vLive 408: Computer Forensic Essentials, starting in June 2010, please use the following code to receive a 25% discount when you sign up!

The code is IN408A.

http://www.sans.org/vlive/details.php?nid=20703

If you have suggestions for the Digital Forensics Case Leads posts, please email them to caseleads@sans.org.

Digital Forensics Case Leads for 20100506 was compiled by Dave Hull, SANS Community Instructor, recovering web app sec guy, now focusing on IR and forensics in the Fortune 500.