SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Intruder Alert! Intruder Alert!

Seven years ago, in the Preface to his The Tao of Network Security Monitoring, Richard Bejtlich wrote:

Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider.

Fast forward to 2011, and we find McAfee saying, in the executive summary of a recent report (pdf):

...external and internal threats are nearly impossible to prevent. Miscreants continue to infiltrate networks and exfiltrate sensitive and proprietary data upon which the world's economies depend every day.

Unfortunately, the big news this week is that NASDAQ and HBGary Federal have learned this lesson through first-hand experience. Both companies have suffered intrusions that made headlines in the past week or two. Add to that the recent compromise of PlentyOfFish and the newly reported hack of eHarmony, and the message is clear: all your base are belong to us. There are many reasons this is still true, and will likely remain true. But those are beyond the scope of this post. Suffice it to say, the preponderance of evidence screams "you must be ready."

In this week's link-fest, I point to a number of tools and must-read items to help move you closer to that state of readiness. But, as always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Good Reads:

  • Earlier this week, Lenny Zeltser posted Tips for Starting a Security Incident Response Program. He includes high-level tips on creating the hierarchy of documents you'll need to define and govern your incident response program, then provides links to some other valuable resources including sample Incident Response Plans and references for some of the more low-level aspects of the IR program. You should also read The Big Picture of the Security Incident Cycle, which Lenny contributed here back in September.
  • Over on the TaoSecurity blog, Richard Bejtlich posted (a few years ago) Defensible Network Architecture 2.0, which is an update to concepts that he introduced in The Tao of Network Security Monitoring and Extrusion Detection. While this isn't new, it's well worth the read and still highly relevant. The post also serves as a good overview of the concepts covered in Mr. Bejtlich's books (which are must reads).
  • McAfee just released their report Global Energy Cyberattacks: "Night Dragon," which details their findings from various attacks on "global oil, energy, and petrochemical companies" dating back 2-4 years. The report is interesting because of the level of detail it provides about the attack and the relevant indicators of compromise. There is a bit too much space spent on how various McAfee products could help protect you, but I suppose that's to be expected. It is, nevertheless, a good (and relatively short) read. I also suspect it will spark debate about whether the release of such specific indicators of compromise is ultimately helpful or harmful. Will the information help defenders detect compromises and defend their networks? Will it cause the attackers to step up their game and make the provided indicators useless? That debate is beyond the scope of this post, so I'll just say read the report and decide for yourself.
  • Mandiant recently released Memoryze v1.4.4200, which features full support for Windows 7 x32 and x64 (no longer in beta), beta support for Windows 2008 x32 SP1 and SP2, documentation for portable installation on removable media, and cool new searching of process address space.
  • Harlan Carvey has made available the tools bundled with his recently released book, Windows Registry Forensics. I'm about halfway through the book as I write this, and I believe it's fair to say that Windows Registry Forensics is a must read for anyone working in Incident Response or Forensics. It has something to offer everyone from beginners to advanced practitioners, and Harlan does a good job of hammering home the all-important "Why?" Rather than leave you with a list of registry values and descriptions, he tells you why those values are important under various circumstances. So, by all means, go grab the tools. But be sure to read the book as well.
  • NetworkMiner 1.0 was released earlier this week. This release leaves the 0.x release cycle behind and steps into the maturity of 1.x. NetworkMiner is a network forensic analysis tool and packet sniffer. Rather than presenting traffic packet by packet the way a protocol analyzer does, NetworkMiner parses the captured data to gather and present information about each host on the network. This host-based focus makes it easier to identify what services each host is offering, what outbound connections each host has initiated, etc.
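To make the host-centric idea concrete, here is an added example (my own illustration, not NetworkMiner's code) that parses a handful of constructed Ethernet/IPv4/TCP frames and inverts the packet-by-packet view into a per-host inventory: which ports a host answered on (a SYN/ACK from that host marks a listening service) and which outbound connections it initiated (a bare SYN). The frames, addresses and ports are all constructed in the block; the parsing uses only the fixed header layouts of Ethernet, IPv4 and TCP.

```python
import struct
from collections import defaultdict

ETH_LEN = 14          # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, not a capture)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + ETHERTYPE_IPV4
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    # IPv4 header: version/IHL, TOS, total length, id, frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags) or None for non-IPv4/TCP frames."""
    if len(frame) < ETH_LEN + 20 or frame[ETH_LEN - 2:ETH_LEN] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4            # IPv4 header length honours options
    if frame[ETH_LEN + 9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    tcp = ETH_LEN + ihl
    if len(frame) < tcp + 14:
        return None                               # truncated TCP header
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    flags = frame[tcp + 13]
    return src, dst, sport, dport, flags


def host_inventory(frames):
    """Aggregate packets into per-host facts: listening services and outbound connections."""
    hosts = defaultdict(lambda: {"services": set(), "outbound": set()})
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        src, dst, sport, dport, flags = rec
        if flags & TCP_SYN and not flags & TCP_ACK:
            hosts[src]["outbound"].add((dst, dport))   # src initiated a connection
        elif flags & TCP_SYN and flags & TCP_ACK:
            hosts[src]["services"].add(sport)          # src accepted on this port
    return dict(hosts)


# Constructed sample traffic: an internal web session plus an outbound HTTPS attempt,
# with one non-IP (ARP) frame that the parser must skip.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80, TCP_SYN),
    build_frame("10.0.0.10", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80, TCP_ACK),
    build_frame("10.0.0.5", "203.0.113.7", 51001, 443, TCP_SYN),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,   # ARP, ignored
]

if __name__ == "__main__":
    for host, facts in sorted(host_inventory(SAMPLE_FRAMES).items()):
        print(host, "services:", sorted(facts["services"]),
              "outbound:", sorted(facts["outbound"]))
```

The same aggregation over a real capture is what lets an analyst spot, in one glance, a workstation that suddenly offers a listening service or initiates connections to addresses it has no business contacting.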
Coming Events:

Digital Forensics Case Leads for 20110210 was compiled by Gregory Pendergast, Interim Information Security Officer and jack-of-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to