It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific … Continue reading Protecting Privileged Domain Accounts: Restricted Admin and Protected Users
[Author's Note: This is the 6th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] PsExec is an … Continue reading Protecting Privileged Domain Accounts: PsExec Deep-Dive
Hash filtering is a time-saving technique for a computer forensics examiner when working on a huge disk image. In a nutshell, this technique can filter out all those files in your image that belong to the operating system or well-known software packages. This will let the examiner focus on unknown files, reducing the scope of the investigation. After all, there's no point in spending time checking files we already know.
This filtering operation is based on hashes. Usually, we calculate the hash for every file in the image and check it against a list of hashes previously calculated over known good files. We call this list the known good hash set. All files with hashes matching the list are filtered out.
On the other hand, we would like to know if there are malicious files in our computer forensics case image. Again, the technique works by calculating the hash for every file in the image, looking for matches in a list containing pre-calculated hashes for known malicious
"Hope for the best, prepare for the worst." — English proverb
"Before anything else, preparation is the key to success." — Alexander Graham Bell
Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process with preparation. If you accept that system compromise is a matter of when not if, then prepare your systems in advance for forensic analysis.
Before moving systems into production, grab a copy of Jesse Kornblum's MD5Deep from http://md5deep.sourceforce.net and create MD5 checksums of all the files on the system. Have your desktop folks incorporate this into their image building process. If you're really diligent, update your hashes after applying patches.
Astute readers will say, "I can download known hashes from NIST's