
Volatility Framework 2.0 Released

Wow. This, in addition to MANDIANT’s recently released Redline tool, will amount to another devastating blow to HBGary Responder Pro sales and market share. How can you justify the $9000 USD cost for a Responder Pro license plus annual maintenance if one of these free tools works for the platforms you work on?

The following platforms are currently supported:
32bit Windows XP Service Pack 2 and 3
32bit Windows 2003 Server Service Pack 0, 1, 2
32bit Windows Vista Service Pack 0, 1, 2
32bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
32bit Windows 7 Service Pack 0, …


Warning Before Using Most Common iPhone Passcodes Lists

Regarding this:
http://amitay.us/blog/files/most_common_iphone_passcodes.php

You have to be careful sharing this type of information if you support patrol officers or investigators who like to try a passcode or two on their own when they take a phone off a suspect. Some smart gangbangers have their phones already sitting at 9 invalid logins, and the 10th will wipe the phone. Units seized from suspects should be put through your organization’s normal seizure and lab procedures. Please avoid the temptation of trying a passcode or two on your own outside of those procedures.

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: …


RAM Dump Analysis for Apple OS X Systems

Kudos to Kyeong-Sik Lee and the Korean Digital Forensic Research Center for providing what I believe is the first publicly available tool for doing RAM dump analysis on Apple OS X systems. The new tool – volafox – isn’t as evolved as its Windows counterparts (HBGary Responder, MANDIANT Memoryze/Redline, or the Volatility Framework), but it is a great start. Volafox can be obtained from the link below.

References:
http://code.google.com/p/volafox/
http://computer.forensikblog.de/en/2011/06/mac_os_x_memory_analysis_with_volafox.html
http://blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement


Good Example of IR Process for a Development Team’s Website

If you run or participate in such a project, you might want to give the Fedora team’s writeup of a recent intrusion a read. Kudos to the Fedora team for their resilient process, their advanced preparation for such an event, and their willingness to share their experiences publicly. The link is below.

References:
http://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement


Who Can Bypass Blackberry Passwords?

From time to time the question comes up from law enforcement and other investigators: Can Blackberry passwords be bypassed or cracked? To the best of my knowledge the answer is yes, but only by certain authorized entities. Currently the process takes about a year (backlog) and there is a cost associated with doing so.

Who is authorized? As far as I know, in the United States, federal-level law enforcement and the intelligence services can: the CIA, NSA, and FBI. There may be elements of the US Department of Defense and the US military, but I …


Disabling Windows Autorun in Real World Enterprise Environments

According to this report from Avast, 1 out of 8 pieces of malware has a USB autorun attack component associated with it. In my own malware reverse engineering work, I frequently see malware with the ability to spread through USB removable drives, the root of local drives, and writeable roots of network shares. The obvious mitigation for this problem is to disable Windows autorun where you can.

If you have been hesitant to disable Windows autorun throughout your enterprise for any reason, please consider that you can do so by device type. To be clear, completely disabling …


Quickly Triage Adobe PDF Documents for Malware

If you frequently get asked to analyze suspicious Adobe PDF documents for potential malicious content or malware, this triage guide might be of help. Adobe PDF documents can be complex things to analyze, but it is possible to get a quick answer on whether or not a particular PDF merits deeper examination. You should always conduct this type of examination on an isolated machine off of any production network. Air-gapped VMware and Deep Freeze based examination systems work fine. The steps below DO NOT definitively determine that a particular PDF has malware or is malicious – …
