<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments for SANS Computer Forensics, Investigation, and Response</title>
	<atom:link href="http://blogs.sans.org/computer-forensics/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.sans.org/computer-forensics</link>
	<description>SANS Institute Computer Forensic Blog</description>
	<lastBuildDate>Mon, 09 Nov 2009 23:14:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>Comment on How to Disrupt a Botnet by Nuclear Snip3r</title>
		<link>http://blogs.sans.org/computer-forensics/2009/11/08/how-to-disrupt-a-botnet/comment-page-1/#comment-5821</link>
		<dc:creator>Nuclear Snip3r</dc:creator>
		<pubDate>Mon, 09 Nov 2009 23:14:56 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12996#comment-5821</guid>
		<description>As much as things change, they really don&#039;t, especially when it comes to dismantling rogue botnets. This is the same advice that we&#039;ve heard before. Yes, logging into and issuing a command to one or more nets is illegal, and while contacting ISPs **should** be a viable option, the sheer number of times you actually get a one-finger salute is remarkable.

On top of all that, most of the larger botnets are like playing whack-a-mole, where killing off one &quot;head&quot; leads to the generation of 5 more.

There are other (and better) ways to crack this nut.</description>
		<content:encoded><![CDATA[<p>As much as things change, they really don&#8217;t, especially when it comes to dismantling rogue botnets. This is the same advice that we&#8217;ve heard before. Yes, logging into and issuing a command to one or more nets is illegal, and while contacting ISPs **should** be a viable option, the sheer number of times you actually get a one-finger salute is remarkable.</p>
<p>On top of all that, most of the larger botnets are like playing whack-a-mole, where killing off one &#8220;head&#8221; leads to the generation of 5 more.</p>
<p>There are other (and better) ways to crack this nut.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on How to Disrupt a Botnet by Andre M. DiMino</title>
		<link>http://blogs.sans.org/computer-forensics/2009/11/08/how-to-disrupt-a-botnet/comment-page-1/#comment-5816</link>
		<dc:creator>Andre M. DiMino</dc:creator>
		<pubDate>Mon, 09 Nov 2009 11:58:03 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12996#comment-5816</guid>
		<description>I would not advocate the last sentence in item #2. Logging on to a network that is not your own, and issuing commands to take it over, could potentially be considered illegal access.

It would be far better to analyze the protocol and command structure and pass that to law enforcement or folks in the security community that track and act on discovered botnets.

Remember that a discovered active botnet should be treated like any other e-crime evidence.</description>
		<content:encoded><![CDATA[<p>I would not advocate the last sentence in item #2. Logging on to a network that is not your own, and issuing commands to take it over, could potentially be considered illegal access.</p>
<p>It would be far better to analyze the protocol and command structure and pass that to law enforcement or folks in the security community that track and act on discovered botnets.</p>
<p>Remember that a discovered active botnet should be treated like any other e-crime evidence.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on An Analysis of SpyKing by =USAF= 3D073</title>
		<link>http://blogs.sans.org/computer-forensics/2009/11/03/an-analysis-of-spyking/comment-page-1/#comment-5686</link>
		<dc:creator>=USAF= 3D073</dc:creator>
		<pubDate>Wed, 04 Nov 2009 22:23:46 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12451#comment-5686</guid>
		<description>Great writeup! Might be beneficial to some of the newer CFI guys to maybe post a collection (or review) of commonly used tools, freeware or otherwise...</description>
		<content:encoded><![CDATA[<p>Great writeup! Might be beneficial to some of the newer CFI guys to maybe post a collection (or review) of commonly used tools, freeware or otherwise&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Recovering Deleted Text Messages from Windows Mobile Devices by Evgueni Tchijevski</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/22/recovering-deleted-text-messages-from-windows-mobile-devices/comment-page-1/#comment-5431</link>
		<dc:creator>Evgueni Tchijevski</dc:creator>
		<pubDate>Fri, 23 Oct 2009 09:03:31 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12091#comment-5431</guid>
		<description>There are some other interesting things you can do on Windows Mobile devices, i.e.:
You can read Registry hives (Default.hv and System.hv) with the tool MakeHv from XDA.
You can read MMS with MMS-Parse (Perl module).
You can read the pim.vol EDB database (call registry and phonebook) with DBExplorer.
If you are able to read Italian, there&#039;s a tutorial on Windows Mobile forensics with XDA tools:
http://www.cfitaly.net/node/90
Regards</description>
		<content:encoded><![CDATA[<p>There are some other interesting things you can do on Windows Mobile devices, i.e.:<br />
You can read Registry hives (Default.hv and System.hv) with the tool MakeHv from XDA.<br />
You can read MMS with MMS-Parse (Perl module).<br />
You can read the pim.vol EDB database (call registry and phonebook) with DBExplorer.<br />
If you are able to read Italian, there&#8217;s a tutorial on Windows Mobile forensics with XDA tools:<br />
<a href="http://www.cfitaly.net/node/90" rel="nofollow">http://www.cfitaly.net/node/90</a><br />
Regards</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Recovering Deleted Text Messages from Windows Mobile Devices by Brad</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/22/recovering-deleted-text-messages-from-windows-mobile-devices/comment-page-1/#comment-5396</link>
		<dc:creator>Brad</dc:creator>
		<pubDate>Thu, 22 Oct 2009 13:22:24 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12091#comment-5396</guid>
		<description>Did you mean to block out the ASCII numbers but leave the hex visible?</description>
		<content:encoded><![CDATA[<p>Did you mean to block out the ASCII numbers but leave the hex visible?</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Why Digital Forensic Certifications Are Needed by Jason Jordaan</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/07/why-digital-forensic-certifications-are-needed/comment-page-1/#comment-5371</link>
		<dc:creator>Jason Jordaan</dc:creator>
		<pubDate>Wed, 21 Oct 2009 16:14:34 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12051#comment-5371</guid>
		<description>I have looked at the certification debate for some time, especially as certifications began to spring up all over the place in our field. While I agree with Rob that certifications can play an important role in demonstrating that a person has the minimum required knowledge to do a job, this is not actually the same as being able to do the job, and thus if we do consider certifications, they should demonstrate both knowledge and applied skills.

A problem I have with certain certifications is that many of them are &quot;business interests&quot; created by businesses or business people with the purpose to make a profit. While this is no different to a university in a certain sense, there is generally some level of regulatory oversight. So if I wanted to, I could set up a business, and with some slick marketing create the next big thing in computer forensics, design a certification, and make money (not that I plan to before I get flamed into oblivion).

What I think we need are certifications created by non-profit bodies (and the non-profit will limit the numbers of these I am sure), who are made up of the members of the body, and who self-regulate themselves and the certification. In other words, a self-regulating professional body, which could issue appropriate certifications, enforce a code of practice or conduct etc. I know there is some work being done in this regard, but as digital forensic practitioners who are passionate about our discipline, we need to do more.</description>
		<content:encoded><![CDATA[<p>I have looked at the certification debate for some time, especially as certifications began to spring up all over the place in our field. While I agree with Rob that certifications can play an important role in demonstrating that a person has the minimum required knowledge to do a job, this is not actually the same as being able to do the job, and thus if we do consider certifications, they should demonstrate both knowledge and applied skills.</p>
<p>A problem I have with certain certifications is that many of them are &#8220;business interests&#8221; created by businesses or business people with the purpose to make a profit. While this is no different to a university in a certain sense, there is generally some level of regulatory oversight. So if I wanted to, I could set up a business, and with some slick marketing create the next big thing in computer forensics, design a certification, and make money (not that I plan to before I get flamed into oblivion).</p>
<p>What I think we need are certifications created by non-profit bodies (and the non-profit will limit the numbers of these I am sure), who are made up of the members of the body, and who self-regulate themselves and the certification. In other words, a self-regulating professional body, which could issue appropriate certifications, enforce a code of practice or conduct etc. I know there is some work being done in this regard, but as digital forensic practitioners who are passionate about our discipline, we need to do more.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Why Digital Forensic Certifications Are Needed by Michael Dundas</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/07/why-digital-forensic-certifications-are-needed/comment-page-1/#comment-4956</link>
		<dc:creator>Michael Dundas</dc:creator>
		<pubDate>Fri, 16 Oct 2009 14:23:07 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12051#comment-4956</guid>
		<description>I remember back when I was working as a system administrator for a pharmaceutical company. I was responsible for a bunch of Netware systems that contained adverse events databases and applications. We had a Novell CNE come in to assist us. I had about 5-6 years of experience with Netware at the time. His knowledge was terrible - I could run circles around him on Netware, how it functioned, the details, etc. This was a big eye opener for me.

Since then, over the years, I have found the same with many certifications: SANS, Cisco, CISSP, you name it. Sure, you have your ones that are good, but the number of bad ones is staggering to me. Your statement about needing base knowledge is nice, but unfortunately I don&#039;t think that will help.
I have some certifications in BGP, protocol analysis, switching. I got them because the company forced me to in order to work with the products. They have been of no value to me, just a bunch of &quot;letters&quot; and an incremental count for the marketing departments on &quot;the number of people certified on our system.&quot;

Recently, I was told that I should really have a &#039;certification&#039; in order to look at network traffic. I have been doing research and analysis on network traffic, attack patterns, botnets, protocol analysis for years as part of my daily activities. I have trained many companies on network analysis. Really, I need to be certified? If I need to I will, but I think it is silly. It ends up giving employers a false sense of security. They will take the guy who is certified with 3 years of experience over the individual that has 10 years of experience and think they are better off -- rarely is that the case in my experience.

You comment on needing a driver&#039;s license, babysitter&#039;s license, plumbing license, etc. Just because everyone does it doesn&#039;t make it the right thing to do. Heck, I can get a firearm license without ever having to lay my eyes on a firearm, let alone use one. My father never had a firearm license, but I&#039;d suggest you are safer with him working one than I (even if I had a license, which I do not) -- he grew up using them regularly.
Another &#039;problem&#039; I have noticed with certifications is that over time they get &quot;watered down&quot;. One of the reasons this happens is that there becomes pressure to get large numbers certified due to multiple certifications and competition with other businesses and certification standards.

My hope is that if there are certifications in forensics, they don&#039;t end up following the path of the multitude of other certifications. Don&#039;t do it. Use word of mouth, references, and experience to determine the best fit. If you must do it, do it right: spend lots of money, time, and transparency determining the best solution and don&#039;t let business and politics get in the way.</description>
		<content:encoded><![CDATA[<p>I remember back when I was working as a system administrator for a pharmaceutical company. I was responsible for a bunch of Netware systems that contained adverse events databases and applications. We had a Novell CNE come in to assist us. I had about 5-6 years of experience with Netware at the time. His knowledge was terrible &#8211; I could run circles around him on Netware, how it functioned, the details, etc. This was a big eye opener for me.</p>
<p>Since then, over the years, I have found the same with many certifications: SANS, Cisco, CISSP, you name it. Sure, you have your ones that are good, but the number of bad ones is staggering to me. Your statement about needing base knowledge is nice, but unfortunately I don&#8217;t think that will help.<br />
I have some certifications in BGP, protocol analysis, switching. I got them because the company forced me to in order to work with the products. They have been of no value to me, just a bunch of &#8220;letters&#8221; and an incremental count for the marketing departments on &#8220;the number of people certified on our system.&#8221;</p>
<p>Recently, I was told that I should really have a &#8216;certification&#8217; in order to look at network traffic. I have been doing research and analysis on network traffic, attack patterns, botnets, protocol analysis for years as part of my daily activities. I have trained many companies on network analysis. Really, I need to be certified? If I need to I will, but I think it is silly. It ends up giving employers a false sense of security. They will take the guy who is certified with 3 years of experience over the individual that has 10 years of experience and think they are better off &#8212; rarely is that the case in my experience.</p>
<p>You comment on needing a driver&#8217;s license, babysitter&#8217;s license, plumbing license, etc. Just because everyone does it doesn&#8217;t make it the right thing to do. Heck, I can get a firearm license without ever having to lay my eyes on a firearm, let alone use one. My father never had a firearm license, but I&#8217;d suggest you are safer with him working one than I (even if I had a license, which I do not) &#8212; he grew up using them regularly.<br />
Another &#8216;problem&#8217; I have noticed with certifications is that over time they get &#8220;watered down&#8221;. One of the reasons this happens is that there becomes pressure to get large numbers certified due to multiple certifications and competition with other businesses and certification standards.</p>
<p>My hope is that if there are certifications in forensics, they don&#8217;t end up following the path of the multitude of other certifications. Don&#8217;t do it. Use word of mouth, references, and experience to determine the best fit. If you must do it, do it right: spend lots of money, time, and transparency determining the best solution and don&#8217;t let business and politics get in the way.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Why Digital Forensic Certifications Are Needed by Larry Daniel</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/07/why-digital-forensic-certifications-are-needed/comment-page-1/#comment-4586</link>
		<dc:creator>Larry Daniel</dc:creator>
		<pubDate>Wed, 14 Oct 2009 07:22:43 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12051#comment-4586</guid>
		<description>I am glad to see discussions going on in this area. While I know I make controversial posts on my blog from time to time, my intention is always to promote thought and discussion in different areas. Rob, keep up the good work!</description>
		<content:encoded><![CDATA[<p>I am glad to see discussions going on in this area. While I know I make controversial posts on my blog from time to time, my intention is always to promote thought and discussion in different areas. Rob, keep up the good work!</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Why Digital Forensic Certifications Are Needed by Joseph W Shaw II</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/07/why-digital-forensic-certifications-are-needed/comment-page-1/#comment-4451</link>
		<dc:creator>Joseph W Shaw II</dc:creator>
		<pubDate>Fri, 09 Oct 2009 06:32:50 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12051#comment-4451</guid>
		<description>I don&#039;t think any amount of certification is going to stop the licensing dilemma digital forensic professionals will be facing in the coming years.  Several states, including mine, already require it, and more are jumping on that bandwagon due to the lobbying pressure being exerted by various PI groups in an effort to corner the market on lucrative digital forensics work in the private sector.  Until digital forensics professionals and organizations start doing the same, we&#039;re going to be in for a bumpy ride, and many of you will find yourselves unable to legally practice your profession regardless of your qualifications.  It happened to digital forensic examiners in Texas after the 2007 &#039;clarification&#039; of the law, and it will happen again.</description>
		<content:encoded><![CDATA[<p>I don&#8217;t think any amount of certification is going to stop the licensing dilemma digital forensic professionals will be facing in the coming years.  Several states, including mine, already require it, and more are jumping on that bandwagon due to the lobbying pressure being exerted by various PI groups in an effort to corner the market on lucrative digital forensics work in the private sector.  Until digital forensics professionals and organizations start doing the same, we&#8217;re going to be in for a bumpy ride, and many of you will find yourselves unable to legally practice your profession regardless of your qualifications.  It happened to digital forensic examiners in Texas after the 2007 &#8216;clarification&#8217; of the law, and it will happen again.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Why Digital Forensic Certifications Are Needed by Michael Cloppert</title>
		<link>http://blogs.sans.org/computer-forensics/2009/10/07/why-digital-forensic-certifications-are-needed/comment-page-1/#comment-4446</link>
		<dc:creator>Michael Cloppert</dc:creator>
		<pubDate>Fri, 09 Oct 2009 02:54:29 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.sans.org/computer-forensics/?p=12051#comment-4446</guid>
		<description>This is a good discourse to have in the public domain.  First, I&#039;d like to thank John and Rob for facilitating this discussion, even though necessary, critical peer review can be (incorrectly) skewed as undermining the profession.  Of course, we know nothing could be further from the truth, but sadly other public forums tend to stifle self-evaluation.

In my 12 years in IT, and 8 in security, I&#039;ve found that the only certifications that produce consistently reliable professionals are those which strictly require demonstrated application of knowledge.  I was one of the ones screaming when SANS split certifications to Silver and Gold, because I felt it would cheapen the certification.  I feared the many with Silver would not specify the level of their cert, and the public would only see &quot;GCIA&quot; for example.  I still feel this way, and sadly, believe that this has played out over time.

Application of knowledge is one thing that distinguishes the CCIE from the myriad other Cisco certifications, to give a slightly different example.  While I&#039;m sure they exist, I&#039;ve never met an unqualified CCIE.  I&#039;ve met plenty of unqualified SANS cert holders.  Because the distinction between applied knowledge and lack thereof is so difficult to see, of course, I have no idea whether these folks have gone through the practical - although I certainly doubt it.

I do not put much weight in test-only certifications because anyone can memorize some stuff for a short period of time.  If SANS wants to raise the bar, they need to make the difference between demonstrated applied knowledge and multiple-choice, test-only certifications unambiguous - especially for someone not in our industry like HR generalists, contract authors, proposal writers, and policymakers.

-Mike</description>
		<content:encoded><![CDATA[<p>This is a good discourse to have in the public domain.  First, I&#8217;d like to thank John and Rob for facilitating this discussion, even though necessary, critical peer review can be (incorrectly) skewed as undermining the profession.  Of course, we know nothing could be further from the truth, but sadly other public forums tend to stifle self-evaluation.</p>
<p>In my 12 years in IT, and 8 in security, I&#8217;ve found that the only certifications that produce consistently reliable professionals are those which strictly require demonstrated application of knowledge.  I was one of the ones screaming when SANS split certifications to Silver and Gold, because I felt it would cheapen the certification.  I feared the many with Silver would not specify the level of their cert, and the public would only see &#8220;GCIA&#8221; for example.  I still feel this way, and sadly, believe that this has played out over time.</p>
<p>Application of knowledge is one thing that distinguishes the CCIE from the myriad other Cisco certifications, to give a slightly different example.  While I&#8217;m sure they exist, I&#8217;ve never met an unqualified CCIE.  I&#8217;ve met plenty of unqualified SANS cert holders.  Because the distinction between applied knowledge and lack thereof is so difficult to see, of course, I have no idea whether these folks have gone through the practical &#8211; although I certainly doubt it.</p>
<p>I do not put much weight in test-only certifications because anyone can memorize some stuff for a short period of time.  If SANS wants to raise the bar, they need to make the difference between demonstrated applied knowledge and multiple-choice, test-only certifications unambiguous &#8211; especially for someone not in our industry like HR generalists, contract authors, proposal writers, and policymakers.</p>
<p>-Mike</p>
]]></content:encoded>
	</item>
</channel>
</rss>
