March 2009 Archives

HB Gary Responder Field Edition Evaluation

I decided it was time to set my first steps in memory forensics, and was given the opportunity by HBGary’s friendly folks to use the evaluation version of their Responder suite for 2 weeks.

At a first glance, the Responder’s user interface has a very intuitive look and feel to it. I expected that there would be an option to create the memory image, but as far as I have found it can only import pre-existing images. No biggie, this gives me the chance to have a look at ManTech’s MDD as well.

MDD is easy and straightforward: just append the -o switch to tell it where to dump the memory to, and off it goes. After about 2 minutes, the memory image was created and an MD5 was generated automagically. Nice!


NOTE: I noticed in the evaluation guide that HB Gary’s own Fastdump Pro software was included for acquiring RAM… too late :(

Now let’s head back to the Responder. As there’s not much to clickety-click on at first, I created a new project and began importing my freshly created memory image.



After running through a bunch of different phases of processing the image, the Responder drew my attention to some modules that might be suspicious, and if I’d like to analyse them further. I already recognised my Check Point SecureClient in the list, but hey, who knows what else this VPN client is capable of, so I just selected all modules and sat back while the Responder extracted and disassembled the potentially suspicious modules.


Once done, it kicked off some more plug-ins such as malware analysis, and in about 30 minutes altogether the image was imported.

Now all that’s left to do is to click through the results, and I have to say, it’s amazing what this software finds. It lists pretty much everything, from hardware interrupts to running processes, keyword search results, open files, network sockets and registry keys at the time of memory imaging.
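Two of the steps mentioned above (the MD5 that MDD emits for the dump, and the keyword search results Responder lists) are easy to reproduce on a raw image with a few lines of code, which makes it clearer what those features actually do. The script below is an added illustration and is not part of the original post, nor HBGary's or ManTech's code; the image file, the `SecureClient` keyword and the offsets are constructed sample data. It streams the image instead of loading it whole, records SHA-256 next to the MD5 (MD5 alone is a weak integrity anchor for evidence), and searches for keywords in both ASCII and UTF-16LE, since much of the text Windows keeps in memory is UTF-16LE and an ASCII-only search misses it. Chunks overlap so a hit straddling a chunk boundary is still reported.

```python
"""Integrity check and keyword search over a raw memory image (added example)."""
import hashlib
import re
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # 1 MiB read size; real images are multi-GB, never read them whole

# Constructed sample "memory image": the keyword appears once as ASCII at
# offset 16 and once as UTF-16LE at offset 36, surrounded by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"SecureClient"
    + b"\xff" * 8
    + "SecureClient".encode("utf-16-le")
    + b"\x00" * 4
)


def build_sample_image(path: str) -> bytes:
    """Write the constructed sample image to disk and return its bytes."""
    with open(path, "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    return SAMPLE_IMAGE


def hash_image(path: str) -> Dict[str, str]:
    """Stream the file once and return hex MD5 and SHA-256 digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(path: str, expected_md5: str) -> bool:
    """True if the image still matches the MD5 recorded at acquisition time."""
    return hash_image(path)["md5"].lower() == expected_md5.lower()


def keyword_search(path: str, keywords: List[str],
                   chunk: int = CHUNK) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, keyword, encoding) tuples for every hit.

    Each keyword is searched as UTF-8 (ASCII for plain keywords) and as
    UTF-16LE. Consecutive chunks overlap by the longest encoded keyword so a
    match across a boundary is found; the overlap would report such a hit
    twice, so hits are collected in a set keyed by absolute offset.
    """
    patterns = []
    for kw in keywords:
        patterns.append((re.compile(re.escape(kw.encode("utf-8"))), kw, "utf8"))
        patterns.append((re.compile(re.escape(kw.encode("utf-16-le"))), kw, "utf-16le"))
    overlap = max(len(kw.encode("utf-16-le")) for kw in keywords)

    hits = set()
    base = 0          # file offset of the first byte of the current block
    tail = b""        # trailing bytes carried over from the previous block
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            start = base - len(tail)   # file offset of buf[0]
            for pat, kw, enc in patterns:
                for m in pat.finditer(buf):
                    hits.add((start + m.start(), kw, enc))
            base += len(block)
            tail = buf[-overlap:]
    return sorted(hits)


if __name__ == "__main__":
    import tempfile, os
    path = os.path.join(tempfile.mkdtemp(), "mem.dd")
    build_sample_image(path)
    digests = hash_image(path)
    print("md5   ", digests["md5"])
    print("sha256", digests["sha256"])
    print("verified:", verify_image(path, digests["md5"]))
    for off, kw, enc in keyword_search(path, ["SecureClient"]):
        print(f"hit {kw!r} ({enc}) at offset {off:#010x}")
```

Run it against a real dump by replacing the sample path with the image file and the keyword list with the terms of interest; the offsets it prints are what a tool like Responder would then resolve to a process or module.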


What’s interesting too, is that not only can you view lists of all this, you can also view this information per process and drill down into it.


The Responder also has what seems to be a very nice reporting engine behind it, as it can export results to various formats such as PDF, TXT, HTML, etcetera. I haven’t been able to test this in the evaluation version, but it looks promising as far as I can tell.

Although I haven’t had enough free time to go into as much detail as I wanted, I can see already that if I were to work in incident response or forensics one day, this is what I want in my toolkit. From the evaluation guide I received, you can tell how much thought HB Gary put into this tool, even if only for evaluation purposes. The guide pointed to several useful online videos and explains different situations the application could be used in. Further, it lists suggested tests one could do to evaluate the software. Very useful for labs that haven’t used the software yet, and want to verify its workings thoroughly!

A big thank you to Bob from HB Gary for giving me the chance to play with this amazing piece of software. A couple of days ago he informed me that not all features are available in the evaluation software, but the final shipping software is also able to search through the pagefile for keys and passwords, and parse internet history (including timestamps!), emails and other documents. Love it!

The BBC Botnet

I'm not going to write too much on this topic, as other blogs and news sites already extensively reported on it. However, I just wanted to remark that most infosec people out there raise the question whether or not what the BBC did (i.e. buying a botnet, and using it to send spam and execute a DDoS) is a breach of the Computer Misuse Act. On their own website, the BBC reports that "if this exercise had been done with criminal intent it would be breaking the law." But even though the attacks were performed under advance agreement, I doubt they asked the actual owners of the zombie PCs if they wanted to participate in the exercise. Furthermore, if the zombies are on the network of an ISP that follows a strict abuse policy, those PC owners might get their subscriptions suspended for something they are not even aware happened.

Got my EnCE and CHFI, but I want more

I did it! It all started with getting my Master's in Digital Forensics in 2008. I was so intrigued by the subject, I soon started lots of extra self-study on the forensics subject, and got the opportunity to attend various EnCase courses. This week, I got some more confirmation that I like what I do and I'm good at it: I passed the Certified Hacking Forensic Investigator (CHFI) exam, and got an email from Guidance Software telling me I passed the EnCase Certified Examiner (EnCE) practical as well. I know, I know, quite a few people out there don't like certifications and say they don't help, but personally I find it very important to get this confirmation for myself. On a side note, the book I used to prepare for the CHFI (the official study guide by Syngress) was not good for passing the exam in my opinion (although it makes for a nice reference on computer forensics in general) and I still passed it based on previous self-study. I rock ;)

Anyways, why am I doing this, you ask? Well, about 2 years ago I began getting tired of working in Information Security. I get this feeling that both employers and customers just don't "get it". They sell security because they see it as a product. They buy security because the auditor said so. They yell at you because the Internet is slow when viewing a livestream via the proxy. They employ people who know which buttons to click to make the traffic get through the firewall, allow any any, oh look, it works! I've had it... Don't get me wrong, I'm not against information security; au contraire, I'm trying to evangelise infosec as much as I can, but every so often I have the feeling I'm preaching to the choir.

I'm someone who wants to help, make a difference. Maybe a bit of an idealist sometimes. But I want to help people who ask me to do something because they care about the thing that needs to be done. After a system compromise, an organisation wants to know what happened. When someone is copying sensitive information and sending it to the competition, they want to know how that was ever possible. They don't seem to care about security in advance, only once it's too late. So if I want to make a difference, I feel I should move to the other side of the line. Instead of prevention, move to after-the-fact analysis. At least only those who care will ask for my service, or at least they will listen to what I have to say.

So to keep a very long story a little shorter: I want to be a forensic analyst, examiner, investigator, whatever you like to call it. I may not have the practical experience yet, but hey, I am very motivated, eager to learn, and just need one chance to prove myself. Feel like you or your company might want to give me that chance? Let me know! For more info about me, have a look at my LinkedIn profile, or drop me an email. And don't back out just because I live in Belgium; I'd be happy to move to Australia, the UK, the USA or probably any other country where I can be understood in English :)

About me

  • I'm An Hilven