2006-05-17: Network Security, Intrusion Detection, Data Forensics

Meeting Announcement and Agenda

May Meeting Redux

33 people attended the May meeting.

The meeting started with projector drama. We managed to unplug the projector during the pre-meeting setup before it had a chance to properly cool the bulb. Upon turning the projector back on the light would not come on. So, I raced back to my office at UF to see if I could find the spare bulb. What I found out is that we don't have a spare bulb. A new bulb for this projector is about $400. So, it doesn't surprise me that I decided years ago to wait until the bulb failed before spending that much money for a new one. Fortuitously, David McDonald, took the bulb out, reseated it into its socket, and revived the projector. Since the meeting was about security and data integrity, the projector drama created a good opening discussion about the problems created by single points of failure.

The next security lesson was the age old adage,"if someone gains physical access to the device all bets are off". This lesson was delivered by Ramzi. He showed us how to build a door buster for $20.

Download the video used for the presentation here (20mb).

After that, the main event was delivered by Jordan Wiens and John Sawyer.

Drive Imaging

• dd (Windows and *nix)
• *nix - http://www.gnu.org/software/fileutils/
• Win32 - http://users.erols.com/gmgarner/forensics/
• ddrescue - http://www.gnu.org/software/ddrescue/ddrescue.html
• dcfldd - http://dcfldd.sourceforge.net/
• dciiidd - not publicly available (DoD developed)
• sdd - http://directory.fsf.org/all/sdd.html

Data Integrity & File Hash Signatures

• md5deep - http://md5deep.sourceforge.net/
• hashdig - http://ftimes.sourceforge.net/FTimes/HashDig.shtml
• NSRL - http://www.nsrl.nist.gov/Downloads.htm

Data & Timeline Analysis

• Sleuthkit - http://www.sleuthkit.org/sleuthkit/index.php
• Autopsy - http://www.sleuthkit.org/autopsy/index.php
• Perl Tools
• Both of these are for Windows analysis but run on *nix
• Harlan Carvey - http://windowsir.blogspot.com/
• Jake Cunningham - http://jafat.sourceforge.net/files.html
• Ftimes - http://ftimes.sourceforge.net/FTimes/index.shtml
• mac-robber - http://www.sleuthkit.org/mac-robber/desc.php

Data Carving

• Foremost - http://foremost.sourceforge.net/
• Scalpel - http://www.digitalforensicssolutions.com/Scalpel/
• DFRWS 2006 Challenge (data carving) - http://www.dfrws.org/2006/challenge/index.html

Memory Analysis

• DFRWS 2005 Challenge (memory) - http://www.dfrws.org/2005/challenge/index.html

Linux Bootable CD for Forensics and Incident Response

• Helix - http://www.e-fense.com/helix/

Antiforensics

• Metasploit Anti-forensics- http://www.metasploit.com/projects/antiforensics/

Online Resources (forums, mailing lists & challenges)

• Forensic Focus - Forums & Articles - http://www.forensicfocus.com/
• ForensicsWiki.org - http://www.forensicswiki.org/wiki/Main_Page
• Honeynet Project Challenges - http://www.honeynet.org/misc/chall.html
• CFTT - http://www.cftt.nist.gov/
• Open Source Forensic Tools - http://www.opensourceforensics.org/tools/index.html