Saturday, August 30, 2014

Recommended Reading - A new resource for those looking to learn

I am often asked about which books should be read related to topics in computer security and forensics. Sometimes these questions come from new people who want to break into the field, while others come from experienced people wanting to branch out or to really deep dive into a specific subject. In the past, I have generally answered these questions in an ad-hoc way, whether through a customized email or over instant messenger.

In an attempt to centralize my book recommendations, I have created a Recommended Reading page on my website. This page lists books across a range of categories (security, forensics, reversing, etc.), provides a brief insight into each book's contents, and also lists the general technical know-how of the specific topic needed to understand the book.

This page is a work in progress, and I definitely welcome suggestions for updates and new additions. Please note that I will only list books that I have actually read. With that said, I do accept review copies of books and often pick up new books that seem interesting.

I would like to thank Ashley and Vico for helping with the design of the page and for proofreading.

Thursday, August 14, 2014

Interview with Eric Huber on A Fistful of Dongles

I was recently interviewed by Eric Huber on his popular AFOD blog. I went into some details of my path to where I currently am in my digital forensics career and some advice for people new to the field.

http://www.ericjhuber.com/2014/08/afod-blog-interview-with-andrew-case.html

Wednesday, April 9, 2014

Building a Decoder for the CVE-2014-0502 Shellcode

Yesterday on the Volatility Labs blog I published a post on analyzing some interesting shellcode from a recent attack campaign and 0day exploit. The shellcode was encrypted multiple times and required full static reversing before revealing the algorithm needed to decrypt the backdoor URL. I think you will like it:

http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
Monday, November 25, 2013

Our Registry Forensics Master Class is now Live!
I am very happy to announce that the Registry Forensics Master Class that I developed in conjunction with 504ENSICS is now live. The master class is completely focused on registry forensics, and takes students from the basics through advanced topics and analysis techniques. A few of the topics covered include:

  • Acquiring hives from both disk images and memory samples
  • Understanding the raw artifacts contained in the variety of hives
  • Analyzing the artifacts using a number of popular forensics tools
  • Scripting registry forensics tools for automated and repeatable analysis
  • Timelining registry contents
  • Baselining hives to determine activities caused by malware and user actions
  • Incorporating Windows backup facilities into registry analysis
  • Investigating the registry in volatile memory (RAM)
  • Analyzing malware in the registry
  • Defeating anti-forensics

The class is an online, self-paced course that mimics what would be covered in a 2-3 day in-person offering. Each lesson in the course includes a lecture that teaches a specific topic in registry forensics followed by a hands-on exercise. The exercises are completed in online Windows and Linux virtual machines that are pre-configured with all the tools and materials needed. To ensure students are learning the material, each exercise includes questions that must be answered in the quiz module. This module tracks a student's progress, and can produce reports of the student's grades so that the course can be justified to managers and directors. Each exercise also comes with a complete lab guide that walks the student through how to answer each question as the instructors would.

The course ends with a large investigation that requires combining skills learned throughout the class. After completing the course, students will be able to immediately use the techniques learned in real-world investigations involving digital forensics, incident response handling, and malware analysis.

Leading up to our public release we asked Ken Pryor (@kdpryor), a well-known digital forensics analyst, to review the course. Upon completion, he provided the following feedback:

“The Windows Registry Master Class is a great course for new and veteran analysts alike. I entered the course expecting to learn a little something, but came out of it feeling like I got so much more than I had bargained for. Each module of the course taught me something new. The excellent labs reinforced what I learned in the modules and gave me the ability to gain firsthand knowledge of the material. I strongly recommend this course for analysts of all skill levels, as I believe everyone can gain from it.”

For more information on the course or to register, please see the Hacker Academy page where it is hosted here. If you have any questions about the course, use the comment section below or email me at andrew [at] memoryanalysis.net. While the course is primarily offered online, we also have the ability to give the course to in-person groups. If you have a group that is interested in these private offerings, then please contact us as well.

Thanks,
Andrew (@attrc)

Tuesday, July 16, 2013

Results of the 4cast Awards Nominations

As previously announced, I was nominated for 'Digital Forensics Examiner of the Year' at the Forensics 4cast Awards. The awards ceremony was held last week during the DFIR summit, and I was voted the winner in the category. I am very grateful for this award and recognition and hope to have another strong showing next year!

Monday, July 8, 2013

Interview on the Healthy Paranoia podcast

I was recently interviewed on the Healthy Paranoia podcast about memory forensics during DFIR as well as other related topics. It was a really fun time, and I hope to be on the show again in the future. Read about the interview and listen to the MP3 here:

http://packetpushers.net/healthy-paranoia-show-14-digital-forensics-and-incident-response-with-andrew-case/

Please contact me if you have any feedback or comments about the show.

Thanks,
Andrew (@attrc)

Thursday, June 13, 2013

Final Week of Month of Volatility Plugins II is posted

We are writing to announce that the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version.

This week's posts discussed a number of new and updated plugins used to analyze Mac systems.

The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection:

http://volatility-labs.blogspot.com/2013/06/movp-ii-41-leveraging-process-cross.html

The second post covered dumping, scanning, and searching process memory:

http://volatility-labs.blogspot.com/2013/06/movp-ii-42-dumping-scanning-and.html

The third post discussed how to recover networking information:

http://volatility-labs.blogspot.com/2013/06/movp-ii-43-recovering-mac-os-x-network.html

The fourth post showed a number of artifacts in Mac kernel memory:

http://volatility-labs.blogspot.com/2013/06/movp-ii-44-whats-in-your-mac-osx-kernel.html

The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways:

http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html

We hope you have enjoyed this month's posts and will be trying 2.3 when it's released!

Thanks,

Andrew (@attrc)