• Puzzle 6 Winners

Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.

I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth.  Here are some of the features I describe in my writeup:

• HTML reports that allow for easy navigation/importing into a larger report
• Generates a summary of flows between hosts on the network
• Flows are broken up by segments representing parts of the conversation
• Segments are dissected, carved, hashed. Currently, Pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6

While pcapline is developed and tuned for answering the questions from this challenge, it’s still a very useful starting point for examining other packet data as well.  You can view the report generated by pcapline here:

(NOTE: Files and data are carved out that some signature-based IPS will detect as being malicious.  I observed this on one computer where Sophos blocked access to this site on that computer after clicking the wrong link in this report.  You’re not likely in any danger, as pcapline renames things in such a way that they shouldn’t be executed or viewed in their native formats, but do take care)

• Sample Report

Here’s the script itself.  It’s a slightly newer version than the one on forensicscontest.com .  I fixed a couple of places where it was generating terrible HTML that non-firefox browsers choked on.

• pcapline.py

Enjoy!

• Training law enforcement agents to respond to and investigate crimes involving digital evidence
• Giving wounded veterans digital forensic training, to give them a useful skill set and experience as they transition to other roles and jobs
• Providing equipment for “Mini-Labs” throughout the state of Mississippi to distribute the case-load of digital forensic investigation here

The training provided by the NFTC is free for the students that qualify for it.

Now that I am working at the NFTC, I will be wearing many hats:

• I will be updating the curriculum for classes we are currently teaching, and developing material for new classes (I am especially excited about adding a network forensics course later this year)
• I will be teaching the courses that we have developed to law enforcement and veterans, in our teaching lab at MSU, and wherever else we travel to teach our classes
• I will be working to build up a research focus at the NFTC, using our time between classes to develop and publish new digital forensic techniques and tools, free for use by our students and the digital forensics community as a whole.

I’m very excited about bringing my background with security, vulnerability assessment, and penetration testing to the forensics field in this job, and I’m looking forward to publishing more of our efforts in this area.  I will be blogging about forensics more often here, although it will always have a slant that will be interesting to security professionals.  We’ll also be unveiling a new NFTC website soon that will have better information about upcoming classes, and forensics news, whitepapers, and tools that will be of use to those outside of the community of our students too.

I participated in this contest and wrote a small Python script that generates a .CSV summary of Apple TV activity on a network and extracts .plist files from that traffic. It was a lot of fun to tinker around with, and it looks like I just managed to land in the list of finalists. You can check out the finalist entries, including mine, at the following links:

• Puzzle #3 Winners
• My Entry: atvsnarf.py and my writeup

These competitions are fun to participate in, and I’m hoping that I’ll have time to finish up my entry for Puzzle #4 before the deadline.

As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.

I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.

I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to Youtube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:

• http://dallas.fbi.gov/dojpressrel/pressrel09/dl063009.htm
• http://www.google.com/hostednews/ap/article/ALeqM5hGIxH-4yZGtIwfRX4kk3oYkhkvsAD995A5H82

Google News shows over 170 related stories.

The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of public record, however I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:

• http://viewer.zoho.com/docs/ev6li

(Edit: moved it offsite, because it was chewing bandwidth a lot more bandwidth than you’d expect.  You can read it online or download it from the above link)

If you’re reading the above, I’m “CW-1″.

I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.

For now, though, I’ve had a long day, and I shall rest :)

Dale Beauchamp – DojoSec January 2009 from Marcus J. Carey on Vimeo.

It’s a 50-minute class, and pretty strictly so, since the Information and Computer Security class is held immediately afterwards :).  Due to the limited time I have, I’ve scaled back my coverage of these two chapters to what you see in the following slides.  I’m focusing on the basic data structures used by “extx” to point at files and metadata, such as the superblock, group descriptor tables, and inodes.  I’ve included an example of finding a file on a filesystem using only dd piped through xxd and less, and some discussion of what a forensic examiner or someone tasked with data recovery should be on the look-out for.

Unfortunately with this PDF version of the slides, you won’t see the slick Keynote animations I’ve worked into my lecture.  I’m considering expanding the detail and coverage of this, and recording the slideshow as a video with narration for this site:

• Slides – PDF Format (through the “Reduce File Size” Quartz Filter)
  

Enjoy!

Edit: Wow, that filter really killed the screenshots, uploaded the full-res version

The Princeton tools are now available here.

The key-finding code is definitely of interest, and ought to work with msramdmp images as well (although I haven’t tested the code at all, yet).  From what I’m reading of the memory dumping code and docs, if msramdmp is currently suiting your needs, you may not need to change over, especially if you’re taking advantage of the fact that msramdmp will let you dump a few computers before having to pull the images off and reset the partitions.  If, however, you’re wanting to dump more than 4 gigs on a 64-bit machine, dump over a network, or dump an EFI-based machine, the Princeton tools are definitely what you’ll want to start playing with now.

Very cool work, Jacob!  Hope the talk goes well!

The sexyhacking.com videos are not safe for work, however they’re probably even less arousing than you’d think.  They are hosted on YouTube, after all.  You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be around.

In the second video, described as Episode 1 in a series called “Naughty Script K1dd13″, basic compilation and usage of nmap is covered by a somewhat disinterested teacher.  It must be hot in the classroom, since she’s unbuttoned her shirt about halfway down.  Strangely enough, while nmap is displaying its scan, they censor the IP addresses involved with COPS-style pixelization:

If you’re paying more attention to the terminal than the girl, you’ll notice that they’re not very thorough.  At 3:49, we catch the video editor asleep at the wheel as the traceroute pops up :

…and at 3:50, the censor wakes up :) :

I’m not even sure why they’re attempting to hide the IP address.  It’s stated in the narration that sexyhacking.com will be used as the target, and the IP address revealed above is simply what you’d get doing a DNS lookup of sexyhacking.com…

(so long as Dan Kaminsky isn’t angry at you)

So, to sum it up:  If you’re redacting information out of a video you’re publishing, you not only have to worry about people being able to reverse engineer your pixelation (just black it out!), you’ll also have to make sure you blot it out of every frame :) .

This particular bad-guy IP is a great example of an IP address that has really made its mark on Google, so I’ll link the results here:

* Google search results for “196.3.61.4″

Off the eastern coast of Madagascar, there’s an island called Mauritius.  On this island there’s the city of Ebene.  In this city, there’s this building, the “Cyber Tower”.  According to Whois, on the third floor of this building, there’s a computer being used for all sorts of phishing and fraud.  

It would be “just another scammer”, but this one has a great sense of humor.  Check out this diff on an edit made from that IP address on the Wikipedia entry for Advance fee fraud:

Very nice.