Gregory Pendergast
187 followers|2,421 views

Gregory Pendergast

This is an interesting post on the Sketchymoose blog comparing and contrasting a Supertimeline approach to analysis vs. a Sniper Forensics style examination of the Master File Table (MFT).

I'm looking forward to Part 2.
11 comments (Harlan Carvey, David Cowen, Erik Musick, Gregory Pendergast):

+Gregory Pendergast I was making the same assumptions and line of thought. You don't have to be an ass by yourself. ;)

Gregory Pendergast

I've become a big fan of Internet Evidence Finder (IEF) lately, but this blog post goes beyond the benefits of IEF. The key takeaway, regardless of what tool you use, is that you should be collecting your own intelligence to apply across cases. This is a brilliant usage of IEF, but it couldn't have happened if the analyst hadn't maintained an ongoing list of strings associated with keyloggers and spyware.

I will say that IEF makes this kind of thing easier than most tools I've seen because it gives you the ability to alert on keywords and view results while the search is still running.
5 comments (Harlan Carvey, Gregory Pendergast):

Greg,

I understand.

"...I want to find all of the plugins that gather "Most Recently Used" artifacts..."

I think maybe this is something we should discuss offline.  Again, there are a number of MRUs in the Registry...TSClient, VNC, files, folders, etc.  One way to approach this might be to add an "MRU" category or identifier of some type.

I'd be happy to discuss this with you and see what can be done to address this, but again, this is something that any RegRipper user can accomplish themselves, if they choose to do so.
 
Is anyone aware of a way to determine a time frame for artifacts in Pagefile.sys, when those artifacts are not accompanied by any time stamp information in the pagefile?  Either my Google-fu is failing me, or the answer isn't quite out there.

To be a bit more specific, I have some URL artifacts of interest retrieved from Pagefile.sys. If possible, short of a definitive timestamp, I'd like to be able to report something along the lines of:  "The presence of X artifact in the pagefile indicates recent activity within Y days/weeks of the last computer usage."

However, I haven't found any way to confirm definitively that the activity is really as recent as I think it is, nor any way to establish at least a rough time frame around it. This is of interest because there is similar activity in the browsing history, but there are artifacts in Pagefile.sys that are not duplicated in the browsing history.
5 comments (Harlan Carvey, Gregory Pendergast):

> The amount of context is variable, and I'm not sure why that is.

It's always good to ask, and get an understanding.

Years ago, when I was doing PCI exams at IBM, we ran into an issue with the default EnScript for locating credit card numbers in our images.  Specifically, we knew that there were Discover and JCB CCNs, which PCI said were "valid", but the isValidCreditCard() function seemed to be missing them.  I tried asking on the EnCase user forum and after a false start, got some information that was useful, and led to us getting some help creating a home-brew version of the function.

> ...I need to get to an understanding of the data structures...

It's SO awesome to hear you say that!  I've been trying to get folks interested in understanding the shell item data structures found in multiple Registry keys, shortcuts, Jump Lists, etc., but so far, no bytes.  ;-)  I think that what you're doing is the absolute right thing...let me know how it goes.
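The gap described in the comment above, a card-number validator that simply does not know some of the brands PCI counts as valid, is easy to make concrete. The following is an added example written for this page; it is not the EnScript function mentioned, nor code from either commenter. It embeds the publicly documented issuer prefix ranges and the standard industry test numbers (a constructed sample, not real cards), and the narrow brand list is a hypothetical stand-in for a validator that lacks Discover and JCB:

```python
import re

# Issuer identification prefixes and accepted lengths per brand (publicly
# documented ranges; a real scanner must be kept current with the issuers).
BRAND_RULES = [
    ("Visa",             [(4, 4)],                                              {13, 16, 19}),
    ("MasterCard",       [(51, 55), (2221, 2720)],                              {16}),
    ("American Express", [(34, 34), (37, 37)],                                  {15}),
    ("Discover",         [(6011, 6011), (622126, 622925), (644, 649), (65, 65)], {16, 17, 18, 19}),
    ("JCB",              [(3528, 3589)],                                        {16, 17, 18, 19}),
]

# Hypothetical narrow brand set: stands in for a validator that never learned
# about Discover or JCB, the situation described in the comment above.
NARROW_BRANDS = frozenset({"Visa", "MasterCard", "American Express"})
PCI_BRANDS = frozenset(name for name, _, _ in BRAND_RULES)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _prefix_in(digits: str, lo: int, hi: int) -> bool:
    # Compare the leading len(lo) digits numerically against the range.
    n = len(str(lo))
    return lo <= int(digits[:n]) <= hi


def brand_of(digits: str):
    """Return the brand name for a digit string, or None if no rule matches."""
    for name, ranges, lengths in BRAND_RULES:
        if len(digits) in lengths and any(_prefix_in(digits, lo, hi) for lo, hi in ranges):
            return name
    return None


def is_valid_ccn(digits: str, brands=PCI_BRANDS) -> bool:
    """A candidate is reported only if it is numeric, passes Luhn, and is an accepted brand."""
    return digits.isdigit() and luhn_ok(digits) and brand_of(digits) in brands


# Runs of 13-19 digits not adjacent to other digits.
_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_ccns(text: str, brands=PCI_BRANDS):
    """Scan text for digit runs that pass Luhn and belong to one of the accepted brands."""
    return [(m.group(), brand_of(m.group()))
            for m in _CANDIDATE.finditer(text) if is_valid_ccn(m.group(), brands)]


def brands_missed(text: str, narrow=NARROW_BRANDS, full=PCI_BRANDS):
    """Brands present in text that the narrow validator silently drops."""
    found_full = {b for _, b in find_ccns(text, full)}
    found_narrow = {b for _, b in find_ccns(text, narrow)}
    return sorted(found_full - found_narrow)


# Constructed sample: standard industry test numbers (not real cards) plus one
# digit run whose check digit is wrong.
SAMPLE_TEXT = """
order=4111111111111111 visa
order=5555555555554444 mc
order=378282246310005 amex
order=6011111111111117 discover
order=3530111333300000 jcb
junk=4111111111111112 bad-check-digit
"""

if __name__ == "__main__":
    for number, brand in find_ccns(SAMPLE_TEXT, NARROW_BRANDS):
        print("narrow validator reports:", number, brand)
    print("brands missed by the narrow validator:", brands_missed(SAMPLE_TEXT))
```

Running the sample shows the narrow validator reporting only the Visa, MasterCard and American Express numbers; the Discover and JCB numbers pass the Luhn check but are dropped purely because their prefixes are unknown to it, which is exactly the class of false negative worth checking for before trusting a tool's built-in validator in a PCI scope.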

Gregory Pendergast

Security Onion 12.04 beta is now available. Very much looking forward to trying this release!

http://securityonion.blogspot.com/2012/09/security-onion-1204-beta-available-now.html?m=1

Gregory Pendergast

My Review of Network Flow Analysis is up at InfoSec Reviews. This is an excellent, highly technical book for both security professionals and network administrators. It is slanted toward the network administration angle, but some of the case studies are applicable to security. Security professionals who read this should easily see the relevance and recognize other possible uses beyond the provided case studies.

Full packet capture on a network can be unfeasible for various reasons (frequently, cost is one), but if you're not at least collecting and analyzing NetFlow (sFlow or jFlow), you're really flying blind.
2 comments (Paul Henry, Gregory Pendergast):

Awesome. I'm sure you'll enjoy it. It's a surprisingly easy read, but there's a lot of meat to dig into.

Gregory Pendergast

Anyone have any thoughts on or experiences with LastPass? I'd prefer sticking with KeePass, but haven't seen a compelling KeePass app for iOS, which is just annoying.
5 comments (Gregory Pendergast, Tom Yarrish):

Pretty much.

I don't think I was, but they forced everyone to change their passwords anyway.

Gregory Pendergast

Leaving aside the obvious plug for Red Sky Alliance, there are some interesting nuggets in here about the present state of the Info Sec fight. Also, some frightening statistics if they are anywhere near true.

Anyone with more metrics care to weigh in on the quality/accuracy of these stats? Any members of Red Sky care to comment on its value?
 
"In any given enterprise, when you run those host based tools to look for these indicators of compromise (IOCs), any given company is going to be inundated with results --and most will not be false positives"
3 comments (Harlan Carvey, Gregory Pendergast):

Maybe collaborating isn't the right way to characterize it.  I don't know...I haven't seen the data.  Several years ago, at a MS conference regarding botnets and cybercrime, two different presentations from USSS characterized what they were seeing as an "economy", where services and goods were bought and sold, and if you didn't stay relevant, you were out.  There was a sort of "survival of the fittest" type of approach.  Regardless of how it's characterized, however, I would suggest that it's more than enough to keep the victims on the ropes...

Gregory Pendergast

Virginia Commonwealth University is hosting and sponsoring the 2nd annual RVAsec Conference in Richmond, Virginia. The conference, including one day of training classes, will be held May 30 - June 1. Please visit the web site for more details.

http://rvasec.com

Also, the Call for Papers is open, so if anyone is interested in presenting, please consider submitting a proposal here:

http://rvasec.com/2013-cfp/



Gregory Pendergast

So what does everyone think of the Python 3.3.0 release? I'm not a python dev, but it seems to me I still see a lot of stuff requiring 2.6 or 2.7. Am I the only one annoyed by the need to keep multiple versions around?
5 comments (Gregory Pendergast, Tom Yarrish, Israel Torres):

Thanks for the insight, +Israel Torres. Very much appreciated.

Gregory Pendergast

I recently commented on this post by +Richard Bejtlich over on his TaoSecurity blog (Google borked the authentication and listed me as "Unknown"). Richard lists the pros and cons of disclosing vulnerabilities in attacker tools, such as the recently revealed vulnerability in the Poison Ivy RAT. Richard tends toward the side of non-disclosure, and I see his point. I haven't fully made up my mind on this.

But as I was reading, I saw a parallel to the frequent debates about sharing threat intelligence and indicators of compromise. I see both sides of the argument there as well, but one thing I don't recall having ever seen discussed is the class system the lack of sharing creates among defenders. As I mentioned while commenting on Richard's post, there are effectively two tiers of defender that result from this. The first tier, those "in the know" who have access to all manner of shared intelligence, are far better able to defend their networks and systems. On the flip side, those defenders who aren't privy to such privileged information are left to cull what they can from public sources and hope for the best. Now, I don't pretend to know what the answer is in terms of bridging that gap. But there's no way this can lead to better security for our country or any country. The only answers I see are to make threat intelligence and indicators of compromise more widely available (firms like +Mandiant who monetize that data will object) or to put more of the nation's Information Security defense in the hands of the federal government and/or ISPs. I can see all manner of objection to that as well.

Gregory Pendergast

md5deep gets an update to fix critical bugs.

http://jessekornblum.livejournal.com/278069.html

Gregory Pendergast

I need a recommendation for an iOS forensics book. If any of you have read both "iOS Forensic Analysis" by Sean Morrissey and "iPhone and iOS Forensics" by Andrew Hoog & Katie Strzempka, I ask: which book would you buy if you could only buy one of them?
10 comments (Gregory Pendergast, João Carvalho, Joe Garcia, Brian Moran):

But I recommend the "Zdziarski Technique"! Please take a look at http://viaforensics.com/iphone-forensics/iphone-forensics-white-paper-zdziarski-technique.html

People: 187 people have him in circles
Work: Information Security Analyst, present
Tagline: Don't Panic
Gender: Male
Other names: Greg