Gregory Pendergast
195 followers
Don't Panic

This is an interesting post on the Sketchymoose blog comparing and contrasting a Supertimeline approach to analysis vs. a Sniper Forensics style examination of the Master File Table (MFT).

I'm looking forward to Part 2.

Leaving aside the obvious plug for Red Sky Alliance, there are some interesting nuggets in here about the present state of the Info Sec fight. Also, some frightening statistics if they are anywhere near true.

Anyone with more metrics care to weigh in on the quality/accuracy of these stats? Anyone members of Red Sky and care to comment on its value?
"In any given enterprise, when you run those host based tools to look for these indicators of compromise (IOCs), any given company is going to be inundated with results --and most will not be false positives"

I've become a big fan of Internet Evidence Finder (IEF) lately, but this blog post goes beyond the benefits of IEF. The key takeaway, regardless of what tool you use, is that you should be collecting your own intelligence to apply across cases. This is a brilliant usage of IEF, but it couldn't have happened if the analyst hadn't maintained an ongoing list of strings associated with keyloggers and spyware.

I will say that IEF makes this kind of thing easier than most tools I've seen because it gives you the ability to alert on keywords and view results while the search is still running.

Virginia Commonwealth University is hosting and sponsoring the 2nd annual RVAsec Conference in Richmond Virginia. The conference, including one day of training classes, will be held May 30 - June 1. Please visit the web site for more details.

http://rvasec.com

Also, the Call for Papers is open, so if anyone is interested in presenting, please consider submitting a proposal here:

http://rvasec.com/2013-cfp/


Is anyone aware of a way to determine a time frame for artifacts in Pagefile.sys, when those artifacts are not accompanied by any time stamp information in the pagefile? Either my Google-fu is failing me, or the answer isn't quite out there.

To be a bit more specific, I have some URL artifacts of interest retrieved from Pagefile.sys. If possible, short of a definitive timestamp, I'd like to be able to report something along the lines of: "The presence of X artifact in the pagefile indicates recent activity within Y days/weeks of the last computer usage."

However, I haven't found any way to confirm definitively that the activity is really as recent as I think it is, nor any way to establish at least a rough time frame around it. This is of interest because there is similar activity in the browsing history, but there are artifacts in Pagefile.sys that are not duplicated in the browsing history.

So what does everyone think of the Python 3.3.0 release? I'm not a Python dev, but it seems to me I still see a lot of stuff requiring 2.6 or 2.7. Am I the only one annoyed by the need to keep multiple versions around?

Security Onion 12.04 beta is now available. Very much looking forward to trying this release!

http://securityonion.blogspot.com/2012/09/security-onion-1204-beta-available-now.html?m=1

I recently commented on this post by +Richard Bejtlich over on his TaoSecurity blog (Google borked the authentication and listed me as "Unknown"). Richard lists the pros and cons of disclosing vulnerabilities in attacker tools, such as the recently revealed vulnerability in the Poison Ivy RAT. Richard tends toward the side of non-disclosure, and I see his point. I haven't fully made up my mind on this.

But as I was reading, I saw a parallel to the frequent debates about sharing threat intelligence and indicators of compromise. I see both sides of the argument there as well, but one thing I don't recall having ever seen discussed is the class system the lack of sharing creates among defenders. As I mentioned while commenting on Richard's post, there are effectively two tiers of defender that result from this. The first tier, those "in the know" who have access to all manner of shared intelligence, are far better able to defend their networks and systems. On the flip side, those defenders who aren't privy to such privileged information are left to cull what they can from public sources and hope for the best. Now, I don't pretend to know what the answer is in terms of bridging that gap. But there's no way this can lead to better security for our country or any country. The only answers I see are to make threat intelligence and indicators of compromise more widely available (firms like +Mandiant who monetize that data will object) or to put more of the nation's Information Security defense in the hands of the federal government and/or ISPs. I can see all manner of objection to that as well.

My Review of Network Flow Analysis is up at InfoSec Reviews. This is an excellent, highly technical book for both security professionals and network administrators. It is slanted toward the network administration angle, but some of the case studies are applicable to security. Security professionals who read this should easily see the relevance and recognize other possible uses beyond the provided case studies.

Full packet capture on a network can be unfeasible for various reasons (frequently, cost is one), but if you're not at least collecting and analyzing NetFlow (sFlow or jFlow), you're really flying blind.

md5deep gets an update to fix critical bugs.

http://jessekornblum.livejournal.com/278069.html