Thursday, June 4, 2009

Book Review - Perl Scripting for Windows Security

Syngress was kind enough to give me a copy of Harlan Carvey's book, "Perl Scripting for Windows Security" while I was visiting the Syngress booth at Techno-Security this week.  After reading the book, I have to say that I was really pleased with the content.

This is not a Perl tutorial.  However, if you happen to be using any of Harlan's tools that he has written in Perl to perform live response, post-mortem forensics or network security administration, the book gives good insight into exactly what the scripts are doing and why.
While I am not a Perl programmer, I have over 25 years of experience programming in various computer languages.  Based on what I saw in the book, anyone with fairly basic programming knowledge can understand what Harlan is doing with the scripts and if they want to learn Perl, could use them as an excellent method for advancing their knowledge into writing specific scripts later on.
For someone who is an experienced programmer who wants to dive into Perl scripting, once you have gained an understanding of the Perl syntax and coding rules, Harlan's scripts and advice in the book for additional resources are an excellent way to get deeper into coding Perl for specific security tasks.
The foundation of programming is basically the same, no matter what language you choose to use.  What differs between the different languages is primarily features and syntax.  In other words, how you have to structure your coding for the interpreter or compiler to understand what you are trying to do.
The book is organized into three parts, with Part 1 covering how to use Perl for incident response and troubleshooting live systems.  Part 2 covers post-mortem forensics and Part 3 covers monitoring application processes, Web services and log files.
While it is not a huge tome like many programming books, it is important to bear in mind that this is not a programming book.  This is a book that demonstrates specific scripts for specific tasks.  If you are a long-time coder like me, you will appreciate a book that deals with a specific subject matter without trying to teach you everything and nothing about a programming language.
If you are interested in coding your own security or forensic tools, I would highly recommend this book.

Tuesday, May 26, 2009

F-Response Field Kit Edition Review

I purchased the field kit edition of F-Response to use in a specific case. I had a fully encrypted hard drive I needed to acquire and even though I had the password to boot the computer, acquiring it forensically was a real challenge.

So I turned to the F-Response tool as a solution. Before I used it in the actual case, I tested it on one of my lab computers to make sure that it worked as advertised and also that I fully understood the process for using the tool.

In the field kit edition, you have to place the license dongle on the computer to be acquired. Since the dongle is recognized as an HID (Human Interface Device) it does not require any weird drivers, but is recognized quickly and painlessly.

To begin the process of using F-Response, you install it on the computer that is going to do the acquisition. You do not install anything on the subject computer.

While I found the documentation to be pretty good, it was a little sparse in the actual use of the product. For one thing, it should be very clear that the executable that you are going to use on the subject computer is located in the installation directory of the F-Response product. You can write the executables to any media that the subject machine can read, such as a CD or USB stick. I prefer to put it on a CD as I don't want the subject machine to load drivers for a USB stick or portable drive.

F-Response supports Windows, Linux and Mac. That is pretty awesome.

Here is a quick walkthrough on using the product, step by step, without screenies.

1. The subject computer has to be booted up in its native operating system. In my case, since it was a fully encrypted hard drive, this was the only practical way to get the image.
2. Place the license USB dongle in a USB slot on the subject computer.
3. Write the executables from the F-Response installation folder to a CD.
4. Place the CD in the subject computer's CD drive and execute the proper host program (Windows, Linux or Mac).
5. Once the F-Response host program opens on the subject machine, fill in the proper fields. (This is covered in detail in the manual.) Note: If you are using a crossover cable, like I was, you will have a host IP address on the subject computer in the 169 range if it is set to obtain its address via DHCP. This works fine.
6. Start the iSCSI initiator on your acquisition computer. (If you are running Windows XP you will need to download this from Microsoft.)
7. Complete the fields as shown in the user manual for the product.
8. Connect to the subject computer.

I have to say it worked flawlessly. I was able to connect to the subject computer with no problems, and could see both the physical hard drive and logical drives on the subject computer.

I then started up EnCase 6.12.1, created a new case and added a device. I selected local drives and VOILA!, there was the subject hard drive conveniently identified as FRES.

I then started the acquisition and it worked without a hitch. This is a great tool for getting to those encrypted drives if you can boot the computer with the password or you find the computer already running and can grab the image without shutting it down.

While I did not have an opportunity to review the consultant or enterprise editions (too expensive to buy just to do a review), I feel certain they work just as well.

At a low price of under 300.00 for the Field Kit Edition, I would recommend it for every examiner's tool box.

Monday, April 13, 2009

New Reviews coming soon.

I have not dropped off the face of the planet.  But I have been terribly busy.  I should have some new reviews up in a few days.

Saturday, March 14, 2009

Computer Forensics for Dummies
"Computer Forensics for Dummies", by Linda Volonino and Reynaldo Anzaldua.

I picked up a copy of this book and read through it.  I have to say, I was pleasantly surprised.  While most of the "Dummies" books are well written, this one stands out for tackling a fairly exotic subject matter and pulling it off.

The authors do an excellent job of providing a beginning framework for conducting computer forensic investigations and the book has a lot of practical advice, especially in the area of the process.

The authors also do an excellent job of explaining in plain language, the concepts of computer forensics and the methods used to both hide and recover data.

While the book does not go into technical depth, that is actually a good thing.  If I were teaching an introductory course in computer forensics, I would probably select this book as my course textbook.

I would also recommend this book to attorneys who want to know enough about computer forensics to hire and work with an expert.

For those who are looking for a general process for investigating computer evidence, the book is a very good resource.  Better than the majority of the computer forensics books on the market in that respect.

The problem with most computer forensics books is that they assume a level of knowledge.  Computer Forensics for Dummies only assumes that you have a little understanding of computers and does an excellent job of providing introductory concepts in computer forensics.

If you approach the book as I think it is intended, as a survey of computer forensics, then I think you will be very pleased with the information in the book.

If you think it is going to make you a computer forensics expert, it can only serve as a starting point for a lot of future training and education.  It is not intended to be a highly technical or legal or investigative book.  As far as I can tell, it does just what it sets out to do: give a very solid overview of computer forensics.

However, don't sell it short.  Some of the advice in the book is excellent.  And the process outline for conducting computer forensic examinations is quite good.

The other plus about the book is that it is written very well and is an easy read.  For students, or anyone for that matter, who is interested in the computer forensics field, it is well worth the price.

Sunday, February 15, 2009

WebCase - Vere Software - Updated

I recently downloaded and spent some time running WebCase through its paces.

A couple of things you need to know right from the start: It will not run in a virtual machine. It will not install properly on Vista 32 unless you turn off User Account Control. It does not run on Vista 64 at all.

You definitely need to re-boot after installation for it to hook up all of its DLLs and paths and database connections.

The software is designed to be an on-line investigative tool for anyone who conducts internet investigations, including undercover chats, web page and social media site investigations.

The software offers the ability to capture screens, capture video and IP addresses, do on-the-fly whois lookups, and provides undercover identity management as well as suspect information management.

While you can accomplish all of these things using discrete tools, WebCase brings them all together into a single, easy to use interface.

I was impressed with how easy the software is to use. It has a very short learning curve and even people who are not used to using computers could be trained to use this tool very quickly.

While the interface is a little clunky, it is easy to get used to.

You can view screenshots at the company's website here.

One of the things the program does is save the screen captures and video captures with an MD5 hash. I am not sure what purpose that really serves, since how would another party verify them?

I can just as easily do a manual screen capture using some other tool and then create an MD5 hash for it. Once again, it would not be verifiable by another party.

I originally wrote the above.  However, after thinking about it, the MD5 hash does serve the purpose of providing a way to see if what was captured had been modified after the capture.  Since the MD5 is embedded in the case data, it should be protected from tampering.  If that is the case, then the MD5 hash is a good idea and is useful.
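An added illustration of the point above (my example, not WebCase code): the MD5 stored beside a capture detects a capture edited after the fact, but only as long as the case record holding that hash cannot itself be quietly rewritten. The keyed seal over the record is an assumed addition for the demonstration, not a WebCase feature, and the capture bytes are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a screen capture file (not real WebCase data).
CAPTURE = b"PNG-like capture bytes: example.org chat window, 2009-02-15"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def record_capture(capture: bytes) -> dict:
    """Case-data entry of the kind the tool stores: the capture's MD5 beside the file name."""
    return {"file": "capture_001.png", "md5": md5_hex(capture)}


def verify_capture(record: dict, capture: bytes) -> bool:
    """True if the capture still matches the MD5 recorded at capture time."""
    return hmac.compare_digest(record["md5"], md5_hex(capture))


# Caveat from the review: the embedded MD5 only helps if the case data is protected.
# Authenticating the record with a key held by the examiner (assumed, not a WebCase
# feature) makes a re-hashed record detectable as well.
def seal_record(record: dict, key: bytes) -> str:
    msg = f'{record["file"]}:{record["md5"]}'.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_sealed(record: dict, seal: str, key: bytes) -> bool:
    return hmac.compare_digest(seal, seal_record(record, key))


if __name__ == "__main__":
    rec = record_capture(CAPTURE)
    edited = CAPTURE + b" (edited)"
    print(verify_capture(rec, CAPTURE))   # True
    print(verify_capture(rec, edited))    # False: post-capture modification detected

    # If the case data can be rewritten, the hash is simply recomputed and the check passes:
    rec2 = record_capture(edited)
    print(verify_capture(rec2, edited))   # True: undetected without protecting the record

    key = b"examiner-key-constructed-for-demo"
    seal = seal_record(rec, key)
    print(verify_sealed(rec2, seal, key))  # False: the rewritten record no longer matches
```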

The reporting feature for the program is very good on one hand and disappointing on another.

The program generates a very nicely formatted HTML report that you can burn directly from the report screen to CD/DVD.

That is the good news. The bad news is that you cannot print the report as a single operation, but have to print each page individually. The software is really designed to provide a CD/DVD based HTML web browser report.

Hopefully in future updates they will figure out how to produce a report in PDF or RTF format as a single operation.

The LE price is 595.00 and the Corporate price is 745.00.

Sadly, they have adopted the same practice as Guidance Software and many others where people like me have to pay a higher price than law enforcement. As if corporate customers have a magically higher budget than law enforcement agencies.
I personally dislike this two tier pricing model, but it seems that nearly everyone in the "forensics tool or training" business does it.

Overall it is a nice program with some cool features. I am not sure it is worth 745.00 to a corporate investigator.

I know I don't do enough on-line investigations to buy a tool this expensive when I already have the means to do all of this with other tools.

However, if you are LE and you do a lot of these types of investigations, and they do, then the price for them is a good deal.

Since I am doing a review, I guess I need to rate the software. So here goes:
Installation 9/10 (It needs to detect Vista 64 and refuse to install.)
Ease of Use 9/10 (Interface is a tad clunky in places.)
Learning Curve 9/10 (It really only takes a few minutes to get going with it.)
Reporting 6/10 (It needs to be able to print or export a report in one shot.)
Value LE 8/10 (The price is a little high in my opinion.)
Value Corp 5/10 (Too expensive to buy as an additional tool.)

Overall 8/10 (For what it is designed to do, it does it well.)

Friday, February 6, 2009

Cyber Crime Investigations - Book Review
"Cyber Crime Investigations - Bridging the Gaps between Security Professionals and Law enforcement and Prosecutors."

Anthony Reyes with Kevin O'Shea, Jim Steele, Jon R. Hansen, Captain Benjamin R. Jean and Thomas Ralph.

Cyber Crime Investigations gives the reader an overview of cyber crime investigations in language that everyone can understand. It is an enjoyable read if you are interested in computer forensics and cyber crimes from a law enforcement perspective.

Anthony and his co-authors do an excellent job of explaining investigative techniques, legal issues and the impact that IT departments and corporate management can have on an investigation.

The chapters on forming a working relationship between law enforcement and business management are especially important if you have an IT department and want to know how best to interface with the police.

The coverage of the legal issues is well done and should be studied by anyone who is working privately as an IT person or in computer support, to make sure that you do not get yourself into legal trouble when asked to participate in an internal investigation.

There is also good coverage of wireless communications and the issues of having a wireless network running that is unsecured.

With sage advice on preparing for testimony and working with prosecutors, Reyes does a good job of giving useful information on these topics. Bear in mind that this is strictly from a prosecutorial perspective.

The one failing of the book, and understandably so, is that it assumes that the defense will not be prepared to mount a technical defense when confronted by computer forensics evidence. While that is still the case in a lot of cases, the use of defense experts may change that in the future.

It is a worthwhile read and should be in the library of anyone who comes in contact with crimes involving computers and digital evidence.

Wednesday, February 4, 2009

What is this all about?

I decided to start this blog to do reviews of the tools and books out there to try and help out my fellow forensics people.

I am currently testing and will be posting a review shortly on several Voom Technologies products.

If you make software or hardware, or you have a book you want me to review, please contact me so we can make arrangements for you to provide a sample of the product for a limited time for me to test.

Chances are, I will also start talking about my reviews on my radio show in the future.