Tuesday, September 27, 2011

BSides Iowa, Where Else would you want to be?

What is BSides?
Each BSides is a community-driven framework for building events for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

What is BSidesIowa?
BSidesIowa is starting out to fill a gap in central Iowa for the technical knowledge sharing that seems to be lacking. While we have numerous user groups in the area, we do not seem to have a collective event for members to come together and share the knowledge that is represented in the area. Des Moines and the Central Iowa location are home to numerous organizations that could benefit from this event. This area is home to multiple financial companies, DMACC and its High Tech Crime Program, Iowa State University, multiple IT security companies, State, Local, and Federal government agencies, and numerous user groups. With all that potential, Central Iowa is still missing a cohesive event that brings professionals together.

How can you help BSidesIowa?
We are looking for sponsors willing to assist in getting this event off the ground. Because we believe the event should be free for participants, we need corporate sponsors willing to help offset some of the cost required to run and organize this event. We are specifically looking for help with the following:
  • Facility Rental (we need a space that can hold 70+)
  • Audio/Video Equipment Rental (Projector, Screen, Microphone)
  • Printing Needs (Speaker Handouts, programs, signage and other as needed)
  • Event Catering (Breakfast, Lunch and Snacks)
  • Event Recording (Would like to record the talks for those unable to make it)
  • T-Shirts (to promote the event, optional)
  • Post Event Catering (Supper, optional. Would allow the discussion to continue)

What benefit do you get for being a sponsor at BSidesIowa?
Because of the format and philosophy of BSides we cannot allow vendor-specific talks; if your organization would like to give a talk, the speaker will need to submit a proposal like any other speaker when we issue the CFP. Sponsors will gain the following benefits:
  • Being part of the media conversation: as people talk about us they talk about you or at least see you.
  • Big Fish in a Small Pond: For some, sponsoring large events is not within their price range, leaving them with no option for communicating their message. BSides is just the place for you! This small, community atmosphere brings together active and engaged participants who want to absorb information. Sponsoring a BSides event enables you to be that big fish in a small pond and better communicate your message to an active audience.
  • Stay in touch with the industry: BSides enables its supporters and participants to identify and connect with industry leaders and voices. These participants represent the social networking of security. They are the people who you want to engage to solicit feedback and bring voice to your conversation.
  • Targeted and Direct Audience: You didn't enter the security industry selling your product to everyone the same way, so why approach events that way?  Instead of marketing to the broader "security" community connect directly with the security professionals who write about, talk about, recommend, and implement security products and services.
  • Be associated with the next big thing: Nobody knows what the “next big thing” will be, but these events are community driven with presentations voted upon by the industry. There is no magic to how it works, but we believe that listening to the underground can help prepare you and help identify what the next big thing might be.
  • Sponsorship listed on programs, signage and other marketing materials used to promote the event. This includes t-shirts if they are produced.
  • Sponsors will have the ability to network with event attendees. Vendor area if space is available.

Sunday, September 25, 2011

Forensics Term Paper - Windows 8 Registry

I have been tossing around a few ideas for my term paper this fall. And yes, I am still alive.

Part of me wanted to do Malware Analysis and finding unknown evil in the enterprise by investigating interesting traffic, processes, communications and just plain dumb luck to find something. Then utilizing multiple methodologies and utilities to track down the infection and remove it.

Then I read an article on Windows 8 Beta and Jump Lists (Thanks Harlan) and that got me thinking a little more on the subject of finding out what I can in that OS in regards to the Jump List and Registry.

A few minutes ago I submitted my initial proposal to my professor on my work. Hopefully I will be presenting this at BSides Iowa in 2012.

Proposal that was Sent:

One of the most difficult parts of digital forensics is understanding how new technology interacts with current technology, and how we can use current digital forensics tools and processes to find and recover hidden information. Recently Microsoft released the Developer Beta Preview of Windows 8. With this release Microsoft has added some features to the operating system that will present some interesting complications for digital forensics.
The first thing I plan to look at is the way Windows 8 handles the Registry hive. Traditionally the registry has been known to house a myriad of useful information for the digital forensic investigator. This information includes, but is not limited to: removable media that has been plugged into the device, the current configuration of the machine the operating system is installed on, files recently accessed by users, orphaned artifacts of uninstalled software, and potential identifiers of malware infection.

To analyze the Registry differences between Windows 7 and Windows 8 we will need multiple virtual machines to create usable environments, and a baseline file to compare the changes against. Once these baselines have been established we can compare the registry files between the two versions and see what differs between Windows 7 and Windows 8. We will then install various software versions and compare the resulting registry changes across the environments. After the software is installed we will uninstall it and compare the registries to see what artifacts the uninstall process leaves behind; this will show which Registry entries remain across both versions. Finally we will infect both virtual machines with malicious code to see how the registries handle malware infection across both tested versions of the Windows operating system.

The second thing I intend to look at is the Jump Lists. This artifact first appeared in Windows 7. The Jump List allows quick access to recently accessed files or most frequently accessed files [1]. There are other capabilities of the jump lists in Windows 7 that should carry over. From my initial look at the Windows 8 operating system it appears that you can customize the jump lists. I am interested to see whether, when the jump list is limited to a small number of items, more is still stored in the registry.

Investigating the Jump Lists will require setting limits on the data retained by the jump lists and seeing how the operating system reacts. We will need to understand how these changes affect the registry and the jump list when the jump list is turned off, told to remember nothing, told to remember less, or has its limit increased. This will require analyzing the registry as we change the jump list settings, comparing the modified versions against the baseline.
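The baseline-versus-modified comparison described for the registry and for the jump-list settings can be scripted. This is an added example, not code from the post; it assumes each snapshot is a text export produced by `reg export`, and every key and value name in the sample exports is constructed for illustration.

```python
# Added example, not code from the post: compare a baseline registry export with
# a modified one, both in the text format written by "reg export" (real files are
# UTF-16: open(path, encoding="utf-16")). Sample exports below are constructed.
def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()          # glue hex(...) data split across lines with '\'
        buf = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key header, e.g. [HKEY_CURRENT_USER\...]
            keys.setdefault(current, {})
        elif line.endswith("\\"):
            buf = line[:-1]               # value data continues on the next line
        elif current is not None:
            name, _, data = line.partition("=")   # value names containing '=' not handled
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data
    return keys

def diff_snapshots(baseline, modified):
    """Keys that appeared or vanished and values that changed between two exports."""
    base, mod = parse_reg_export(baseline), parse_reg_export(modified)
    report = {"added_keys": sorted(mod.keys() - base.keys()),
              "removed_keys": sorted(base.keys() - mod.keys()),
              "changed_values": []}
    for key in base.keys() & mod.keys():
        for name in base[key].keys() | mod[key].keys():
            before, after = base[key].get(name), mod[key].get(name)
            if before != after:           # None on one side: value added or removed
                report["changed_values"].append((key, name, before, after))
    report["changed_values"].sort()
    return report

BASELINE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:0000000a
[HKEY_CURRENT_USER\Software\ExampleApp]
@="installed"
"""
MODIFIED = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:00000000
[HKEY_CURRENT_USER\Software\ExampleApp\Leftover]
"LastRun"=hex(7):4c,00,61,00,73,00,\
  74,00,00,00
"""
```

`diff_snapshots(BASELINE, MODIFIED)` reports the uninstalled application's key as removed, its leftover subkey as added, and the jump-list count value as changed, which is the per-step comparison the proposal calls for.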

Understanding how the registry behaves within the Windows 8 operating system will let us know which current tools can handle the new operating system, which tools would need to be modified, and what options are missing from the tool sets currently deployed by digital forensic investigators. This research will give us a chance to understand the changes we are going to face, as well as share our knowledge with others in the field.