Wednesday, July 3, 2013

Windows 8 Thesis DRAFT

This has been a little over a year coming, while I have enjoyed everything I have learned on this topic I have until the end of the month to finish it up and submit it for graduation. Feedback on what I might be missing or things that I need to clarify would be great.


One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how digital forensic analysts can use current digital forensics technologies and processes to recover and find hidden information. Microsoft has released its new operating system, Windows 8. With this release Microsoft has added some features to the operating system that will present some interesting complications for digital forensics.

Since the initial release of the Windows 8 Release Candidates, some research has been released that focuses primarily on the new user-created artifacts and on a few artifacts added by the operating system that might contain valuable information. In this paper I will look at the new recovery options that have been introduced in Windows 8, and the impact they have on the artifacts.

The first thing that I plan to look at is the artifacts discovered by the research of Amanda Thomson. Once I have analyzed these artifacts and verified their locations on the disk, I will create a baseline dataset to compare the impact of the recovery options on these artifacts. I will also use artifacts of new features that I have researched for this baseline.

The second thing that I will look at is how the various recovery options impact the artifacts that are found on the operating system. This will be done by installing Windows 8 in a virtual machine environment, taking snapshots of a base image, and then utilizing the various recovery methods. Once a recovery method has completed successfully, I will take the virtual machine and mount it in FTK and EnCase for analysis.

The final thing that I will include in this paper is a detailed walkthrough of where the artifacts will reside on the machine after a recovery option has been completed. I will examine the locations on a live machine as well as on a forensic copy. I will show which artifacts are easily recoverable, which artifacts need a little time to recover, and which artifacts will not be recoverable.

My Thesis

Wednesday, April 17, 2013

Malware Roulette

When I started my move into malware incident response, my training options were third-party training, on-the-job experience, or analyzing a piece of malware from a trusted source. I was limited by what I could afford, what I encountered through my work, or already knowing the malware I was analyzing. While these are all valid options, I wanted more.

I was impressed by the different DFIR challenges that were available online, but quickly noticed the limitations imposed on them. You were working with the artifacts and clues that the creator felt were important. While this helped baseline where you should focus your attention, it never gave the responder the ability to determine where they should look.

I wanted to take this to the next level and see what it would take to create a malware challenge that would allow a wide range of analysts the ability to utilize and learn. This solution needed to be robust, modular, and somewhat random so it could be used more than once.

With that I am proud to announce the release of Malware Roulette. This application allows analysts to build and test their malware incident response skill set without knowing the actual malware being installed. This application can also create other random artifacts that would be considered false positives, as well as non-related but potentially malicious network behavior. In total, at the most challenging level there are over 12000 unique artifact combinations that could be discovered on a machine.

Malware Roulette is written in the AutoIt scripting language, with all the malicious binaries packaged within the executable. To update the packaged malicious binaries, all that is needed is to recompile the executable with an updated malware directory. This allows a new Malware Incident Response challenge to be released in a timely manner.

I will be publicly releasing this tool at GFIRST, but before I do that I am looking for people interested in testing it out and helping flesh out current features. If you are interested in testing, please send me an email with the subject MALWARE ROULETTE.

  • What is Malware Roulette?
    • Malware IR training app built in AutoIt
    • Easily updated
    • 3 challenge levels, over 12000 unique artifact combinations
    • Randomly generated directory for malware
    • Malware directory randomly placed in 7 system folders
    • 12 active malware samples
    • 12 non-destructive system changes
    • 12 unique network traffic behaviors

Sunday, April 7, 2013

BSIDESIOWA 2.0.13 Recap

BSidesIowa 2.0.13
Conference in Review

When I started to write this post I wasn’t sure what I wanted to say, how I wanted to take this conversation and what I wanted to share. BSidesIowa 2.0.13 has been one of the more interesting and chaotic events I have had the opportunity to be involved with.  

I should have realized that after the rainbows and unicorns that happened around the first BSidesIowa I shouldn't expect the 2nd BSidesIowa to be as easy. The first event was in Ames, with a great budget and some good speakers. As fate would have it, the 2nd BSidesIowa was a high-stress, chaotic organizational cluster.

With this being my last year of my Masters, and BSidesIowa happening in my final semester, I wasn't sure what my organizational capacity would be. I went looking for help; Phil Polstra, a professor at the University of Dubuque, stepped up and said he would help, and UD would possibly host it. After a few more discussions we had a date, a facility and a few student volunteers. Things were starting to run smoothly, until right around the first of the year. At that time Phil started to pick up more responsibilities at work and I was preparing for relocation to Chicago. Luckily Phil was able to get help from Kayla Sieverding, a student at UD. There was honestly a time when we discussed whether we could pull it off.

As the event continued to progress we had a lot of far-reaching stretch goals for what I wanted to provide at BSidesIowa; looking back, I might have been a little too aggressive in what I wanted. We started to see some great talks coming in; we had confirmation for some incredible training, and had some great door prizes. About the 1st of March the realization kicked in that we had no financial sponsorship... With less than 5 weeks before the event we started to look at options to reduce costs and what we could cut. Over the next few weeks we had a couple of sponsors step up and offer some support. Thank you SANS for covering the networking party, and to the donors that wish to remain behind the scenes, thank you; your generosity helped us pull it off.

The day of the event was a cloudy weekend, 60F, still a gorgeous day; although there was some rain in the morning, it turned out to be a pretty nice day. The talks were amazing, the training classes were incredible, and the shirts were cool.

So let us look at some data:

[Table: attendance figures with columns Lockpick Village, # Registered, # Check in, Attendee %; the values did not survive extraction]

Yes, you read that right. We had less budget, we offered more, and we had almost 3x the attendees. These numbers don't show the whole story. Out of the 175 that were registered, 25 were for the lockpick village, and the rest were for the conference itself. I personally know multiple individuals who were registered but were unable to attend the conference. So looking at the numbers, we actually had 17+% of our attendees as last-minute walk-ins.

With the overall comments of the attendees and the data above, I feel that this event has been extremely successful. While I would love to see the same growth rate next year, I am ok with keeping the same size and continuing to focus on the quality of our presentations and training for our attendees.

The Future of BSidesIowa Conferences:

So what does all this mean for BSidesIowa?

With a 3x growth in attendees over last year, we will continue; the local attendee support for this conference is incredible.

We will be back next year. The likelihood will put us in the Davenport, Iowa area, although there is interest in holding this event in Western Iowa.


We need to learn to engage potential local sponsors and look outside the normal information security companies. Local sponsors should understand the value that we bring to the community and to their organization in training, speakers and networking opportunities.

We need to engage potential national sponsors and change the preconceived notion that Iowa is just farm country. We need to show them that there is incredible talent, training and potential clients in the area that could potentially utilize their products.

We need to re-evaluate what we want in sponsorship and our sponsorship packages. Yes, I aimed high and wanted to grow big and fast; I was humbled this year.

We need to open a dialogue with those sponsors that declined us this year and figure out what we need to change, what they want for sponsorship and what we are comfortable in giving them.

We have been lucky with college campuses for donated spaces. As we grow and want to add more, we are going to need to make sure that the space can handle us.

For workshops we need to make sure that we have the infrastructure in place to handle everything. While there were some issues, we were still successful.

We have an incredible selection of speakers in the Midwest; the range of topics was incredible. If I can have a similar lineup every year I will be happy.

We would like to help strengthen the Mentor track to give new speakers the encouragement and resources to grow.

I have always known what I wanted to see the BSidesIowa brand grow into. Yet it took talking to one of the Metasploit trainers to actually make it click. We have hacker cons, we have DFIR cons, but we have very limited, if any, cons whose primary purpose is to cater to both tracks and give cross-training. Alissa Torres brought up at the 2012 SANS DFIR Conference that DFIR professionals need to get out of our lanes and learn what the Red Team is doing. I would love to see BSidesIowa grow into that type of community-driven conference.

I would also like to see talks showcasing research from local professionals and students. Show the talent that we have in Iowa and the Midwest. We had some great talks this year that helped.

These went off incredibly well; the attendees all loved them. They helped make the conference this year. I want more next year.

If we are able to promote the Red Team/Blue Team tracks, I would love to be able to have 2 training sessions for each track. Give each specialization the ability to learn from the other.

We will invite TOOOL back; this time we will plan a little further in advance and hopefully not have any shipping issues.

Are you interested in organizing a 4hr or even longer training session?

This was one of the best events that I have ever had the privilege of working on; the support we have received from the community, sponsors and the trainers is humbling. The fact that our trainers and the Lockpick Village leaders, Ryan (Metasploit), Heather (Metasploit), Hal (Linux Forensics) and Dave (Lockpick), came to Dubuque at their own expense and offered incredible training for free to our attendees is awesome.

I was also impressed that my daughter attended her first infosec conference and survived the entry-level Metasploit class, considering her first experience in Linux was 2 days before the conference. Heather, thank you; she still talks about what she learned.

We are going to need to start working on next year, planning and organizing. Who wants to help?


Thursday, February 14, 2013

So Long, And Thanks for the Fish

As I sat down to write this blog post I wasn’t sure exactly how I was going to communicate my thoughts, my experience and the journey I have undertaken to get where I am. Then I came across this quote, and it seemed to fit perfectly.

“When we least expect it, life sets us a challenge to test our courage and willingness to change; at such a moment, there is no point in pretending that nothing has happened or in saying that we are not yet ready. The challenge will not wait. Life does not look back. A week is more than enough time for us to decide whether or not to accept our destiny.” 
Paulo Coelho, The Devil and Miss Prym

For me that happened just 9 days shy of a year ago, when I received confirmation that I was presenting at the 2012 SANS DFIR Summit. That day was a bag of mixed emotions filled with excitement, fear, pride, terror and disbelief. It was also when I realized that people wanted to hear about what interests me. By the end of 2012 I had presented at 3 different conferences on Windows 8.

The biggest turning point for me last year was networking with other peers in the industry, expressing my interest, my passion, and my desire to grow. From the SANS Summit I walked away with an incredible expanded network of peers. The network that I built from SANS Summit allowed me to interview for a couple of exciting new career opportunities.

The process has been extremely long and rewarding. It showed me the opportunities that were out there, where I was in my current career and where I wanted to go. The decisions that needed to be made were not easy, but the decision was made.

As of today I am leaving an incredible group of information security professionals and a company that believed in me and helped build my skill set over the last 6 years. As of this morning I have said goodbye to my team at Principal Financial Group. The members of my team have been some of the most intelligent, passionate and dedicated members of the community I have encountered. I have honestly learned so much from each of them over the 3 years I have been part of the team. My co-workers at Principal made the decision to leave difficult.

As of Monday, February 18th I will be joining the Chicago Office of KPMG and will be following my passion of forensics and incident response. It is an opportunity that I have been looking forward to, and I am excited about the possibilities that this will bring.

I would like to close this out by offering a few well deserved overdue public thank you’s.

Rob Lee, thank you for giving an unknown, unproven DFIR practitioner a stage at the 2012 Summit. Thank you for believing in me.

David Nides, for convincing me that I should apply to KPMG and seeing something in me that I didn't. Thank you for pushing me to jump into this headlong and never giving up.

Thank you to everyone else who reached out to me over this last year with support and advice, and for welcoming me into the community; I cannot thank you enough.

Thank you to my team at Principal, I have learned so much from everyone, and I hope that you will always be successful in the endeavors to improve the capabilities of the team.  Heather and Chris thank you for being there as a sounding board and making me realize just how incredible Principal was.

To my new team at KPMG, I look forward to learning from each of you, can’t wait until Monday.

To my wonderful wife, thank you for taking the lumps for me to follow my dreams. I know that this wasn’t what we expected when we signed on for this adventure, but I know that I can do anything if you believe in me. 

So where does this leave things?
  • BsidesIowa will still happen. I believe that the local community can keep it going. 
  • Principal Financial Group is still an incredible place to work. 
  • I am relocating to Chicago, anyone know of a place to stay?
  • I am terrified of this risk, but that being said let the adventure start. 
Thank you for all the well wishes and support. 

Wednesday, January 9, 2013

FakeAVLock - FedEx Shipping Issues - Revisited

This is a continuation of the FedEx Malware Overnight posting. I had considered putting this in the same post, but there have been some changes in what is being seen. I will update with more as I find it.

** 1/14/2012 Updated with more Initial Landing Points, and new Subject Characteristics. **
The current infection process is the same:

  • Receive a Phishing Email about a Package
  • Download Zip file with Receipt.exe in it
  • Open Malicious EXE and Svchost.exe is injected and calls home
  • Calls home for the 2nd Stage, Multiple IPs until one successfully connects
  • Finishes infection 
  • Machine is unusable. 
Characteristics of the email:
  • Different Sender
  • Different Subject
    • Starts with:
      • Tracking IR
      • Tracking Number
      • Number
    • 1 Letter in ()
    • 2-3 letters following
    • No space between last character and numbers.
      • Subject: FW: Tracking ID (t)hia53 120 120 5339 5339
  • URL for receipt is somewhat unique. 
    • where # random numbers
  • Order Number in Body is different. 

External Link Data: 
Anubis  PostalReceipt.exe
UrlQuery  for the call home site of

Malicious IPs:
You may also see requests for the following files:

Initial Landing Links for the ZIP file:
The .php?reciept=79 has been seen among all links received.
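As an added example (not from the original post), the subject characteristics and the `.php?reciept=79` landing-link pattern described above can be turned into a simple mail-triage check. The sample messages below are constructed for illustration; only the one subject line quoted in the post is taken from it, and the host names are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Subject pattern from the post: optional forward/reply prefix, one of the
# observed openers, one letter in parentheses, 2-3 letters, then digits with
# no space before the first digit, followed by further digit groups.
SUBJECT_RE = re.compile(
    r"^(?:(?:FW|FWD|RE):\s*)?"
    r"(?:Tracking ID|Tracking IR|Tracking Number|Number)\s*"
    r"\([A-Za-z]\)[A-Za-z]{2,3}\d+(?:\s+\d+)*\s*$",
    re.IGNORECASE,
)


def is_suspicious_subject(subject: str) -> bool:
    """True when the subject line matches the FakeAVLock lure pattern."""
    return SUBJECT_RE.match(subject.strip()) is not None


def is_suspicious_receipt_url(url: str) -> bool:
    """True for a .php link carrying the reciept=79 query seen on every lure."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(".php"):
        return False
    return parse_qs(parsed.query).get("reciept") == ["79"]


def triage(messages):
    """Return (subject, subject_hit, url_hit) for messages hitting either indicator."""
    hits = []
    for msg in messages:
        subj_hit = is_suspicious_subject(msg["subject"])
        url_hit = any(is_suspicious_receipt_url(u) for u in msg.get("urls", []))
        if subj_hit or url_hit:
            hits.append((msg["subject"], subj_hit, url_hit))
    return hits


# Constructed sample mailbox (not real captures); hosts are placeholders.
SAMPLE_MESSAGES = [
    {"subject": "FW: Tracking ID (t)hia53 120 120 5339 5339",
     "urls": ["http://example.invalid/fedex/PostalReceipt.php?reciept=79"]},
    {"subject": "Number (q)abc9981 4433 2210", "urls": []},
    {"subject": "Tracking Number 123456789 - delivery update",
     "urls": ["http://example.invalid/track?id=123"]},
    {"subject": "Your receipt",
     "urls": ["http://example.invalid/dl/receipt.php?reciept=79"]},
]

if __name__ == "__main__":
    for subject, subj_hit, url_hit in triage(SAMPLE_MESSAGES):
        print(f"{subject!r}: subject={subj_hit} url={url_hit}")
```

Both indicators are evaluated independently so a lure whose subject drifts from the observed pattern is still caught by the landing-link query string.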