It shouldn’t be going down again anytime soon.

I just got up after sleeping a good bit of the day.  I had to red-eye it and fly all night to get home last night.

If you didn’t know, I was up in Portland, OR this week for e-fense’s E103 Live Forensics & Incident Response course.  I had a hell of a time actually getting there, it seemed the travel gods just wanted me to suffer, so after an unexpected overnight stay in Dallas on Monday, I made it into the class at 2pm pacific on Tuesday.  I didn’t miss much, and the fact that I had recently attended the SANS GCFA course made this more of a refresher course with the bonus of getting some goodies.

I was a bit skeptical before about Helix going commercial, but I see who the target audience was with the move, and honestly it looks like the stuff that will be in Pro (due out in May) is worth the subscription cost.  If I recall correctly, dc3dd is the default imaging tool when utilizing the Windows Live Acquisition part of the CD.

Eric Smith was a great facilitator, and the learning environment was great.  I loved the classroom they had setup, there were very few glitches, and the workstations were configured correctly, so diving right into some hands on was very very easy.

Portland is a pretty cool place.  I lucked out and @Jerod on twitter showed me around town Tuesday night.  McMenamins had great beer, and Papa Haydn’s had the best cake I have ever eaten.

Now to get some more sleep.

I passed my GCFA the other week, barely. Worst I have ever done on a GIAC exam so far, but really was my own fault for not tabbing my books out or doing much in the way of studying.

Hackerspace planning is in full swing. If you’re local to the Richmond area hit up hackrva.org (currently redirects to hacrva but that’ll be getting fixed soon) and help us plan . We’re looking for help in getting organized as a nonprofit and all the things that go along with that.

SecuraBit is rolling along nicely. We had G Mark Hardy on last week who is always a pleasure to talk to. I learn so much everytime I run into him. We’re having Jayson Street on this week, and the guests just keep coming courtesy of Bart Hopper, who does so much for us in that area.

SUMO Linux will be releasing a beta for the future 2.0 release soon, so we can all get testing and providing feedback in order to make ourselves a bonified Helix replacement and perhaps do a little expansion in the process.

It’s about time to hit the hay and help the fiancee’ make the bed. Till next time!

I’ll post a full account of the event later on tonight or tomorrow, but I just want to say that I met some awesome people and I hope everyone had a great time partying with us.

See you next year!

It’s amazing how fast the first month of a new year goes by.  Those older than me probably recognize this better, but it’s definitely becoming more noticible as I get older.  One minute you’re toasting some champagne with your friends and the next, well… you’re on the fast track to the next year.

In any event, this month was pretty interesting.  We started the new year off near Baltimore with friends, and then I went out to Vegas to cover CES with Hak5.  I got the plague while I was there, and unfortunately didn’t get to do any partying with all the awesome people I met out there.

After recovering from the plague and spending a couple of weekends just enjoying Richmond, I went back down to the HakHouse last night and recorded a segment on USB device tracking, which I owe a great deal of thanks to Harlan Carvey for both his book, and his help in my understanding of the windows registry.

February’s looking to be a very interesting month.  Shmoocon this coming Friday, and my birthday 6 days later.  Valentine’s Day, and then a pretty busy rest of the month.  Looking forward to seeing everyone at Shmoocon and hopefully seeing some new faces.

Peace

Now that I have been out of the Navy 3 months, I have learned precisely how bad my time management skills really are. It’s a funny thing really, but something I now know about and aim to fix, though not this week, here’s the lineup from now till the end of the month:

- Tonight at 9:30pm EST I will be doing a quick SecuraByte with Rob Fuller (aka mubix), Tom Eston (aka agent0×0 from Security Justice) and geekgrrl (whose name I have just learned is Melissa), and perhaps some others.

- Wednesday is a normal SecuraBit show, with another one likely coming next Wed as well to make up for the holidays.

- Thurs-Sun is CES, which is going to be a very crazy fun time.

- I’m taking my GCFA exam hopefully a week from Saturday if we can crash at our friends’ place in Norfolk.

- More Hak5 segments, though my next one likely won’t be filmed until one of the last 2 weekends of the month due to the schedule.

I’m definitely going to be looking at some time management books, and perhaps trying some of the GTD (Getting Things Done) type stuff. I waste a lot of my time and although I am firmly a hedonistic creature, there is a point where some goals and tracking them are good for more than work related things.

I want to thank everyone who reads this blog, as seldom as I do update.

I’ve gotten some IM’s and feedback asking for some good links/blogs dedicated to computer forensics. If you head over to http://forensics.sans.org you’ll find a wealth of information and many links to forensics blogs/sites. You can thank Rob Lee of SANS for it.

Darren was nice enough to include the full notes I sent to him in the actual posting on Rev3, but here’s a copy in case you wander over this way.
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you!  The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.

Requirements:  A Helix live CD (any of their versions should work, but I recommend 2.0)
Any machine that has an OS which is compatible with VMware
Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
Live View
Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.

Helix is a forensic Live CD with loads of tools.  We’re focused on just the image acquisition part today.  For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!

Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time.  It tends to not like the absolute newest version of VMware Server, so ideally use the older one that it suggests.  Open the .dd image with Live View, and either Start it directly or Generate the config files.  Should you encounter problems with Starting it directly, use the generate config files option and then manually open the .vmx/.vmdk file from within VMware itself.  Don’t forget to check the settings on the new VM and make sure the operating system is set correctly, the program does not always autodetect it.

In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user.  It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.

Have fun!

Thanks!