Apr 17 2009

My trip to Portland, OR for the e-fense Helix E103 course

Yeah I haven’t blogged in a bit.. haha.  I’ll get around to some updates this weekend.

I just got up after sleeping a good bit of the day.  I had to red-eye it and fly all night to get home last night.

If you didn’t know, I was up in Portland, OR this week for e-fense’s E103 Live Forensics & Incident Response course.  I had a hell of a time actually getting there, it seemed the travel gods just wanted me to suffer, so after an unexpected overnight stay in Dallas on Monday, I made it into the class at 2pm pacific on Tuesday.  I didn’t miss much, and the fact that I had recently attended the SANS GCFA course made this more of a refresher course with the bonus of getting some goodies.

I was a bit skeptical before about Helix going commercial, but I see who the target audience was with the move, and honestly it looks like the stuff that will be in Pro (due out in May) is worth the subscription cost.  If I recall correctly, dc3dd is the default imaging tool when utilizing the Windows Live Acquisition part of the CD.

Eric Smith was a great facilitator, and the learning environment was great.  I loved the classroom they had set up, there were very few glitches, and the workstations were configured correctly, so diving right into some hands on was very very easy.

Portland is a pretty cool place.  I lucked out and @Jerod on twitter showed me around town Tuesday night.  McMenamins had great beer, and Papa Haydn’s had the best cake I have ever eaten.

Now to get some more sleep. :)


Dec 18 2008

Forensics

Just a quick post regarding forensics.

I’ve gotten some IM’s and feedback asking for some good links/blogs dedicated to computer forensics. If you head over to http://forensics.sans.org you’ll find a wealth of information and many links to forensics blogs/sites. You can thank Rob Lee of SANS for it.


Dec 1 2008

Hak5 Episode 413

Hey guys,

Darren was nice enough to include the full notes I sent to him in the actual posting on Rev3, but here’s a copy in case you wander over this way.
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you!  The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.

Requirements:  A Helix live CD (any of their versions should work, but I recommend 2.0)
Any machine that has an OS which is compatible with VMware
Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
Live View
Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.

Helix is a forensic Live CD with loads of tools.  We’re focused on just the image acquisition part today.  For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!

Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time.  It tends to not like the absolute newest version of VMware Server, so ideally use the older one that it suggests.  Open the .dd image with Live View, and either Start it directly or Generate the config files.  Should you encounter problems with Starting it directly, use the generate config files option and then manually open the .vmx/.vmdk file from within VMware itself.  Don’t forget to check the settings on the new VM and make sure the operating system is set correctly, the program does not always autodetect it.

In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user.  It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
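Before handing the image to Live View, the copy the post recommends should be made and checked, so that any later doubt about the image can be settled against a recorded hash. The following shell script is an added example, not part of the original post or of Helix/Live View; the file names and the random sample "image" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: create an analysis copy of a .dd image, hash both, and refuse
# to proceed unless the copy is bit-identical to the original.
# Paths and the 1 MiB random sample image below are constructed assumptions.

hash_file() {
    # Print the SHA-256 digest of a file (GNU sha256sum assumed, shasum fallback).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_working_copy() {
    # $1 = original image, $2 = destination for the analysis copy.
    # Prints the shared hash and returns 0 only if both files hash identically.
    orig="$1"; copy="$2"
    [ -f "$orig" ] || { echo "missing image: $orig" >&2; return 2; }
    chmod a-w "$orig"                      # the original is never written to again
    cp "$orig" "$copy"
    orig_hash=$(hash_file "$orig")
    copy_hash=$(hash_file "$copy")
    printf '%s  %s\n' "$orig_hash" "$orig" > "$orig.sha256"   # record for the case notes
    if [ "$orig_hash" != "$copy_hash" ]; then
        echo "hash mismatch: do not analyse $copy" >&2
        rm -f "$copy"
        return 1
    fi
    echo "$copy_hash"
}

verify_image() {
    # $1 = original image (its .sha256 record is read), $2 = file to re-check.
    # Use after a Live View session to confirm the copy was not altered.
    recorded=$(cut -d' ' -f1 "$1.sha256")
    [ "$(hash_file "$2")" = "$recorded" ]
}

demo() {
    # Constructed stand-in for a suspect disk: 1 MiB of random bytes.
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.dd" bs=1024 count=1024 2>/dev/null
    make_working_copy "$work/suspect.dd" "$work/suspect-copy.dd"
    verify_image "$work/suspect.dd" "$work/suspect-copy.dd" && echo "copy verified"
}

demo
```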

Have fun!


Mar 26 2008

Helix, Hak5, Home

I’ll be talking about the knoppix-based forensic live CD called Helix on the next Hak5 episode which we’re shooting this coming weekend.  It’s been out there for quite awhile, and as a security guy I have gotten the opportunity to use it in an incident response role a couple of times.  I believe a 2.0 release is coming in the next couple of months, but no official word yet.

I need some geek roommates so I can delegate some of this network stuff to them :) .  I’ll eventually get things online, I just stay fairly busy.  Sorry!


Mar 4 2007

Forensics, Credentials, and Law.

In the computer world, credentials have always been a little bit different from most other industries. Lawyers, Engineers, Teachers, Doctors, and similar professions have some sort of structured peer-reviewed and enforced system for distributing and maintaining credentials for the work that they do. It is a way of protecting people from illegitimate practice and giving them an avenue of redress should they experience any problems with a particular individual or entity.

Many professions within the computer industry umbrella do not have such credentialing bodies, especially within computer engineering and computer security. There are degrees and vendor and vendor-neutral certifications, but there is no equivalent of a bar exam or a license to practice. I believe this should not be necessary for most situations; however, if one is going to testify in a courtroom as an expert, they should have some sort of credentials that prove what they claim to know and that aren’t possible to obtain with a credit card and a couple of hours taking a test online.



Jan 28 2007

Training

Recently I have been taking various training courses and tests covering different aspects of computing and network security.  I’d like to share some of my experience and opinions here.

Brainbench:  I took the free Computer Forensics and Network Security tests they offered.  These were fairly comprehensive tests, and I thought they gave me a pretty decent representation of my knowledge.  As far as the applicability of the tests goes though, there does not appear to be very much merit as a bullet on your resume, so I would recommend these purely for self-assessment purposes.

SANS:  In preparation for the GSEC test I have taken the practice exams, and they seem to be pretty much what they are advertised to be: not quite as difficult as the real thing, but definitely requiring knowledge of the material.  I feel more confident about taking my test after taking these practice exams.

CERT VTE:  I completed the Forensic Specialist course on here, and while there is no test, the sheer volume of information is staggering.  There are also extremely detailed labs available which actually put you into a virtual machine and let you accomplish a set of tasks.  Absolutely wonderful stuff.


Oct 23 2006

It’s been awhile.

A hectic schedule and general lack of manpower have kept me from updating this as often as I’d like.

Instead of a spare time sort of hobby project, this got shuffled around behind the scenes, and gave birth to another project.  We are starting an actual company to offer our services, although this website may undergo some alterations in order to feed off of that.  I believe this will become a sort of voice of the company into the general populace of the security focused individuals on the web.

More will be announced soon.  The company we are starting will be primarily focused on data recovery, network penetration/vulnerability scanning, and forensics to a degree.  However, we will also offer the usual services you might find at Geek Squad or whatnot, just on more of a footnote basis.  The primary focus will be providing businesses with enterprise solutions for the aforementioned.

The website is http://www.digifixsolutions.com and will serve as our banner to the world.  Advertising will ramp up in the real world, with some being devoted to online solutions.  Hopefully we will be successful in our endeavour.


Aug 4 2006

Updates

It’s been awhile since we posted anything here. Things have been busy in my personal life, and I haven’t had time to sit down and work on much.

I am looking for ideas as far as methods and concepts for Intrusion Detection go. Right now my short-term project is to finish building a few servers with parts I have lying around and set up a small network to test out various concepts on, as well as forensics.

Another thing I’m trying to get started on is something that allows easier tracking of events stemming from an alarm on the IDS.

Is there a way to self-train in forensics without spending a couple firstborn children on Encase?

-Chris