Apr 17, 2009
Yeah I haven’t blogged in a bit.. haha. I’ll get around to some updates this weekend.
I just got up after sleeping a good bit of the day. I had to red-eye it and fly all night to get home last night.
If you didn’t know, I was up in Portland, OR this week for e-fense’s E103 Live Forensics & Incident Response course. I had a hell of a time actually getting there, it seemed the travel gods just wanted me to suffer, so after an unexpected overnight stay in Dallas on Monday, I made it into the class at 2pm pacific on Tuesday. I didn’t miss much, and the fact that I had recently attended the SANS GCFA course made this more of a refresher course with the bonus of getting some goodies.
I was a bit skeptical before about Helix going commercial, but I see who the target audience was with the move, and honestly it looks like the stuff that will be in Pro (due out in May) is worth the subscription cost. If I recall correctly, dc3dd is the default imaging tool when utilizing the Windows Live Acquisition part of the CD.
Eric Smith was a great facilitator, and the learning environment was great. I loved the classroom they had set up, there were very few glitches, and the workstations were configured correctly, so diving right into some hands on was very very easy.
Portland is a pretty cool place. I lucked out and @Jerod on twitter showed me around town Tuesday night. McMenamins had great beer, and Papa Haydn’s had the best cake I have ever eaten.
Now to get some more sleep.
tags: Forensics, gcfa, helix, incident response, mcmenamins, papa haydn, sans, Training | posted in Forensics, General
Mar 16, 2009
I never did do my full Shmoo writeup. Let’s just say you had to be there, and what happens at hacker cons tends to stay there.
I passed my GCFA the other week, barely. Worst I have ever done on a GIAC exam so far, but really was my own fault for not tabbing my books out or doing much in the way of studying.
Hackerspace planning is in full swing. If you’re local to the Richmond area hit up hackrva.org (currently redirects to hacrva but that’ll be getting fixed soon) and help us plan. We’re looking for help in getting organized as a nonprofit and all the things that go along with that.
SecuraBit is rolling along nicely. We had G Mark Hardy on last week who is always a pleasure to talk to. I learn so much every time I run into him. We’re having Jayson Street on this week, and the guests just keep coming courtesy of Bart Hopper, who does so much for us in that area.
SUMO Linux will be releasing a beta for the future 2.0 release soon, so we can all get testing and providing feedback in order to make ourselves a bona fide Helix replacement and perhaps do a little expansion in the process.
It’s about time to hit the hay and help the fiancée make the bed. Till next time!
tags: blogs, hackerspace, hackrva, helix, incident_response, SecuraBit, sumolinux, Updates | posted in News
Dec 1, 2008
Hey guys,
Darren was nice enough to include the full notes I sent to him in the actual posting on Rev3, but here’s a copy in case you wander over this way.
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you! The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.
Requirements: A Helix live CD (any of their versions should work, but I recommend 2.0)
Any machine that has an OS which is compatible with VMware
Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
Live View
Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.
Helix is a forensic Live CD with loads of tools. We’re focused on just the image acquisition part today. For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!
Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time. It tends not to like the absolute newest version of VMware Server, so ideally use the older one that it suggests. Open the .dd image with Live View, and either Start it directly or Generate the config files. Should you encounter problems with Starting it directly, use the Generate config files option and then manually open the .vmx/.vmdk file from within VMware itself. Don’t forget to check the settings on the new VM and make sure the operating system is set correctly; the program does not always autodetect it.
In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user. It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
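The acquisition step above is where the evidence is made or lost, so here is an added example (not code from this post, from Helix or from Live View) of the minimum bookkeeping I would want around it: image the device with dd, hash source and image, log both, and then hand only a verified working copy to Live View. It assumes a Linux shell with dd and sha256sum; the demo uses a constructed 4096-byte file as a stand-in for a real block device.

```shell
#!/bin/sh
# Added example (not from the post, Helix or Live View): acquire a raw .dd
# image, hash source and image, then make a verified working copy so the
# original image is never the one loaded into a VM.
# Assumes a POSIX shell with dd and sha256sum (GNU coreutils).

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    sha256sum < "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Reads SOURCE in 512-byte records (the disk's sector size, so that
# conv=noerror,sync pads an unreadable sector with zeros without changing
# the image length), writes IMAGE, and records both hashes in LOG.
# Returns 0 only when the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    {
        echo "source: $src sha256=$src_hash"
        echo "image:  $img sha256=$img_hash"
    } >>"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "result: VERIFIED" >>"$log"
        return 0
    fi
    echo "result: MISMATCH" >>"$log"
    return 1
}

# make_working_copy IMAGE COPY
# Copies the verified image and re-hashes the copy; only COPY is ever
# opened with Live View / VMware.
make_working_copy() {
    cp "$1" "$2" || return 1
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Stand-alone demo on a constructed 4096-byte file used as the "device".
demo() {
    work=$(mktemp -d)
    head -c 4096 /dev/urandom > "$work/fake_disk"
    acquire_image "$work/fake_disk" "$work/evidence.dd" "$work/acquire.log" \
        && make_working_copy "$work/evidence.dd" "$work/working.dd" \
        && cat "$work/acquire.log"
}
```

Run `demo` to see the log for the constructed file; on a real device, substitute the block device path for the source and keep the log next to the image. The bs=512 choice matters: with a larger block size, conv=sync pads the final partial record and the image hash will no longer match the source even on a clean read.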
Have fun!
tags: Analysis, Forensics, Hak5, helix, live view, vmware | posted in Hak5, Hak5ShowNotes
Mar 26, 2008
I’ll be talking about the Knoppix-based forensic live CD called Helix on the next Hak5 episode which we’re shooting this coming weekend. It’s been out there for quite a while, and as a security guy I have gotten the opportunity to use it in an incident response role a couple of times. I believe a 2.0 release is coming in the next couple of months, but no official word yet.
I need some geek roommates so I can delegate some of this network stuff to them. I’ll eventually get things online, I just stay fairly busy. Sorry!
tags: Forensics, Hak5, helix | posted in Forensics, General, Hak5