Setting up an O.MG cable for keystroke injection attacks, and then forensically dumping the firmware for analysis.
As I lie here having finished another SANS Course this time the 508 Advanced Computer Forensic Analysis and Incident Response, it occurs to me that everyday is and always will be a learning day! No one person within our chosen specialisation will ever be able to proclaim that they know it all (although some certainly come close!) Even our instructor Chad Tilbury (Forensic Guru) admits that he picks up something new from every course he teaches.
it has solidified my opinion that to defeat the evil minions trying to steal our data or indeed trying to hide their own, we as a community need to be as collaborative as possible, sharing our knowledge and experience as much as we can.
It is one of the reasons I enjoy attending SANS courses, the instructors I have encountered so far have been in the trenches as practitioners, they have literally all been there got the T-shirt and been back for more. It is their real life experiences alongside the slides of information that add real benefit. On top of that the participants within the room add their own experiences but also become contacts, dare I say it friends you can call on in the future when you hit a brick wall in your latest investigation. Every person has their own niche area of the forensic scene, which they enjoy that little bit more than others and therefore become that goldmine of information on the subject that might just help you break open the case!
This weeks course has made me realise that I need to spend a lot more time on my memory analysis ninja skills, it has also shown me that there are some amazing tools out there which will make life a lot easier! Two tools that I really like the look of and will hopefully become a lot more familiar with in the coming months are:
- Mantaray – Quite simply a brilliant project which pulls together numerous open source forensic tools and automates the process giving you outputs for analysis.
- Plaso – This is replacing log2timeline and when all of the plugins have been ported over will be the go to tool for creating super timelines. I now ask myself how I ever managed forensic analysis without the use of super timelines! Plaso is based on the python scripting language.
That brings me nicely onto my last point for now which is something a friend of mine has been constantly harassing me about for a very long time now! I really need to learn Python and to be honest its not until now I realised just how right he was (just don’t tell him that). The ability to create scripts to carry out some of our very mandrolic tasks is worth its weight in gold! It wasn’t the only thing he harrasesd me about, the other was blogging! He may come to regret that one though.
I hope you have enjoyed reading my first blog and that over time I will be able to build on this and maybe it will help others new to the field in the future.