Friday, April 02, 2010

Thought of the Day

I've been working on writing my latest book and got to a section of the first chapter where I talk about analysis and what that means. As I was writing, it occurred to me that there are some basic concepts that some analysts take for granted, and others simply do not understand. Keeping these concepts in mind can help us a great deal with our exams.

Locard's Exchange Principle
Edmund Locard was a French scientist in the early part of the 20th century who originated the principle that when two objects come into contact, material is transferred between them. This is as true in the digital realm as it is in the physical world. When malware reaches out to find other systems to infect or to contact a CnC server, there is information about these connections on the system. When an intruder accesses a system, there is information about the system their connection is coming from as well as information about their activities on the compromised system. In many cases, the information may be degraded, depending on temporal proximity to the event, but it will have been there.

Least Frequency of Occurrence
I credit Pete Silberman of Mandiant with this phrase, not because he was the first to use it (some searches indicated pretty quickly that it is used in other fields), but because his use of it was the first time I heard it applied in a profound manner to the IR community. At the SANS Forensic Summit in 2009, Pete used this to describe the occurrence of malware on systems, and looking back over other exams I'd performed, it occurred to me that the same thing is true for intrusions.

The concept is amazing in its simplicity...given normal system activity, malware and intrusions occur least frequently on that system. Say, malware is installed as a Windows service set to launch at system startup as part of the SvcHost process...you've got one file (DLL on the drive), a few keys/values in the System hive, and one in the Software hive.

Okay, so the practical application of this is that we're NOT looking for massive toolsets being loaded onto the system. Listing all of the files on the system and sorting by creation date (in the absence of modification of time stamps) is more likely to show you OS and application updates than it is to show you when the malware was installed. The same sort of thing applies to an intrusion.
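
To make the idea concrete, here is an added example (not code from the original post): it buckets a file listing by creation day and reports the least-populated days first, so update batches drop out and one-off creations surface for review. The listing, the file names and the `max_count` threshold are constructed assumptions, and it presumes time stamps have not been modified.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample listing of (path, creation time); not from a real system.
SAMPLE_LISTING = (
    # Two update batches: many files created within seconds of each other.
    [(rf"C:\Windows\System32\kb_a_{i}.dll", f"2010-03-09 18:02:{10 + i}") for i in range(6)]
    + [(rf"C:\Program Files\App\upd_{i}.dll", f"2010-03-23 09:15:{30 + i}") for i in range(5)]
    # Low-volume days: one lone DLL, and two ordinary user documents.
    + [(r"C:\Windows\System32\svcx.dll", "2010-03-17 03:41:07"),
       (r"C:\Users\user\Documents\notes.txt", "2010-03-12 14:20:00"),
       (r"C:\Users\user\Documents\report.doc", "2010-03-12 16:05:42")]
)


def bucket_by_day(listing):
    """Group paths by creation date (YYYY-MM-DD)."""
    buckets = defaultdict(list)
    for path, created in listing:
        day = datetime.strptime(created, "%Y-%m-%d %H:%M:%S").date().isoformat()
        buckets[day].append(path)
    return buckets


def least_frequent(listing, max_count=2):
    """Return (day, paths) for days with at most max_count creations, rarest first."""
    rare = [(day, sorted(paths))
            for day, paths in bucket_by_day(listing).items()
            if len(paths) <= max_count]
    # Sort by bucket size, then by date, so the rarest activity is reviewed first.
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for day, paths in least_frequent(SAMPLE_LISTING):
        print(day, len(paths))
        for p in paths:
            print("   ", p)
```

A rare bucket is a lead for the analyst, not a verdict: the two documents created on the same day are just as infrequent as the lone DLL and still need to be ruled out.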

Goals
In short, goals are the beginning and the end of your exam. What are you looking for, what questions are you trying to answer? Your exam goals drive your analysis approach and what tools you need to use...and it should never be the other way around. Tools should never drive your analysis.

HTH.

7 comments:

Anonymous said...

Can you give any more details on what your book is going to be about?

H. Carvey said...

This is the Windows Registry Analysis book. I've already started writing on it...

Anonymous said...

Oh yeah! I'm glad to see that's the topic you ended up choosing. Sounds like it will complement WFA nicely...

H. Carvey said...

Not sure what you mean...that's what I've been planning since last year...

Unknown said...

Harlan,

I want to get your book Windows Forensic Analysis DVD Toolkit 2nd edition in a Kindle format, but how can I get the DVD toolkit with that?

Thanks,

Jack T

H. Carvey said...

Jack,

You'd need to check with the publisher about that.

thanks.

Unknown said...

Thanks, unfortunately Amazon does not offer it with the Kindle edition.