2013 DerbyCon Friday Notes

The keynote opened with a we are family theme. I wasn’t quite sure if being welcomed into the family would require taking a name suffix based on a body part. You know something like sam “the thumb”. The chief scientist from Rapid7 hdmoore opened as first speaker. His discussion of zmap was very interesting. I was vey interested in the data analysis that was done regarding ssl certificate revocation. Trying that data into breach reports and finding that companies lie. The project sonar information was also interesting. The data sets are online and look like a awesome project. I could use that data set in my cloud and network forensics course. The data sets can be found at scans.io.

The talk as keynote by Ed Skoudis had me so much back into what john Saunders was doing at NDU.edu. John and I had talked about Ed a few times. I’ve planning on building a model like they have but I want to be able to use it for forensics. Thre was a lot of energy in the talk by Ed and I found a lot of it stuff I already know. My students were afterwards talking about all the stuff I’ve talked about I our classes. It really had me wanting to uncork the classes and go ore technical. What would happen in a course that requires programming to do the forensics? Reality says this is a requirement but would my classes then be empty. Lots to reflect on from what was said.

Dave Marcus gave a great briefing and presentation too. Unfortunately at the back if the room it was hard to hear. I got the gist of the analysis they were doing with statistical anomaly analysis to get a very small false positive rate. I’m not sure how lossful the process is when removing samples. Would be a good question. I hope I can get Dave to talk later about this

Int0x80 anti forensics talk involving adult beverages. This session starts with the best way of installing GTA5. I really liked the idea of tool tampering. The idea of competitive inhibition where memory is polluted by random data. His poor liver for having forensics, troll, and memory as his drink words. If you use key words in your talk you must take a drink of an adult beverage. The start of the talk had a great overview of memory forensics. His use of the ram disk program to foul the memory forensic process. The deallocation process wipes the ram where it might be found in normal memory dumps.
The us e of PDFs to pollute memory also seemed interesting. The tool wharrgarbl (spelling?) appears to be an old style memory eater. That means the memory is rapidly polluted removing other things you might want to cover up. Similarly targeting tools with the kill -9 or I imagine init 0 would work. The kill going after the tool process and init going after the machine. The hunter2 tool is even better. The hunter2 app grabs or uses enumprocess to kill preregistered or known applications. The idea of killing the investigators tools is pretty cool. Even better was the demo of trojaning the tool in progress (while being loaded).

Bart Hopper gave a talk on malware. His intro on why defense is cool by using Bruce Lee was excellent. They don’t make movies about 200 guys beating one guy to a pulp. An excellent point towards why defense is awesome. The story about Ken Thomson and the backdoors in Unix gave an instant understanding of supply chain protection. Spondulas looks like an interesting tool for finding black hole exploits. I really need to find the pdfstreamer app and put that into an infosec course. Converting these kind of tools into a course is going to take a very special organization and student body. I would be interested in knowing if there is a peviewer for windows in osx. It might just be easier in Linux. One of my favorite tools he demoed was the bytehist program from CERT. The large number of tools demoed show a work flow for the malware analysis. Somebody taking that flow and analyzing it might be interesting. Hopper gave a three minute discussion on assembly that had me from ebp. I wasn’t so happy with the least signicant bit discussion but it explained vey well. From the talk I guess I will have to learn ollydebug. I have IDA pro but I can’t afford that for an entire class.

Leave a Reply