The Time Factor Traces are the “metadata” of an act, a course of action, a communication or even a presence or having been there. They show us that something happened, but often also how something happened. We consider traces always in retrospect, because they have to be there first in order to be considered. The time interval between the emergence of traces and their observation can vary. In 2017, for example, researchers investigated how Ötzi, a mummy from the ice of the Ötztal Alps, came to his death about 5,300 years ago and thus solved a murder with a slight time delay. But some traces also disappear. Not only the well-known traces in the sand … Also we can’t detect e.g. knockout drops in the victim’s blood already 24 hours after they drank them.
[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small
Our friends from BSidesLondon have set up a challenge for you. It’s a little ELF binary with some odd properties. That’s all we will tell you. Have a look for yourself. In case you are forensically inclined, we might have a little Call for Papers email for you. There is a lot of strange code around in the Internet and other networks. Decoding what code does without getting your san(d)box blown apart is a fine art. We are interested in getting in touch with researchers in the field of malicious software and digital forensics. Software developers need to know what you have seen. So if you got some ideas, research, or interesting content, drop us your email address.
Popular culture totally loves forensics (judging by the number of TV shows revolving around the topic). When it comes to software a detailed analysis can be very insightful. Most malicious software isn’t written from scratch. Some components are being reused, some are slightly modified (to get past the pesky anti-virus filters). This means that (your) malware has distinct features which can be used for attribution and further analysis. In his talk at DeepSec 2013 Michael Boman explained what you do with malicious software in order to extract information about its origins. Use the traces of its authors to attribute malware to a a individual or a group of individuals. It gives you an idea about the threats you are exposed to and is a good supplement to your risk assessment.
In the light of the recent news about the collection of call detail records (CDR) the term metadata has come up. Unfortunately the words cyber, virtual, and meta are used quite often – even as a disguise to hide information when not being used in a technical context. We have heard about all things cyber at the last DeepSec conference. The word virtual is your steady companion when it comes to All Things Cloud™. Now we have a case for meta. Actually metadata is what forensic experts look for – a lot. Metadata usually lives in transaction logs or is part of a data collection. It describes the data it accompanies. Frequently you cannot make sense out of or use the data without the corresponding metadata. A well-stocked library seems like a labyrinth if
If you have ever been in the position of analysing the remains of a compromised system, then you will probably know that a lot of forensic methods rely on data stored in file systems. Of course, you can always look at individual blocks, too, however sooner or later you will need the logical structure of the data. The question is: Do you rely on the file system to be honest with you? What happens if the file system (with a little help from the OS around it) tricks you into believing false information? The answer is easy. Your investigation will fail. Christian Wojner from CERT.at has a presentation for you which describes the stunning „WOW Effect“ stemming from Microsoft’s WoW64 technology. WoW64 is the abbreviation for Windows 32-bit on Windows 64-bit. It allows 64-bit
Malicious software is the major tool for attackers. It is used to deliver the payload so that compromised systems can be exploited and secured for executing further tasks by your adversaries. Getting to now this malicious software and finding traces of the breach is very important for dealing with a security event. Proper incident response must be part of every state-of-the-art defence strategy. So this is why we offer the Malware Forensics and Incident Response Education (MFIRE) training at DeepSec 2012. Ismael Valenzuela will be your teacher for this course. The workshop is a proactive weapon to help you normalize your environment after a negative event has occurred. Your opponents have increasingly sophisticated tools and backdoor programs at their disposal to steal your intellectual property and expose sensitive information – all with the ability