Latest presos and blog posts: Malware traffic analysis with “Bro” and Catching “Bayas” on the wire

I don’t have to tell you how quickly life goes by. But I’m just amazed at the fact that it’s been more than 2 years without writing an entry in my blog! Not that I haven’t done anything interesting during this time though. Let me see… I moved to the “other side of the pond” (yup, that’s kind of a change!), I decided to take up my guitar lessons after many years… hey, I even took some cooking lessons for a few months! Hmm.. I wonder if this is a kind of pseudo early midlife crisis :)

Anyhow, on the professional side of things it’s been quite a productive time too. Although I already updated sections of my site to include some of this work, I wanted to share it here:

1. The slides from my talk “Catching Bayas on the Wire: Practical Kung-Fu to Detect Malware Traffic” presented at the 2013 SANS European Forensic Summit, are available on the Papers & Presentation page. A link to the updated version of this talk, presented in a BrightTalk Webinar on March 11th 2014 is there too.

2. My blog post “Identifying Malware Traffic with Bro and the Collective Intelligence Framework (CIF)” is posted on the Foundstone’s Open Security Research site. I’m specially happy and honoured to see that some of this work was more recently included in the latest version of the SANS 503: Intrusion Detection In-Depth class, after I had the privilege to teach the Bro section with Mike Poor and Judy Novak at SANS Orlando 2014. The pcap samples referenced in the post can be downloaded from my Github account.

3. More recently I was invited to participate as Guest Lecturer for the California Polytechnic State University in San Luis Obispo, teaching the Advanced Computer Forensic Methods & Tools class (part of the “Defense Against The Dark Arts” malware research course by McAfee/Intel Security). It was such a rewarding experience to teach to these motivated students!

Finally, I know quite a few people has been asking about Part 2 of the Android Memory Forensics post. Unfortunately something came up that prevented me from completing my work on this topic for more than a year. And by the time I had the opportunity to come back to this, so much had already changed that it didn’t make sense to continue writing the post along those lines. So my apologies for this. I promise I’ll get back to this topic, because it’s definitely a fascinating one.

Best I can probably do for now is to recommend a couple of good resources for you to check:

Talk to you soon!

Slides from my Android Forensics talk at the Symposium for Android Security in Malaga

I have just uploaded to the Papers & Presentations section the slides for my talk on “Latest Advances in Android Forensics” (in Spanish) at the 1st International Symposium for Android Security held in Malaga last week:

Continue reading Slides from my Android Forensics talk at the Symposium for Android Security in Malaga

A follow up on the Indian embassy issue

It’s been a busy two weeks trying to put together the training material I’ll be using to teach Incident Response and Computer Forensics to some of my colleagues in other geographies across Europe, Asia and Australia, and that will kick-off in Leiden in approximately 10 days. Meanwhile, the latest news about the Indian embassy reported earlier on this blog, spread quickly on the Internet.

Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

Continue reading A follow up on the Indian embassy issue