Part 1 of my post on Mac OS X memory acquisition and analysis has been posted at the SANS Forensics Blog. I’ll try to publish Part 2 early next week. Stay tuned!

http://computer-forensics.sans.org/blog/2011/01/28/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-1

Update

Part 2 is published now:

http://computer-forensics.sans.org/blog/2011/02/04/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-2

Thanks for all your positive comments.

You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

Besides that, there are plenty of rumours about a possible Conficker attack on 1st April. I know you may think it’s all hype or scaremongering, and it might well be. But, if you run a large corporate network I’m sure you don’t want to sit down and wait until 1st April to find out.

If that’s the case, you have to know that the Honeynet Project has been working on a way to detect Conficker-infected machines and that they have just released a scanner for this task. The scanner is available as a python script and as a windows .exe executable, and can be used to scan a single host or a whole network range.

When run it on my mac the output looked like this:

# ./scs.py 192.168.1.1 192.168.1.254

———————————-
Simple Conficker Scanner
———————————-
scans selected network ranges for
conficker infections
———————————-
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
———————————-

No resp.: 192.168.1.1:445/tcp.
No resp.: 192.168.1.82:445/tcp.
No resp.: 192.168.1.80:445/tcp.
No resp.: 192.168.1.81:445/tcp.
No resp.: 192.168.1.95:445/tcp.
192.168.1.99 seems to be clean.
192.168.1.101 seems to be clean.
192.168.1.85 seems to be clean.
192.168.1.97 seems to be clean.
192.168.1.106 seems to be clean.

Alternatively, popular scanners like nmap, Nessus and others have quickly updated their plugins to support Conficker detection. At the moment, Nmap 4.85beta5 has all the scripts included, and it’s now ready for download at http://nmap.org/download.html. If you’re are running a Unix-like system you probably want to update nmap from svn:

$ svn co –username=guest –password=” svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install

Then run nmap using the new NSE script:

$ nmap –script=smb-check-vulns –script-args=safe=1 -p445 -d <target>

As of Nessus, use plugin #36036 to detect any variant of Conficker.

The Honeynet Project has also released Snort signatures to detect Conficker.A and Conficker.B traffic. Make sure you update your IDS sensors with these signatures and be ready to monitor your console over the next few days. If you don’t have any IDS technology in place (I will resist the temptation to ask you why by now) but you have access to a network span port, you can still plug any Unix-like box in and run ngrep like this:

$ sudo ngrep -qd eth0 -W single -s 900 -X
<insert shellcode string from here>
‘tcp port 445 and dst net <local network range>‘

Further details about Conficker fingerprint and the detection methods and tools can be found here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Good luck.

Whatever you did, and despite the amount of money you spent, one thing is for sure: if you are reading this it’s safe to assume that you are still interested in reading about good infosec stuff, aren’t you?

Keep reading then and have a look at the following links containing a few interesting security tools, new forensic challenges and even a new Multi-Boot Security Live DVD:

• DFRWS 2008 Rodeo (forensic challenge): The 8th annual Digital Forensic Research Conference was held from August 11 to 13, 2008 in Baltimore, MD. A key element of this conference is the “forensic rodeo”, a challenge where conference attendees form teams to solve a digital forensic problem. The DRFWS has made the materials for the 2008 Forensic Rodeo available on their website for educational purposes and to support further research in memory analysis and file carving. The scenario description and the image files can be downloaded http://www.dfrws.org/2008/rodeo.shtml
• The Open Computer Forensics Architecture (OCFA): OCFA is a modular computer forensic framework developed by the Dutch National Policy Agency meant to be used in large investigations. If you want to give a try you can download the required packages from their main site: http://ocfa.sourceforge.net/
• Splunk: Splunk is a log archiving product that allows to search, navigate, alert and report on all logs in real time. Plus it’s free and available for all platforms on http://www.splunk.com/download
• Multi-Boot Security LiveCD DVD: A new all-in-one multipurpose LiveDVD that combines some of the very popular LiveCD ISOs already available on the Internet:
  • Backtrack 3
  • Damn Small Linux 4.2.5
  • Knoppix 5.1.1
  • Ophcrack 1.2.2 (with 720 mb tables)
  • Puppy Linux 3.01
  • and a few more…

I’m currently downloading the 4GB MultiISO .torrent file and will it give a try soon. Shame that Helix is not part of the DVD, but still looks like a handy tool to have in your Incident Response jump bag.

Enjoy and good luck with you holiday blues!