If you spot any errors, typos or mistakes please let me know, as I spent endless hours dealing with “cross-compiling kernel modules for Android” headaches. Actually the aim of this post is to save you from “some” of that pain when compiling LiME.

Enjoy and stay tuned for Part II!

• Últimos avances en Análisis Forense de sistemas Android (PDF – 3,8 Mb)

One of the most interesting parts of this presentation (at least for me) is the section that covers Android Memory Acquisition and Analysis, since there is not much investigation available about this. That is definitely changing now, especially since Joe Sylve presented the first tool that is capable of doing a full capture of RAM contents in an Android device. The tool was presented at Shmoocon 2012 as DMD, although its name has now been changed to Lime Forensics.

As I said at the conference, the installation of this Loadable Kernel Module is not trivial. Hence, I plan on posting the steps I followed to successfully compile, install and use this tool together using the latest version of the Android SDK and emulator. Stay tuned!

I believe all the presentations and even the videos will be available at the conference site soon, but in the meantime you can also check the slides for the HACME Android talk presented by my colleague Melissa Augustine. This is another awesome application that follows the successful HACME saga and that you can download from free from:

• http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx

Hacme Bank™ Android is designed to teach mobile application developers, programmers, architects and security professionals how to create secure software and evaluate their own software to identify vulnerabilities. Hacme Bank simulates a “real-world” web services-enabled mobile banking application, which was built with a number of known and common vulnerabilities. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it.

I also recommend that you visit the Open Security Research channel on Youtube where you’ll find a walkthrough all the Lessons and Exercises. I leave you here with a sample for the first Lesson:

But time has been scarce, with lots of new developments and challenges both in my personal and professional life, including spending a month in New York (thanks to the Foundstone crew in Manhattan for their hospitality!), teaching Malware Analysis along with Christiaan Beek, Melissa Augustine and the rest of the Foundstone EMEA team in BlackHat Abu Dhabi and catching ‘chombies’ and other malware on various Incident Response engagements across Europe.

I feel really proud to be part of a team with such a strong pedigree and that has built a reputation as enterprise network security experts though the publication of numerous books and articles for the benefit of the security community since 1999 (i.e. Hacking Exposed, HACME series, forensics tools, etc…). I will list some of the URLs/Twitter accounts you want to keep an eye on at the end of this post.

As things come back to normality (if that ever existed) I hope I will be able to take more time to share some of the stuff that I come across at work, the projects and research that I’m working on and some other random IT Security ideas.

Why of this change? I guess it all comes down to the fact that I wanted to be back on the trenches and this was a great opportunity for doing so. After 6 years focusing on establishing and leading the IT Security program for a large company while going through multiple acquisitions, I found myself ‘stepping up the management ladder’, something I wasn’t sure I wanted to do at this point. Talking along these lines, I feel identified with this post from Mark Curphey, founder of OWASP, and now part of the Foundstone Services team too. In summary, although working for iSOFT has been one of the greatest experiences in my life, I thought it was time for me to move on and find out what the future at McAfee holds for me.

I can’t finish this post though without a big THANK YOU to all my colleagues that worked with me in iSOFT for their hard work, their passion and their commitment to the security program we built together over the years. I am genuinely grateful and proud for the opportunity I’ve had to work with and learn from such a world-class team. All the best!

• Foundstone Free Tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx
• Foundstone Whitepapers: http://www.mcafee.com/apps/view-all/publications.aspx?tf=foundstone&sz=10
• Open Research Security Blog: http://blog.opensecurityresearch.com/
• Hacking Exposed Series: http://www.mcafee.com/us/campaigns/hacking_exposed/index.html
• Twitter: @Foundstone / @FSEMEA

When Prevention Fails, Extending IR and Digital Forensics Capabilities to the Corporate Network (PDF – 6,2 MB)

Speaking at SANS Boston

Thanks to Barbara Basalguete, Stephen Northcutt and the rest of the SANS crew for the opportunity to participate in such a great event, as well as to all the attendees that preferred to stay around after a long training day instead of heading off to Harvard Square for Friday party!

When Prevention Fails: Extending IR and Digital Forensics capabilities to the corporate network

2011 is being a big year for cybersecurity incidents with high profile attacks reported against large organizations including HBGary Federal, RSA, Lockheed Martin and several Sony companies among others. With smarter intruders that can make use of both very sophisticated attacks and simple, yet effective, phishing attacks against our users, everyone should assume that at some point their preventive measures will fail, and that sooner or later you will have to recover from a future intrusion. Based on this assumption several questions arise: When prevention fails, what is left? Am I ready to detect, react and recover from an intrusion? What can Network Security Monitoring and Digital Forensics do for me?

Ismael’s talk will address these questions, describing the latest trends in computer attacks and intrusions, including the use of Botnets and what has been called the Advanced Persistent Threats (APT). Lastly, Ismael will show how Network Security Monitoring (NSM) and Digital Forensics methods and tools can be extended to the corporate network to assist in the early detection and investigation of these threats. Best practices and techniques on how to do NSM, full packet capture, network forensic analysis and data carving will be discussed, along with some live demos using tools that are available to any security practitioner.

A full description of the event can be found here:

http://www.sans.org/info/74514

Registration is still open but you have to be quick. It might be also a good idea to drop me an email if you’re planning to be there

See you in Berlin!

Part 1 of my post on Mac OS X memory acquisition and analysis has been posted at the SANS Forensics Blog. I’ll try to publish Part 2 early next week. Stay tuned!

http://computer-forensics.sans.org/blog/2011/01/28/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-1

Update

Part 2 is published now:

http://computer-forensics.sans.org/blog/2011/02/04/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-2

Thanks for all your positive comments.

If you haven’t heard of Community SANS courses before, I encourage you to have a look at this new format (new outside the US, where it’s been running for years). This is a great way of bringing the popular SANS courses to your local security community at a reasonable cost, especially for those that can’t attend the major events.  It’s worth mentioning that unlike the SANS Mentor  sessions, these are delivered over a six-day period, just like it is at a larger SANS event, including the full set of books and access to audio files. They are just delivered in your own community, in a small classroom setting and at a discounted cost for tuition and travel expenses.

I’ve already described my experience with SANS, both as student and facilitator, so I won’t go over that again. Also, you can find a further detailed description of the Security 503 track on SANS website, an outstanding course that I’ve already described as the “most valuable course I’ve ever taken”. However, I want you to listen to Mike Poor, instructor at the SANS Institute and co-author of this course (along with Judy Novak and Guy Bruneau), describing it on YouTube. Mike Poor is both an amazing professional and a great guy that I had the opportunity to meet at SANS Sydney in 2008, when I took his Penetration Testing class. As Mike would say, this IDS course is simply “awesome”!

I’ve been also authorised to post them on my website, so feel free to download them from the updated “Papers & Presentations” page, where I have also posted some of the comments I received from several readers, as well as an interesting reference to my article from Harlan Carvey.

Happy reading!

You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

… and if you think you are a competent programmer, please don’t flame at me and listen to Ron’s last sentence!

Enjoy and happy Friday!