Latest presos and blog posts: Malware traffic analysis with “Bro” and Catching “Bayas” on the wire

I don’t have to tell you how quickly life goes by. But I’m just amazed at the fact that it’s been more than 2 years without writing an entry in my blog! Not that I haven’t done anything interesting during this time though. Let me see… I moved to the “other side of the pond” (yup, that’s kind of a change!), I decided to take up my guitar lessons after many years… hey, I even took some cooking lessons for a few months! Hmm.. I wonder if this is a kind of pseudo early midlife crisis :)

Anyhow, on the professional side of things it’s been quite a productive time too. Although I already updated sections of my site to include some of this work, I wanted to share it here:

1. The slides from my talk “Catching Bayas on the Wire: Practical Kung-Fu to Detect Malware Traffic” presented at the 2013 SANS European Forensic Summit, are available on the Papers & Presentation page. A link to the updated version of this talk, presented in a BrightTalk Webinar on March 11th 2014 is there too.

2. My blog post “Identifying Malware Traffic with Bro and the Collective Intelligence Framework (CIF)” is posted on the Foundstone’s Open Security Research site. I’m specially happy and honoured to see that some of this work was more recently included in the latest version of the SANS 503: Intrusion Detection In-Depth class, after I had the privilege to teach the Bro section with Mike Poor and Judy Novak at SANS Orlando 2014. The pcap samples referenced in the post can be downloaded from my Github account.

3. More recently I was invited to participate as Guest Lecturer for the California Polytechnic State University in San Luis Obispo, teaching the Advanced Computer Forensic Methods & Tools class (part of the “Defense Against The Dark Arts” malware research course by McAfee/Intel Security). It was such a rewarding experience to teach to these motivated students!

Finally, I know quite a few people has been asking about Part 2 of the Android Memory Forensics post. Unfortunately something came up that prevented me from completing my work on this topic for more than a year. And by the time I had the opportunity to come back to this, so much had already changed that it didn’t make sense to continue writing the post along those lines. So my apologies for this. I promise I’ll get back to this topic, because it’s definitely a fascinating one.

Best I can probably do for now is to recommend a couple of good resources for you to check:

Talk to you soon!

Acquiring volatile memory from Android based devices with LiME Forensics, Part I

Android Memory AcquisitionMy first guest post on the Open Security Research Blog was published yesterday. In this post I walk through the steps required to install and compile LiME Forensics, a Loadable Kernel Module that allows you to dump the full contents of memory of an Android based device. The instructions have been tested successfully on Ubuntu 11.10, with Java SE Development Kit 6 Update 31, the Android SDK r18, NDK r7c and with the emulator running an Android Viritual Device (avd) based on Android 4.0.3 (API 15).

If you spot any errors, typos or mistakes please let me know, as I spent endless hours dealing with “cross-compiling kernel modules for Android” headaches. Actually the aim of this post is to save you from “some” of that pain when compiling LiME.

Enjoy and stay tuned for Part II!

When Prevention Fails: Extending IR and Digital Forensics to the Corporate Network (slides from SANS Boston 2011)

The slides from my @night talk at SANS Boston 2011 are available for download now:

When Prevention Fails, Extending IR and Digital Forensics Capabilities to the Corporate Network (PDF – 6,2 MB)

Speaking at SANS Boston

Thanks to Barbara Basalguete, Stephen Northcutt and the rest of the SANS crew for the opportunity to participate in such a great event, as well as to all the attendees that preferred to stay around after a long training day instead of heading off to Harvard Square for Friday party!

When Prevention Fails: Extending IR and Digital Forensics capabilities to the corporate network

2011 is being a big year for cybersecurity incidents with high profile attacks reported against large organizations including HBGary Federal, RSA, Lockheed Martin and several Sony companies among others. With smarter intruders that can make use of both very sophisticated attacks and simple, yet effective, phishing attacks against our users, everyone should assume that at some point their preventive measures will fail, and that sooner or later you will have to recover from a future intrusion. Based on this assumption several questions arise: When prevention fails, what is left? Am I ready to detect, react and recover from an intrusion? What can Network Security Monitoring and Digital Forensics do for me?

Ismael’s talk will address these questions, describing the latest trends in computer attacks and intrusions, including the use of Botnets and what has been called the Advanced Persistent Threats (APT). Lastly, Ismael will show how Network Security Monitoring (NSM) and Digital Forensics methods and tools can be extended to the corporate network to assist in the early detection and investigation of these threats. Best practices and techniques on how to do NSM, full packet capture, network forensic analysis and data carving will be discussed, along with some live demos using tools that are available to any security practitioner.