Thursday, August 9, 2007

Black Hat USA 2007

I just returned back from Black Hat and I wanted to give an update in case you weren't able to attend. There were a number of really good talks this year and I was able to catch up with a lot of old friends.

One of my favorite talks of the conference was "Smoke'em Out!" by Rohyt Belani and Keith Jones. In this talk, they discussed the challenges involved in performing digital investigation when dealing with malicious insiders. This talk was particularly interesting because they discussed these issues within the context of real world investigations they conducted. Both Rohyt and Keith are extremely knowledgeable and are also engaging presenters. Take advantage of any opportunity you have to hear these gentlemen present!! On the same note, if you are looking for e-discovery and incident response services, I highly recommend Jones Rose & Dykstra Associates! They are really good people and I enjoyed the opportunity to finally meet these guys.

Unfortunately, I was unable to attend the talk "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" by Chris Palmer, Tim Newsham, and Alex Stamos. I heard from a number of people that this was a very interesting talk and made a number of valid points about the assumptions that are built into forensics products. I agree with the fact that more work needs to be done on improving the robustness of the forensics tools. Most forensic tools inherently trust the data being analyzed. In the Volatools paper, we emphasized that many of the tools being designed for volatile memory analysis also do not consider the malicious adversary and are susceptible to a number of data hiding techniques. This talk is an important reminder that we cannot depend entirely on the results of a single tool and that tools need to be designed with the malicious adversary in mind.

The final briefing that I want to discuss is "Black Out: What Really Happened" by Jamie Butler and Kris Kendall. Some of you may have heard that I had gotten a little upset at the end of the talk and I thought I would take this opportunity to let you know "What Really Happened". Let me begin by saying that none of my comments were directed towards Kris Kendall and I apologize to him if he took offense to them. I have never had the pleasure of meeting Kris but I have heard from mutual friends that he is a good guy.

This briefing began by discussing the basics of code injection. First, Kris discussed the techniques for performing user mode injection and how these techniques were used in tools such as Metasploit and Poison Ivy. Next, Jamie discussed how to perform "kernel process injection". Much of this material is the same as that presented in many rootkit classes and books. After the primer on code injection techniques, Jamie proceeded to present on "Memory Analysis". He began by discussing how APIs can be subverted and the importance of memory analysis. Then he proceeded to relate what he believes are the requirements for performing memory analysis. During this time he also made a number of claims about the functionality that his new tool provides. Then he discussed a number of "patent pending" techniques for determining the operating system version and detecting injected DLLs. Then he finally performed a demo detecting an injected DLL using the Virtual Address Descriptors. A "patent pending" technique!!

Let me briefly discuss the issues that I had with the "Memory Analysis" part of the presentation. First, the slides contain no references to any of the prior research that has been done in this area within the last four years, despite the fact that Black Hat requires it. Many of the "patent pending" techniques are based on techniques that can be found in open source projects and published research. Despite what was claimed, I can prove this work was not done in parallel. He declined the challenge to demonstrate the capabilities he claimed in the presentation. The more I think about this situation, the more it makes me think back to a blog post. Similar to the author of that blog post, I would not purchase nor trust forensics tools written by those who have a vested interest in the continuation of the problem.

See you at DFRWS!!
