Friday, June 4, 2010

Forensics contest #5 results

Well, NetworkMiner is getting a huge amount of use in these forensic contests these days. By my count 6 of the 10 finalists used it this time around (I'm still reading through all 10 of them and just did a quick term search, so some may have just mentioned it and not actually used it).

Reading through the winner's entry, as noted by the contest owners, it was very well done; it provided a very nice walk-through and is well worth the read.

He did his analysis on a Windows box also (like I did), but the more I think about it, the more I think we should be looking at doing this on Linux. A lot of it is a comfort level, what tools you have available, etc., but if you know you are working with something that is going to be attacking Windows, doesn't it make sense to do your analysis on a system you know it can't infect? I went to great lengths to run mine in a sandbox, on a VM I was willing to scrub, and with no outside network, but the more I think about this the more I think doing analysis on the OS that the infection is going to go after is a bad idea.

With that said, I'm still working on contest #6 on a Windows system currently because I'm writing a program that will specifically carve EXEs out of a TCP data stream, but hey, I'm more comfortable on Windows, give me a break!
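As an added example (not the carver the post's author was writing), here is a small Python PE carver that walks the DOS, COFF and section headers to find where each executable actually ends in a reassembled TCP stream, instead of cutting at the next "MZ"; the HTTP response, the stray "MZ" bytes and the PE-shaped blobs in the sample stream are all constructed for the demo.

```python
import struct

# Added example, not the contest author's carver: walk PE headers to find each file's end.
SEC_HDR = 40  # size of one IMAGE_SECTION_HEADER

def pe_size_at(buf: bytes, base: int):
    """Return the on-disk size of the PE image at buf[base], or None if it is not one."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", buf, base + 0x3C)[0]      # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0" or len(buf) < pe + 24:
        return None
    n_sections, opt_size = struct.unpack_from("<H12xH", buf, pe + 6)  # COFF header fields
    sec_table = pe + 24 + opt_size
    end = sec_table + n_sections * SEC_HDR
    if n_sections > 96 or len(buf) < end:                           # 96 = PE loader limit
        return None
    for i in range(n_sections):
        # SizeOfRawData (+16) and PointerToRawData (+20) of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_table + i * SEC_HDR + 16)
        end = max(end, base + raw_ptr + raw_size)
    return end - base if len(buf) >= end else None                  # None: truncated capture

def carve_pe(stream: bytes):
    """Return [(offset, size), ...] for every complete PE file found in the stream."""
    found, pos = [], 0
    while (pos := stream.find(b"MZ", pos)) != -1:
        size = pe_size_at(stream, pos)
        if size is None:
            pos += 1            # stray "MZ" bytes: keep scanning
        else:
            found.append((pos, size))
            pos += size         # skip past the carved file
    return found

def build_fake_pe(payload: bytes) -> bytes:
    """Constructed PE-shaped blob (DOS stub, COFF header, one section) for the demo."""
    dos = bytearray(0x40)
    dos[0:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                      len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + sec + payload

# Constructed sample stream: HTTP response carrying a file, junk containing "MZ", a second file
HTTP_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
STRAY = b"\r\nMZ stray bytes that are not a header\r\n"
SAMPLE_STREAM = (HTTP_HEADER + build_fake_pe(b"A" * 16) + STRAY
                 + build_fake_pe(b"B" * 32) + b"end\r\n")
```

Calling `carve_pe(SAMPLE_STREAM)` returns the two (offset, size) pairs and ignores the stray "MZ"; a file cut off by the end of the capture is reported as None by `pe_size_at` rather than carved short.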

On the other hand, you don't always know what payload you are going to find, and drive-by malware is everywhere, so is any system actually safe these days?
