Fileless malware forensics

This weekend I’ve been watching videos about forensics to look for labs for my students of the Digital Forensic course. I would like to highlight one of them. It’s a fileless malware forensics talk that I will use for the training course. What’s really interesting in this talk is the fileless malware analysis because this kind of malware doesn’t store any file into the operating system but it’s able to execute instructions through the command line while operating in memory. Therefore, it’s really difficult to acquire evidences to know how the malware works.

How a Fileless Attack works

Actually, there are three talks I would like to highlight. The first one is about acquisition in complex incidents. The second one is acquisition in the cloud, which is also really interesting because we can learn how to acquire digital evidences of AWS. The third one is about fileless malware forensics, which shows, step by step, how to analyse the Windows Prefetch folder, web history, event logs, memory, etc from the memory acquisition and triage. It’s an interesting forensics to learn how to analyse a fileless malware.

Keep learning and keep studying my friends!!

A basic computer forensics

There are people who think forensics is a small part of Security. That’s right, but this small part is very big. Usually, there are two kind of computer forensic investigators. The guy who acquires the digital evidences and manages the laboratory, and the specialist who analyses digital evidences. The role of this last one is very important because he must have deep knowledge about the technology which is going to be analysed. For instance, if a video game console has to be analysed, the case will need a video game console specialist. Therefore, computer forensics need lots of specialist with deep knowledge in specific fields.

This post is not going to be about a difficult and specific computer forensic analysis but about an easy one. You will be able to watch in the next video how to look for encrypted files as well as virtual machines volumes. In addition, we’ll recover deleted files and we'll check file extensions to look for alterations. We’ll also analyse the disk partition and the file system with the aim of knowing what operating system and applications were running in the digital evidence. What’s more, system and security events will be analysed to look for interesting facts as well.

This is a basic computer forensics where we have used six tools. AccessData FTK Imager for mounting digital evidences. Passware Encryption Analyzer to look for encrypted files. Autopsy, which is a digital forensics platform that I really love, to look for virtual machines volumes, files, mail accounts, etc. Active Disk Editor for analysing the disk partition and the file system. Windows Registry Recovery to know applications installed, operating system version, IP address, etc. The last tool I’ve used is Event Log Explorer for searching windows event logs.

Do you think it’s difficult? Keep learning and keep studying!!

Forensic - Data recovery and metadata analysis

My first step into Forensics was 9 years ago when I was studying a master’s degree about System Administrator with Open Source Operating Systems. This master’s degree had a subject about Forensics. Later on, I’ve taken training and I’ve tried challenges about Forensics such as the CyberSecurity Challenge in the ForoCIBER 2018. Today, I’m writing about data recovery and metadata analysis because I’ve recorded a video, which will be the next laboratory, for my students of the Forensics Training Course at FEVAL in Extremadura.

Edmond Locard

We can watch in the next video how to recover data and analyse metadata of a memory stick where there were 10 pictures but only three of them are interesting. First, we verify the SHA hash to check image hasn’t been modified. Secondly, we have to mount the image in read-only for keeping image safe. Once image is mounted, we can work with it. We analyse the file system. We can also recover data. Finally, we can even know where pictures were taken and what camera took the pictures. I think this is an easy and interesting laboratory for beginners.

There are lots of Digital Forensics Tools. You can watch some of them in the video. There are also lots of information on the Internet to deep down in Forensics. What’s more, there are certification such as the Computer Hacking Forensic Investigator (CHFI), which could be the starting point to Forensics. Therefore, you just have to want learning and looking for the time for training.

Keep learning and keep studying my friends!

RDMA over Converged Ethernet (RoCE)

I didn’t know anything about RoCE till weeks ago when a sales engineer told me about this technology. It’s amazing. Actually, I’m studying these days how to configure RoCE and I will end up installing and deploying this technology. However, I’ve realised RoCE uses the Data Center Bridging (DCB) standard, which has features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), Data Center Bridging Capabilities Exchange Protocol (DCBX) and Congestion Notification. All of them useful for RoCE.

If we want to understand RoCE, firstly, we should know about InfiniBand. The first time I heard about InfiniBand was two or three years ago when Ariadnex worked for CenitS in a project of supercomputing. They have 14 Infiniband Mellanox SX6036 switches with 36 56Gbps FDR ports and 3 InfiniBand Mellanox IS5030 switches with 36 QDR ports 40Gbps for computing network. Therefore, we will see most InfiniBand networks in High-Performance Computing (HPC) systems because HPC systems require very high throughput and very low latency.

CenitS Lusitania II

RoCE stands for RDMA over Converged Ethernet and RDMA stands for Remote Direct Memory Access. This last technology, RDMA, was only known in the InfiniBand community but, lately, it’s increasingly known because we can also enable RDMA over Ethernet networks which is a great advantage because we can achieve high throughput and low latency. Thanks to RDMA over Converged Ethernet (RoCE), servers can send data from the source application to the destination application directly, which increases considerably the network performance.

RDMA over Converged Ethernet (RoCE)

 

Clustering, Hyper-Convergence Infrastructure (HCI) and Storage solutions can benefit from performance improvements provided by RoCE. For instance, Hyper-V deployments are able to use SMB 3.0 with the SMB Direct feature, which can be combined with RoCE adapters for fast and efficient storage access, minimal CPU utilization for I/O processing, and high throughput with low latency. What’s more, iSCSI extensions for RDMA, such as iSER, and NFS over RDMA are able to increase I/O operations per second (IOPS), lower latency and reduced client and server CPU consumption.

RDMA support in vSphere

In addition to RoCE and InfiniBand, the Internet Wide Area RDMA Protocol (iWARP) is another option for high throughput and low latency. However, this protocol is less used than RoCE and InfiniBand. In fact, iWARP is no longer supported in new Intel NICs and the latest Ethernet speeds of 25, 50 and 100 Gbps are not available for iWARP. This protocol uses TCP/IP to deliver reliable services, while RoCE uses UDP/IP and DCB for congestion and flow control. Furthermore, I think it's important to highlight that these technologies are not compatible with each other. I mean, iWARP adapters can only communicate with iWARP adapters, RoCE adapters can only communicate with RoCE adapters and InfiniBand adapters can only communicate with InfiniBand adapters. Thus, if there is an interoperability conflict, applications will revert to TCP without the benefits of RDMA.

RoCE and iWARP Comparison

To sum up, RDMA was only used for High-Performance Computing (HPC) systems with InfiniBand networks but thanks to converged Ethernet networks, and protocols such as RoCE and iWARP, today, we can also install clusters, Hyper-Convergence Infrastructures (HCI) and storage solutions with high throughput and low latency in the traditional Ethernet network.

Keep reading and keep studying!!