Nov 13, 2012

Changes to NHT Consulting


Effective November 1st 2012, NHT Consulting is no longer accepting clients. Existing NHT clients will be transitioned to a sister company and will still be handled with the quality and professionalism they have had in the past.

The reason for this is that I have accepted a full-time position with TrustedSec as a Senior Security Consultant. Here is a little background on TrustedSec:

Company History:
TrustedSec, LLC was founded on the belief that the information security industry is in need of extremely tailored and niche services aimed around maturing a company’s security program. The founder, David Kennedy, started off his career working for the National Security Agency (NSA) and then went on to become the Chief Security Officer (CSO) for a Fortune 1000 company. At this company, he built one of the industry’s cutting edge security programs from the ground up.
We understand the nature of business and the hurdles needed to develop a security-conscious culture within an organization. Having built a number of security programs and matured organizations’ security posture, TrustedSec is one of the leading security consulting firms in the nation. Instead of being “just another vendor”, TrustedSec prides itself on establishing a long-term relationship with our customers by establishing trust and making sure we are only offering services that will enhance the security of our clients.

Our team is made up of highly-skilled and technical leaders in security that have the ability to communicate to the business in a way that everyone understands. Our goal isn’t to provide just a penetration test or a risk assessment, but to ensure that the company progresses in a maturity model towards successfully defending against attacks. Successful security programs are built with the idea that the entire organization promotes security. 

We continuously contribute to the open-source community and the betterment of security in general. David Kennedy developed “The Social-Engineer Toolkit (SET)” and “Artillery“, two leading open-source toolsets in the security community with over two million downloads from across the globe. TrustedSec’s President / CEO was one of the founding members of the Penetration Testing Execution Standard (PTES), one of the most popular frameworks and standards to leverage for penetration testing methodologies. In addition to open-source development, TrustedSec consultants speak at a number of security conferences around the world including Blackhat, Defcon, ShmooCon, DerbyCon, Hashdays, InfoSec World, BSIDES, Hack3rcon, Information Security Summit, ISSA, ISACA, Infragard, and many other conferences.

I am looking forward to being a part of a very dynamic and professional team.

For more information check out http://trustedsec.com

Mar 29, 2012

RAM Forensic Analysis - Useful in Penetration Testing?

I recently had the privilege of attending an Advanced Live Forensic and RAM Analysis course taught by a close friend of mine, Nick Furneaux, while in England a few weeks ago. Nick is an amazing teacher and an expert on digital forensics. He has worked on investigations for private corporations, law enforcement and other government entities. Recently he was "involved in a prosecution of a man who was accused of various forms of grooming, sexual assault, voyeurism etc of several teenage girls in his community centre." Using some amazing forensic visualization techniques, the pedo-creep defendant was found guilty. More on that in Nick's blog (link below).

Going into the course, I honestly thought it would be a blast and that the material would really get my hacker juices flowing. But in a practical way, based on my current job, would I be able to apply it? Being a pen-tester by trade, with digital forensics only a small part of what I do, I was skeptical, although very excited to attend. Could I use this in pen-testing?

After the first day I knew the answer. YES! I can use this in pen-testing, primarily in internal pen-tests with physical access to machines, or even in remote external post-exploitation scenarios. The course focuses on what can be acquired from dumps of live memory before a system is shut down. It's interesting to note that the de facto method in digital forensics to date, the way I had been trained previously for a criminal investigation or even corporate espionage, was to power the system off, dd image the drive, lock the drive in a vault and then perform the forensic investigation on the raw image file you retrieved, maintaining the chain of evidence throughout.

But what about RAM? What exactly is stored in RAM that could be of use in either a criminal investigation or, from my point of view, what can I dump from RAM that I can use in a pen-test?

Basic fact: If it's running, it's in RAM! Programs, services, registry, etc.
Like what?
Let's see…
  • Internet history/typed URLs
  • Saved passwords, and even passwords leaked by disk encryption products (e.g. BitLocker, TrueCrypt, etc.)
  • IM logs (Skype, MSN, AIM, etc.)
  • Running processes/programs --> malware analysis? Yup.
  • DLL handles
  • Windows Registry (yes, the whole Windows registry is loaded into RAM while the OS is running)
  • Network connections: remote IPs, ports, PID of the socket initiator, etc.
  • Windows SYSTEM & SAM hives. I repeat: SYSTEM & SAM hives! Hash dumps, my friends. (Useful in a pen-test, no?)
  • And so much more…
A wealth of juicy info ripe for the picking. Fun times await!!

With internal pen-tests, we sometimes overthink entry points or ways to gather information during an engagement. How many times have you used social engineering to access someone's workstation? Can you get a few minutes alone on the system, or even have the user run a small utility to dump the RAM on the machine? Most likely yes.

As a test, I used a small 202 KB Windows executable called DumpIt on a Windows 7 machine (2 GHz CPU, 2 GB RAM) to dump the machine's memory. Total time needed? 48 seconds. Granted, this wrote the image to local disk, which reduced the time needed to write the raw file. Running the same executable from a USB 2.0 drive, the time was 2:58 (minutes:seconds). Still, in under 3 minutes you have a raw image of the memory IN USE on the system. There are of course several other transport methods that could be used. Keep in mind that the more RAM the machine has, the larger the image dump, and the longer it takes to acquire.

The course showed practical use of commercial tools such as Helix Pro and F-Response, but it also made use of OSS tools like Bulk Extractor and the AMAZING Python-based Volatility framework. All in all, for me, this solidified the correlation between pen-testing and proper digital forensics. Looking back, I don't think there was a single pen-test I performed where I couldn't have made use of the forensic techniques I learned in this course.

Malware analysis is another area in which these techniques apply. Nick provided real RAM image dumps of Stuxnet- and Zeus-infected machines, and we analyzed them to find the infected processes as well as to dissect and understand the logic of the malware itself. It was very enlightening and educational, and it has sparked a new interest in this type of research for me.

In closing, if you want to properly perform digital forensics on a target, as well as have your mind blown, take Nick's course if you can. And stay tuned: you may see it coming to the US in the near future.

Presently, and with permission from Nick, I am putting together a talk on this subject and plan to present it at DerbyCon 2.0 this year. http://derbycon.com


More info:
Nick Furneaux
Company site: CSITECH http://csitech.co.uk
Twitter: @nickfx