Friday, January 20, 2012

Funny keyword search results

This cracked me up.  A friend of mine is doing a forensic analysis of a laptop that belonged to a software developer at a company.  He was told to search the machine for suspected pornography, and to include the actual word "porn."  What came back in the search?


Saturday, January 14, 2012

Command Cyber Readiness Inspection

In the coming weeks I will be traveling to a base in order to help them prepare for a Command Cyber Readiness Inspection.  I have never participated in one of these; typically I am auditing a system for certification efforts.

As far as I understand, DISA picks the unit/system that is undergoing the inspection.  There is a series of checklists that they will use and that must be completely filled out.  It also appears that they will Retina scan the entire system.  In addition to helping the unit prepare by running a "pre-audit," we will be ensuring that documentation is complete and up-to-date.  Our only "true" deliverable will be a POAM, so that the unit knows what they need to fix or update before the actual inspection takes place.

I would be interested in hearing more about the mechanics of a CCRI: who gets selected, why, etc.

Monday, January 9, 2012

Sharepoint 2010 and Apache STIGs have been released for January 2012

I received an email that DISA has released the Sharepoint 2010 and Apache Web 2.0 and 2.2 checklists for Windows and UNIX.  The requirements for both of these STIGs are effective immediately.

Thursday, January 5, 2012

Tr3Secure Data Collection script

The other day, I saw a post on Corey's blog (Journey Into Incident Response) that was really cool.  He released a script that quickly grabs volatile information from a possibly compromised machine.  His post documents the whys, the tools, and the framework of the tool, so I'll let you read the post rather than summarize it.

What I'll add is that this script does a lot of great things.  I pulled down the dependencies and started testing the script out on some of our test laptops.  The laptops that I've used have been a mix of Windows XP and Windows 7 machines with various amounts of RAM.  The script has run quickly, and it formats the output efficiently for analysis after the fact.  Some of the tools I was familiar with; others were new to me and warrant further study.

I will be using this script (as I get more familiar with it) on machines that I receive when collection of volatile data is paramount.  Further, after learning some new tools, I will be incorporating some of the methodologies into DoD auditing.  Certainly, I see the potential to replace some of the WMI calls I use to grab information from machines we are auditing, because the script's output is better.

Another plus of this script is that it runs from a .bat file.  Most of my scripts have made heavy use of cscript/wscript, and I've found that cscript/wscript is not installed on all machines.  Batch files tend to run on all machines.
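As an added illustration of that batch-only approach (my own sketch, not Corey's Tr3Secure script, which you should get from his post): a minimal collector that uses nothing but cmd.exe and the command-line tools shipped with XP Pro and Windows 7, records whether cscript/wscript exist on the host, and writes each tool's output to its own file in order of volatility.  The output-root argument, the file names and the tool list are my assumptions, not anything from the post.

```batch
@echo off
REM Added illustration, not the Tr3Secure script: a minimal volatile-data collector
REM written in plain batch with in-box tools, so it runs on hosts where
REM cscript/wscript is absent. Assumptions (not from the post): run from an
REM elevated prompt on XP Pro or Windows 7, with the first argument optionally
REM naming a writable output root such as the response USB drive.
setlocal EnableExtensions

REM Output root: first argument, or a "collection" folder beside this script.
set "OUTROOT=%~1"
if "%OUTROOT%"=="" set "OUTROOT=%~dp0collection"

REM Build a filesystem-safe timestamp. %DATE%/%TIME% are locale dependent, so
REM every separator that could appear is replaced rather than parsed.
set "TS=%DATE:/=-%_%TIME::=-%"
set "TS=%TS: =_%"
set "TS=%TS:.=-%"
set "TS=%TS:,=-%"
set "OUT=%OUTROOT%\%COMPUTERNAME%_%TS%"
mkdir "%OUT%" 2>nul
if not exist "%OUT%\" (
  echo Cannot create "%OUT%"
  exit /b 1
)

REM Record who collected, where, when, and which scripting hosts were present;
REM that context is the first thing an examiner wants when reading the output.
> "%OUT%\collection_log.txt" (
  echo Host:  %COMPUTERNAME%
  echo User:  %USERDOMAIN%\%USERNAME%
  echo Start: %DATE% %TIME%
  if exist "%SystemRoot%\System32\cscript.exe" (echo cscript: present) else (echo cscript: absent)
  if exist "%SystemRoot%\System32\wscript.exe" (echo wscript: present) else (echo wscript: absent)
)

REM Collect in order of volatility: network state first, then processes, then
REM sessions, services and scheduled tasks. Each tool's output goes to its own
REM file, named after the command that produced it, so analysis can start
REM without guessing at provenance.
netstat -ano                 > "%OUT%\netstat_ano.txt"    2>&1
ipconfig /all                > "%OUT%\ipconfig_all.txt"   2>&1
arp -a                       > "%OUT%\arp_a.txt"          2>&1
tasklist /v                  > "%OUT%\tasklist_v.txt"     2>&1
tasklist /svc                > "%OUT%\tasklist_svc.txt"   2>&1
net session                  > "%OUT%\net_session.txt"    2>&1
net use                      > "%OUT%\net_use.txt"        2>&1
net start                    > "%OUT%\net_start.txt"      2>&1
schtasks /query /fo LIST /v  > "%OUT%\schtasks_v.txt"     2>&1

REM Close the log so the run is bounded by two timestamps.
>> "%OUT%\collection_log.txt" echo End:   %DATE% %TIME%
echo Collection written to "%OUT%"
endlocal
```

Run it from the response media (for example `collect.cmd E:\`) so nothing is written to the suspect disk.  One caveat worth keeping in mind: a collector this bare trusts the target's own copies of netstat, tasklist and friends in System32, which is exactly what a compromised host may have tampered with; that is the usual reason fuller collectors ship known-good tools as dependencies and call them by explicit path instead of relying on whatever the host provides.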