
BSides Cincinnati 2017 - 1:00 PM - Joe Gray Caroline Stephens - Data Carvey

BSides Cincinnati · 2017 · 50:36 · 35 views · Published 2017-05
Category: Technical
Style: Talk

Transcript [en]

So our next speakers are Joe Gray and Caroline Stephens. Joe's from Knoxville. Knoxville, Knoxville, the UL is how you spell that. Joe is a passionate professional that works as a consultant and also blogs and podcasts and is just a general lover of InfoSec, and Caroline is entrenched in the world of risk management while trying to hone her technical skills. So guys, welcome Joe Gray and Caroline Stephens.

How's it going? Absolutely, Bob. There's a little bit of a schtick to it. We didn't think about the dynamic of wearing a hat and a wig through this, so we've got to get our jokes out early. That being said, party on, Wayne. Epoch. So a little bit of backstory on that: I was talking to a friend about data carving and I had a sinus infection. They're like, why are you telling me about Dana Carvey? So this was born.

So with that being said, yep, I'm Joe Gray. I do work at Sword and Shield. Prior to InfoSec I navigated submarines for seven years. I used to teach at a couple of colleges in Georgia before I moved. I do have a blog, a podcast; I write for anybody that's willing to publish. Everything is under the Advanced Persistent Security umbrella, for that.

So the objectives of this talk: this is going to be a little bit basic, entry-level type stuff on data carving. It sounds a lot more complicated than it is when you're using tools. If you're doing it manually, then we're really not going to get into that, because we could be here for hours; it's a lot to learn in a short period of time. So we're going to talk about what it is, why you would do it, how it works, we'll talk a little bit about types and tools, offensive and defensive use cases, and then we'll do some demonstration periods. So we're talking about carving; don't worry, there's no severed heads.

So, what it is. I mean, as you can see, I'm not going to read the slides to you, but you know, as an analyst you want to be able to provide some of the best findings to the powers that be, to let them know if your system is infected. And one thing with data carving: it can be done really quickly, taking packet captures rather than having to go through a whole system. Alternatively, you can also use a disk image like a dd or an IMG file and use a tool to reconstruct an operating system. So you may have a forensic image of something and you want to see what files exist on that system; that is definitely a way to do so as well, which we'll see a little bit later. And basically it's all going to revolve around specific key principles and aspects of files and the properties of the file, but at the end of the day it's all about saving time.

And I've got a little surprise here, just because, Chris, I do. [Laughter] Because we are not worthy, Chris. All right, well, if you want to know about data carving with packet captures you should read chapter 12 of the third edition of Practical Packet Analysis, on sale now, and while you're at it you should empty your pockets and send any change, they like checks, to Sword.

So basically, to understand this we needed to talk about how things are going to work, and this is basically deconstructing a file in terms of: you have your magic number that's going to tell you what kind of file it is. It doesn't matter if the file type says EXE or if it says JPEG or Word, whatever it says, the magic number is going to dictate what it does. You may remember around the time of Hack the Pentagon there was a vulnerability called ImageTragick, and basically that allowed people to upload executables as image files, and it allowed it to basically perform remote code execution, and it was found in bug bounty programs. Someone was making a killing doing this and just absolutely destroying bounty programs, and finally groups like HackerOne and Bugcrowd were like, wait a minute, you're doing this on every single thing, what's going on here? So they did a little bit of research and that's what came from it.

But with it, basically we just find out things like the length of it, the packet data, that's what's really important, and it's been a precise art at times as well, knows that basically you want to handle this aspect well. There's a whole lot of cool tools out there. I mean, yeah, I'm real big on command line, so those are usually the ones I use, but for, you know, a noob there's a lot of GUIs out there as well. There's like four different types that we're just kind of going to gloss over for this particular talk: it's just cluster-based, sector-based, byte-based and hash-based. Again, you can read; I'm not going to read them specifically out to you.

One of the things: did you want to show them a list of the magic numbers? Sure, let's do that. So we've talked about magic numbers and kind of how it works, so in that sense we have the meats. Not really, that's an Arby's commercial. Before you head it over... but with this we can see various file types have these magic numbers. You're going to see these within the header of the file. Like, for example, if you see FF, because it's a zero from here, might be a D8, that's definitely going to be like a JPEG. Alternatively, like Flash, which is something we're seeing a lot with ransomware right now, you'll see the string FWS in there as well. So this is the hexadecimal representation of that; this is also how you can have a little fun with that. So here's FWS: 46 57 53. Or alternatively you have this aspect as well.

So whenever you're running a tool it's looking for these types of strings so it can say, hey, this is this type of file, and it will look for the footer of the file as well to say this is where we need to stop. That's where it becomes an imprecise science, and in that regard, a few weeks ago I was doing some carving on a forensic image as part of incident response and I thought I'd hit the motherlode. I was like, yes, here's all these Flash files, they've been pwned. Yeah, absolutely, which is never good, but it's somewhat vindicating when you're doing the incident response and you think you're finding something like this. Come to find out, whoever wrote the Java code for it sprinkled the letters FWS throughout their code left and right. It'll clash for us today? No. But that just goes to amplify the thought process that the tool might give you something, but tools are not everything; you have to perform that level of human analysis that goes along with it. Go line by line, look at it, use various analytic techniques to actually determine: is this legitimate? Then do things like get a hash of the file, check it against something like VirusTotal, which we'll talk about a little bit later when we deal with pcaps, but it was something to validate it. If you have a malware analysis environment, try to move the file over. As we'll see whenever we play with Scalpel here in a little bit, you can very easily extract files, and then if you have something you think may be malicious or something that warrants further analysis, you can move it to that environment and have a better look at it, get more analysis beyond the scope of just the hash, the file name and what VirusTotal says.

So moving it back to the presentation, did it on my side. So with that, it's a good time to start talking about Scalpel. So there used to be a tool called Foremost, and the author of Foremost is actually, if I'm correct, speaking at NolaCon this weekend, and it's Dr. Golden, and basically it kind of started to die off, so Scalpel came along. It's maintained by the same organization that does The Sleuth Kit and Autopsy, which is a ridiculous toolkit that just allows so much analysis on so many levels. We're not going to get into that on this one; we mention those and Volatility later on, but yeah, you'd have to have an hour-long talk with the demo. There's no way; it's a very robust framework with The Sleuth Kit being the back end, Autopsy being the GUI.

But with it we have capabilities as shown on the screen, and then basically, think about it: how is all this done? The next-to-last bullet sums it up: it's regular expressions looking for magic words for the headers and the footers, and that's where you can get messed up. That's why I thought I was finding Flash files in code written in Java. When you see FWS three lines below something.class, it's a pretty good indication, probably not; it's not the drunk, or the droids, you think you're looking for. So with that, another one would be FTK, Forensic Toolkit. We're not going to really get too heavy into that one either; we wanted to try to stick with a very small tool set as opposed to just playing tool roulette, but it's considered industry standard. There is a free imager, Imager Lite, that you can use. It has a lot of capabilities alongside Scalpel; it's just a matter of choice. FTK is more GUI-based. Obviously here you can see that there are capabilities of command-line operation, but it's not really what it's known for. There are capabilities to integrate with other tools: Volatility, using plan LAN and Python, Autopsy's and tips man line, and those are all OS. So, and then if you want to know more about Volatility, it's definitely a very robust product; Andrew Case is heavily involved in that. I think he's also speaking at NolaCon today. I know he's active in BSides New Orleans as well.

So let's think for a moment about use cases. What we've talked about so far has been solely defense. So you have a packet capture, you want to know what people in the network were doing, so you have the packet capture, you can carve things out. OK, well, this is how this ransomware ended up on our network, here's the host it came from, so forth and so on. Or we have a forensic image: what kind of files were there, what can we reconstruct? OK, so thinking about this, and this was before WannaCry brought everyone to tears, but I did really wonder what Tears for Fears have to say about it, to be honest. But anyway, so what if you were in a situation where you had achieved some man-in-the-middle? So you've done some sort of ARP flooding, you've found a SPAN port, you've got physical access to their Gigamon, something to that effect. So in theory couldn't you use this for an offensive purpose? Couldn't you get between a file stream between a workstation and, say, a file server, capture the SMB packets, and then boom, you have the file? We'll go over this in just a little bit, but it's definitely not just a defensive tool. It's not something like a UAC bypass that you're going to see in an offensive scenario, but it's definitely something that you could use offensively if you are in a situation that required it. So I guess in summation on that one: carving and pcaps aren't just for defense anymore; they really never were. So I think it's given old Wayne here a headache, so that means that we're going to shift to the demo period. I hope we've appropriately sacrificed to the demo gods, but you know, it's truly a thing. Shifting the screen here for a moment.

Come on, there we go. So with this I'm going to show a tool called NetworkMiner, and through my research over the past few weeks I have determined that this is one of the greatest things since sliced bread. Chris is nodding, so that means you should go download it. There is a paid version, but absolutely. So with this let's start out with something simple. So we're going to take a pcap here; I've downloaded some pcaps. Oh, I forgot, I don't want to get a pcap, let's open the pcap. So I've downloaded a few pcaps; I'll show you where they came from here in a moment, but let's go with something here. Hey, anybody heard of this? There's no file to pull from, so I desperately tried yesterday to get my hands on a pcap of WannaCry, but it just wasn't in the cards. So we're going to play with Neutrino exploit kit.

So here we've got a packet capture that talks about all the data, the hosts that communicated. I understand the font's small; I can't zoom in or out in this app, so just bear with me for a moment, I'll talk you through it, it will be fine. So here we see the hosts. We can actually further enumerate things like the MAC address, sometimes the operating system, we can see the sent and received packages, so that gives us a lot of really good context. But alternatively, here we see files. So this is Neutrino; it's an exploit kit, keep that in mind. So let's just do it by file size, and right here is a giant SWF file. This is a Flash file or an exploit kit. So what's going on here? Is this malicious? Could it be? Well, absolutely.

So the beautiful thing about this specific tool is we can actually calculate the hashes, so if you're going to conduct analysis in this sense, this is certainly a way to go. So there's a few methods we can go about analyzing this to determine if it's truly malicious or not. So what I'm looking for: we could very easily go to VirusTotal. There's the hash; I'll search for the hash, see what's in there. Oh look, so based on the hash alone it tells us this. We don't want to do it by hash? OK, there's another way for that. So let's go back here and let's move over to the Miner again. So from here, that's out. So very simply we can open the folder, so it's already got the files on your workstation. I will warn you, if you're doing this you probably want to put an exception in your antivirus rule or your machine is going to go bonkers. If you have automatic backup set up, you're going to want to put an exception on that directory too, or do it on a malware analysis station; that's another option as well.

So we move back to VirusTotal; we're going to choose the file. So in this case we're already there, it's the same file. We'll go with the one from today and we'll scan it. So 23 of 56. Chris, do you think that's a high enough number? Would you say, with your confidence, is it delicious? There you go. So this also can kind of give you a little bit of an idea about the quality of your antivirus as well. I'm not on the payroll of any antivirus vendor, but I did find it rather interesting that some of these right down here may or may not say this is fine. So, you know, hey, just facts. But that's definitely something to take into account.

Another way that you could actually do the same thing: going back with the hash for a moment, let me close this part out. So we wanted to run with the hash a little bit more and do something else, so instead of using MD5 we'll use a different one, because it provides various hashes. So here we'll just copy it again, paste. I'm a huge fan of AlienVault OTX. The company I work for is an AlienVault partner, so we like AlienVault products. I write blogs for them as well; I did that before I started. So it's a decent product in terms of free threat intelligence; it's definitely worthwhile. But here we put the hash in, and all of a sudden we see it really can't. So, but this is based solely upon whether someone's actually submitted something or not. In this case I think I'm actually, yep, I'm the one that submitted it. Some people submit a lot, two people down. Does this mean it's true threat intelligence? Not necessarily. To kind of echo the conversation that Ben Shipley and myself had at BSides Nashville, you know, does it indicate threat intelligence? Not necessarily.

Here's some of the data that we've got with it, just to go from it. I took the data that I collected in NetworkMiner and got a little bit of additional data from SANS, but for the most part, you know, right here we get this from that Miner: we get IP address, there's another hash, there's another hash, and we got this data out of it as well. So honestly, that right there is enough to say, yeah, you've got this: someone's connected to a known host that's peddling some Neutrino, we've seen the hash come across, so you definitely want to take a closer look, especially if you use some of those antiviruses that had the green icons next to them.

So where can you get these captures? Well, there's a beautiful place; it's Contagio, and basically search here for a collection of pcaps, anything you want to analyze. I've already checked; WannaCry's not there, I tried. All right, it'll send you to this Dropbox page, and from here you can do it by APT, by crime or public. So let's just look at this, look at exploit, it's just for the sake of argument. Come on, think it, a lot of exploit kits.

And would you know, the Internet's going to get a little wonky on us. If you're not, though, let me go ahead and search for CFReDS. So to move to filesystem-level data carving, this has a project called CFReDS, and here's a beautiful thing about this, if it loads. I'll tell you about it until it loads; if it doesn't load, then there's the URL where it's loaded. So with it, if you're going to test a tool and you want to determine the validity of does it work, or you're trying to learn how to do this because you're just starting out... So like I said, I've been in InfoSec for quite a while, but I've not been doing this stuff in InfoSec for a very long time, so I come across a lot of resources to learn. So in doing so you have your stuff here. Again, it's a tool testing, equipment check-out, staff training, proficiency training. So here you can actually look and see there's some file carving images. So with these there's your dd file, which we'll discuss in a moment, and it tells you exactly what file types you should expect to see in that, and this is a means that you could use to validate FTK. You can use it to validate The Sleuth Kit, Autopsy, all that fun stuff, as well as Scalpel, or if you're running your own application using your own regular expressions, this would be a means for you to validate your data, because you already know what's supposed to be there. So you just grab one of these. I've already got one in a virtual machine, so I'm not going to download any here, but you see there's various file types, so you can actually hone your tools to make sure that you're hitting the header and the footer in the right location based on your regular expression work, again the tool, or you're just trying to learn to do something.

So let's check the Dropbox again. OK, so it's up. So here we see various types of malware, and it's grouped by year and month and all kinds of stuff there. I really don't want to download one of these and have to unzip it 'til victory. Yeah, so it's grouped that way, so you're not going to be able to index it by the name of the actual malware, but if you search through the Contagio website you can actually find everything here as well, and find the pcap, download it and work from there. This is definitely not the only resource out there; it's one that I found to be one of the most helpful if you're looking for samples, so I highly encourage you to take advantage of it. If you need a password, because all these are password protected, and it is not your standard "infected" password, you'll need to actually email Mila to get the password. So just a short email: hey, I would like the password for your website, here's my intention, and you'll get a reply fairly quickly.

So that's basically the packet capture side, and we'll come back to that in a moment. But so here we have our old pal REMnux. So here we see that within the home directory we have all sorts of really cool stuff going on, and here we've got the command line, because she told you all I like the command line. So we're going to take a look at a file and we're going to see what we can get out of it, see if there's any validity to it. So let's see what files we have here. All right, so we have three zip files here: eleven, twelve and seven. We did a little testing with the Neutrino and got a lot of false positives out of that, because it's a pcap, not a disk image. So let's deal with the eleven carve. [Music] Scroll up here. So now we're in the 11-carve-fat directory. The reason it's a FAT directory is because it's using FAT for the filesystem, File Allocation Table, as opposed to NTFS. It's no reference to my posture whatsoever, although my mom said that I could be anything I wanted, so I chose to be Buddha.

So to do it, the command is actually very simple: so it's scalpel, and then you give it the target file, and then we want to define an output file, we can, so we're just going to call it 11a, just because, well, 11, it's already taken. So it's going to run. It's doing a... saying Golden Richard, it's on Foremost again. So done its first pass, it's doing a second pass. We can see that it's identified some headers and footers above, so there's definitely some success going on here. So it's there, so let's verify: there's directory 11a. So here we are, we have all these awesome directories. So here we see doc, gif, jpeg, movie and so on. So now we have these files; can we validate that they're real? And this is the reason why REMnux is a good option for this. So as much as I like to be command-line all the time, sometimes you just have to go GUI. So we're doing so, let's go into the 11 directory again. So here we go. So in order to do this, I had to install a few pieces of software: LibreOffice, let's see what else. Nick is a pretty man with a document, so the person who created this file, his name was Nick, and he wrote an academic paper in 2003, so that's where the reference to this comes from. But in that same sense, VLC, PDF reader and LibreOffice were the three things that I needed to install on top of this to be able to get this analysis out of a vanilla REMnux installation. So there's a document file. Here's a movie, perhaps. Come on.

Surf's up, dude. So here we have recovered a movie, so we have that. So we see that file type; what's this? Oh no, that's it, that's what it is, it's a shark. So obviously whoever had this image, they like the ocean; they could have been in Hawaii, all sorts of fun stuff there. Take a look at some PDFs here. Anyone need some light reading? Here you go. So yeah, so this was within the file system as well, and all these things were recovered using Scalpel. Again, sometimes it's far more accurate than other times; it just depends on how well the regular expressions built within the code actually work.

So moving beyond that example, let's go back to NetworkMiner for a moment. Let's stop looking at William; we'll clear everything out here. So, show of hands: who in here is in a more offensive security type role, red team type stuff? OK, cool. So there's something you take back to the office. So you're a man in the middle, and then let's work for kids right here. So here we have SMB buddy expert. So we already know SMB1 is the work of the devil; we don't need Bobby Boucher's mom to tell us that. But so upgrade to SMB version 2, you'll be safe, they say, right? You have attained man-in-the-middle status already. So notice on the bottom of the screen I do have PuTTY installed. PuTTY is not currently running, but look, we've carved PuTTY out of this communication. Oh, now we got pudding.

So, in theory, if you were able to interact with a session that was transferring, say, I don't know, "nefarious document talking about sensitive business practices that could be potentially damaging if found on WikiLeaks", for the sake of argument that's the file name. I don't know who would do that, but just in case, you know, there's a few companies that may have heard of that website before. But with that being said, you come across this and you want to make sure that, hey, you know, we might want to do something about this, or alternatively, hey, this is a pen test, this looks really juicy, I bet they'd like to see this in your report. So you carve it out; if you have the right software you can open it, you can look at it and be like, dude, they're cutting their pen test budget next year, I might want to keep this quiet. I'm just kidding; always divulge. But that's just what you can do with it. Could be a Word file, a PDF, executable, whatever.

So a question you might have, though: seeing as I have packet captures for EternalBlue as well, we can take a look at that as well and kind of see how it goes. Let's look at it on an unpatched Windows 7 machine. I forgot to delete everything out, hang on. EternalBlue on unpatched, didn't... OK, sure, let me clear everything. All right, now we're good. Let's do this again: EternalBlue success, unpatched. So here we have the hosts. So this was obviously done in someone's lab environment using VMware, all kinds of stuff; we'll see all that situational data. This is stuff typically we're using something like Wireshark or tcpdump or another packet capture tool or utility, especially if you're doing the labs out of Practical Packet Analysis; you can look at the data there as well. But here we see that there are no images, there are no files, there's nothing to be gathered from this. So this is not going to protect you against something like EternalBlue itself or DoublePulsar itself. If there's an actual file transfer in progress, it won't protect you, but it will at least give you some sort of indication of what's going on in that type of environment. We do see sessions here; we could potentially see credentials if that happened. I mean, there's this level of analysis, but that's more geared towards a more forensics-heavy discussion, beyond the scope of just data carving. Then we have some parameters here. Of course, why you block your inbound TCP port 445, folks, and I would say at least monitor your internal host-to-host. But let's look at another one; let me clear this out. So I've got another piece of malware we can take a look at really quick.

So this one right here is a Magnitude exploit kit from malvertising. It's coming up on about a year old, so it's somewhat dated, but it's still relevant as well. With this there's a lot of traffic, so lots of things to sample, most of things defined. So we'll talk a little bit about the strategy and kind of how I would go about determining what to actually look at. Obviously you're going to start with your file types, so things like JavaScript files, HTML files, PDFs, macro-enabled Office documents, Flash files of course. So as soon as it finishes... it's pretty ginormous, because you can see there's a lot of credentials pumping in here. So with the same packet capture you could actually put together a password list, or just brute-force it and use a tool like Cain and Abel to enumerate all the passwords as well. So again, outside the scope of this, but valuable nonetheless. And this is loaded like turtle racing and peanut butter, I know.

I've got more. Not having children, I have a lot of dad jokes, so while we're waiting for it to load I'll tell you a funny dad joke you'll inherit: what do you call a fish with no eyes? I'll be here all day. So here we have all these files. So what's going on with these files? So we see where they're coming from, we see where they're ultimately going to. I would start down here with the largest file size. Who here has seen an HTML file of that size? An HTML file of that size, did more legitimate than illegitimate? Not saying they don't exist, but... and that's a pretty big JPG as well. So let's see what VirusTotal has to say. So here's our folder again, so I go visit our friends again, and we'll choose our file. Very simple processing. I mean, just based on doing this alone, it's definitely prompted me to try to step up my game and learning more, at actually getting into things like malware analysis, so I repurposed my old laptop as a malware analysis station. I'm not fully complete with it, but I'm there. 54 of 61, so there we go, a pretty safe assumption that that may be one of them, and it's associated with Cerber ransomware. Anybody want some Cerber ransomware? Don't be confused with like Gerber baby food or servers. But yeah, so you have that aspect. Where's another place you can actually get these types of samples? Well, I might just have a place, so assuming it actually loads...

there it goes so I've set up a honeypot network so I use digitalocean this is very low cost really it's only as expensive as you make it better way to put it and I deployed some honey pots I used mhn to do this so got a bunch of sensors and you'll you'll see there's a lot of the host names are very original so everything is either vanilla or logging Makua gerson the purpose of logging McClure Gerson that is the host that's actually doing this so that's where this GUI is from but in addition to this log you mclarson actually upholds all the vanilla servers daily and pulls data that i've written scripts to parse IP data out of for IP

reputation data the next step to that is I'm going to be correlating that the IP data with specific ports so these are the ones going after SMB these ones are going after secure shell here someone's looking for telnet here's the ones going for my sequel so forth and so on I just haven't had the time to put that together quite yet but that's definitely the next step here's another cool thing here at the bottom we see this thing called DNA I think that's pronunciation not sure anybody familiar with this okay so here's a cool thing about it the name is actually I don't think it's the species it might be the family or the phyla of which the Venus flytrap comes

from so there's there's definitely a little method behind the madness of the name it's not just a bunch of jumbled characters like we too often see and obviously it's too well thought out to be from NSA or CIA it's not eternally anything or extra anything so from here we can actually analyze the data so here's the types of attacks that that bhutani pots have seen so here we have there's the Bell probably offering us a little mouse what good so you know you have it it tells you where it's coming from so forth and so on and with this this is the st. data that I'm polling to actually make the IP reputation list and specific firewall

rules that I'm using within the architecture so really low overhead but here's another really cool aspect of this and this is all in github if you look up mhn modern honey pot honey Network that's where you'll find it I'll show you how to deploy this stuff it is ridiculously easy my mom is is anti technique techie as possible and I think she probably could deploy this it's as easy as copy and pasting so with it we can look at the filters for snort sericata I have a when running stir ricotta so we get the data on that as well and these just based on snort or terra-cotta rules so just giving us a little bit of

insight but here's the one that I'm particularly fond of here we have a malware sample so if you go to the file structure of this actual host and go to the VAR DNA ax binaries directory you can actually extract the file out move it to another system or if that system if you so choose and conduct your analysis on it so that would be your analysis not your analysis I realized after I said it that I kind of fumble up doing the words but with that here we see here's the source port or source address destination port so this is SMB as soon as I saw it was SMB I was like oh boy I have hit the jackpot I

have got some want to cry and then I cried when I found out it was I took the hash I went to virustotal I checked ot X as well there was nothing in ot X at that time and then took the md5 here and let's see what it is because this this leads for quite the rabbit-hole if you so chose to do so you can definitely wait at least an entire afternoon so it wouldn't be a proper talk if I didn't make a reference to it so if you're going to do this make sure you have plenty of Cheetos and a lot of mountain dew so but here we see it's just trojan all of this fun stuff you

can get some relationship data on it so it's also in this bundle here's some additional information on it through further analysis based on this and clicking the other stuff I determined data was actually associated with a worm called big yellow so and what do we have with big yellow big yellow one and here's the data that was collected based on the stuff that I'd found within the honeypot obviously here you can see there's the ipv6 address if as expressed in the honeypot obviously that's probably not the only ipv6 address since that's basically just tumbling ipv4 in it we have the ipv4 addresses as well we have the file hashes and then I was able to score a hostname but I think that was

through either VirusTotal or Internet Storm Center, but either way it's relevant data. Something pretty cool: if you subscribe to it, it'll ask you every time something new comes on. Absolutely, so with OTX you subscribe to people, you subscribe to specific feeds. So if you subscribe to a person you'd get a notification every time they post something new; if you subscribe to a specific feed you only get notifications when it updates. You can change all those settings. But like with the WannaCry ones, those things have just been changing left and right, because as new iterations come out, new samples are required, people are coming across them and actually updating the feeds, and it's actually being very useful with this

kind of independently of the file carving aspect of it. If you use AlienVault USM you can plug this in directly, and if you don't you can actually use the API to write it in, I believe, TAXII format and import it into your SIEM that way if you so chose. There's also direct communication with Suricata, Snort, I believe Bro, and perhaps Blanc, not sure, but there's a lot of things you can do with it. But obviously OTX is not the purpose of this talk, but something to be cognizant of. So this is actually the one that was related, and it doesn't have quite the same detection rate either, but now we see that it's a backdoor and they're

calling it... so here someone's called it a worm, and we see that there's different names. Obviously I heard one of those... I was watching some fake news a while ago, we all love fake news and fake statistics, right? You know, Abraham Lincoln said that like 75% of the statistics on the internet were made up, there was a number, I believe. So I heard a joke that there was only like 13 original lines of code in the world and everything else is just a modification of that. So of course you're going to see some things that are going to say this is a trojan, this is a worm, and it's really, you know, something completely different

but it shares characteristics, or someone that's trying to write the code from scratch that's not as seen in the program, or they're going to take something existing, get the code and then start making their changes to make it work, and that's going to provide that confusion as well. So with that being said, there's a lot of information here. Shift back to the presentation here... if it's back to extending, you don't need any work done.

one moment
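The hash-and-lookup triage described above for a dionaea capture (pull the file out of /var/dionaea/binaries, hash it, check the digest against VirusTotal or OTX), as an added Python example that is not part of the talk: it hashes every file in a capture directory and flags the ones whose digest appears in a locally exported indicator set, so it runs offline. The directory, the two dummy files and the indicator set are constructed stand-ins, not real samples or real feed data.

```python
import hashlib
import tempfile
from pathlib import Path


# Constructed stand-in for dionaea's /var/dionaea/binaries directory,
# populated with two harmless dummy files (not real malware samples).
def make_sample_dir() -> Path:
    d = Path(tempfile.mkdtemp(prefix="binaries-"))
    (d / "sample-a.bin").write_bytes(b"MZ" + b"constructed sample a" * 8)
    (d / "sample-b.bin").write_bytes(b"constructed sample b")
    return d


def hash_file(path: Path) -> dict:
    """MD5/SHA-1/SHA-256 of one captured file, read in chunks so a large
    sample does not have to fit in memory. These are the digests you would
    look up on VirusTotal or OTX instead of uploading the sample itself."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "size": path.stat().st_size}


def triage(directory: Path, known_bad: set) -> list:
    """Hash every regular file in the capture directory and mark those whose
    digest (any algorithm) appears in a local indicator set, e.g. hashes
    exported from an OTX pulse. Returns one dict per file, sorted by name."""
    report = []
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        entry = hash_file(p)
        entry["name"] = p.name
        entry["known"] = any(entry[a] in known_bad for a in ("md5", "sha1", "sha256"))
        report.append(entry)
    return report


if __name__ == "__main__":
    capture_dir = make_sample_dir()
    # Constructed indicator set: pretend sample-b's SHA-256 came from a feed.
    indicators = {hash_file(capture_dir / "sample-b.bin")["sha256"]}
    for row in triage(capture_dir, indicators):
        flag = "KNOWN" if row["known"] else "unknown"
        print(f"{row['name']:14} {row['size']:6d} {row['sha256']} {flag}")
```

Point it at a real capture directory and a hash list exported from your feed to get the same known/unknown split before deciding which files are worth a sandbox or a manual look.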

Yes, so logical next steps from here. So given this information, where could you go from here? Obviously you can use things like CTFs, you can use data carving challenges, there's an organization that puts them out annually, that's where the eleven and the seven of the twelve came from, those were annual challenges. You can collect your own packet captures if you want to go that route, you can download them, I know Chris has a few, Wireshark actually has a few as well, so you can get those there. And honestly, if there's something specific you're looking for, if you're active on Twitter, just ask, there's a good chance somebody will actually have something, so don't be afraid to ask. Once you get a

little bit more in tune with this, and once I get more in tune with this actually as well, a good logical next step obviously, as we've demonstrated, is threat intelligence feeds to some degree, but then taking it a step further, malware analysis and reverse engineering is definitely something within that same wheelhouse that would definitely have some level of bearing with this, so you're going to get better samples in a more pure format. Obviously maintaining honeypots, that's a good idea as well. MHN is not the only one out there, I mean John Strand's company, they came up with ADHD, which is basically a bunch of honeypots wired together within a single Ubuntu operating system. TrustedSec, of

course, they have Artillery, acai pod as well. So there's no right or wrong answer with that, but that's a good place to get your samples as well. So transitioning into contacting us, how can they contact you? She just slid in. Well, my Twitter handle is txt them, or you can get ahold of me as bt fever and that's PA TNS, hey, no worries, here to help. So I'm @C_3PJoe, I also have a day TB for cystic for the podcast, blog and all that fun stuff, I'm on LinkedIn, you can email me jgray at advanced persistent security net, there's my Sword and Shield email as well, JG at sword shield. If you're

interested in contacting Sword and Shield, email secure me at, or call the number that's not on the screen, but if you want to see me afterwards I'll go to you. I'm not here to sell, but we are hiring. For the most part we're looking for someone in the Knoxville, Tennessee area, but if you're qualified, or feel that you're qualified, send your resume, and the idea of a remote worker is not lost at this time either. Another thing I don't have a slide for: October 17th and 18th there's going to be the Edge Security Conference in Knoxville, Tennessee. You may be in the room with two of the speakers, perhaps

one may have something to do with a X fund and a book, or several books, not been announced yet, but I know it's been formalized, I feel comfortable dropping that hint. I'm probably also going to speak there. It is kind of a pricey con, alright, so if you're a college student and you're interested, we're going to be running a blog scholarship, so we're going to take submissions, and if we like your blog we'll publish your blog on the Edge Security Conference website and you'll get free admission to the conference. The two keynotes, actually three keynotes, we have Miller and Vlasic, that guy who... his name is lost upon me right now, but he

was a major general at CYBERCOM, he's keynoting day two. So it's going to be a pretty good conference, a little bit offense, a little bit defense, something pretty much for everybody, be it technical and more managerial focus as well. Do you have anything else to add? Not a word. Any questions? Yes sir. REMnux, that is a reverse engineering malware specific Linux distribution curated by SANS, so if you were to take SANS Forensics 610, Reverse Engineering Malware, a majority of the work is going to be from that operating system. So it's got a lot of the tools built in to be able to conduct some level of analysis. Obviously in some cases you're going to

need Windows hosts to do certain things, but that's basically what it's for. You can also seamlessly integrate it with the SANS Investigative Forensics Toolkit, SIFT; you can install it on top of SIFT or SIFT on top of it, but they're both SANS DFIR Linux-specific distributions, so one more for forensics, one for malware, but they're both free. So if you just search for REMnux or SIFT you can definitely get that pretty easily; it's definitely a pretty good tool. Any other questions? Yes sir. Yes, and even if it's not, you can either build it from source, or if you want an Ubuntu platform it is in the

repo path, so you could just apt-get scalpel. So I think you can do the same thing with Sleuth Kit and Autopsy, but that's a little bit more advanced. Like, I tried to do a lot of work with Sleuth Kit leading up to this talk, but thanks to WannaCry and a large client of ours needing some additional time, I basically ran out of time to be able to actually get that together for them. Yes sir. I'm sorry, on a flow? So it would have to be on the actual disk image if you're going to do something like... when you say flow, you're meaning like a packet flow? With that one, that's when you're

probably going to want to do something like Wireshark, having a time interval to where you can actually create a new pcap every five minutes, every hour, every whatever. Then that's when you're going to want to use NetworkMiner for that, because it's more geared towards packet captures, where Scalpel's more towards disk images. Any other questions? Alright, thank you very much. Okay, great. [Applause]