Introducing Tim 'The tool man' Rains - PSS Security Techlead, fellow blogger, maintainer of WOLFv2

Folks, it just occurred to me that I haven't formally introduced you to a colleague of mine, Tim Rains.
Tim Rains is also a tech-lead on the PSS Security team and is an avid C++ coder (unlike me, who despises the language).

In fact Tim has a long and distinguished track record of writing a number of useful utilities over the years (some even better known than my Autodump+ vbscript! <G>), many of which are used every day by PSS and some of which are used every day by PSS Security.

He has recently released a new tool to the web - Promqry (we've gotta work on his tool name creativity). 
You can read more about it here:
https://www.entmag.com/news/article.asp?EditorialsID=6557

Tim also maintains his own blog located here that I highly recommend checking out:
https://blogs.msdn.com/tim_rains/

In the future I'm going to try and get the other tech-leads on the PSS Security team to publish informative posts like the ones I have done on recent interesting hacking cases we've been involved in so that I do not become a single point of failure in the sharing process. :) Maybe I can convince them to start a dedicated PSS Security blog that anyone from the team can post to . . . hmmmm.

Tim is currently in the process of taking WOLF (Windows Online Forensics - our live response toolkit that we use to collect data from customers' systems) to the next level with numerous improvements that only moving to compiled code can give you (it will no longer be a batch file).

As a final FYI before you ask - no, WOLF is not available for public download, for many reasons.  One of the better reasons is that we redistribute numerous 3rd party tools (with permission of course) and per the terms of our licensing agreement we are allowed to send WOLF to customers on an as-needed basis, but we are not allowed to post WOLF for public download.  As we continue to improve the data collection piece of our incident response process this may change in the future, but right now we are not allowed to distribute WOLF broadly or post it for public download - sorry.

Comments

  • Anonymous
    February 07, 2005
    The comment has been removed
  • Anonymous
    February 07, 2005
    Ah Susan - the goddess of SBS. :)

    So this is a lot to comment on via a comment and most of this would be addressed in some sort of IR training my team would provide if we provided IR training to the outside world (I'm pushing for this).

    Okay to start with I think you have a misunderstanding of WOLF and its use. WOLF doesn't 'detect' anything - WOLF is a data collection agent that's actually fairly stupid - it doesn't have any AI or built-in expert system / detection etc. It just collects stuff I tell it to collect, no more, no less.

    It's up to the analyst to do the analysis and draw conclusions about the scenarios you describe above.

    1. Alternate admin accounts - these are trivial to spot using a variety of tools, many of which are automated by WOLF. We dump the accounts, their privilege level, their properties, the password policy, the event logs and all sorts of stuff that would allow us to determine whether an account with admin rights was abused. We sometimes can tell you WHICH account was abused, other times we can't. We draw these conclusions based on the evidence in the security event log if it's there, or we do it empirically based on conclusions we draw from other sources. For example we may be able to see that some malware was dropped at X time and Y account was last logged in to at that time (based on the properties of the account stored in the SAM, not on event log data).

    The only challenge we would face here is with rootkits that can modify the token of an account on the fly making it an admin without the account actually being in the admin group.

    As for rootkits - any live response toolkit that is not able to detect the presence of all of the well known rootkits is useless. I assure you our IR toolkit has multiple tools that we've developed specifically for the purpose of detecting the presence of well known rootkits (and the way they work even allows us to detect rootkits that aren't well known either).
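As an added illustration of the account/timestamp correlation described in the comment above (this is example code written for this page, not WOLF or any PSS tool), the PowerShell function below reads local account properties from the SAM via the built-in LocalAccounts cmdlets and flags local Administrators whose last logon falls within a window around a suspicious file's creation time; the artifact path, the one-hour window and the requirement to run elevated are assumptions.

```powershell
# Example only: correlate local admin accounts' LastLogon (an account property
# held in the SAM, not Security event log data) with an artifact's timestamp.
# Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts, run elevated
# on the machine under examination.

function Get-AdminLogonsNearArtifact {
    param(
        # Path of the suspected malware drop; its CreationTime is the "X time".
        [Parameter(Mandatory)] [string] $ArtifactPath,
        # Half-width of the correlation window around the artifact time (assumed).
        [timespan] $Window = [timespan]::FromHours(1)
    )

    $artifactTime = (Get-Item -LiteralPath $ArtifactPath).CreationTimeUtc
    $from = $artifactTime - $Window
    $to   = $artifactTime + $Window

    # Local Administrators membership keyed by SID, so a renamed account still
    # matches. Note: this is SAM group membership; an account whose token was
    # elevated on the fly by a rootkit will not show up here.
    $adminSids = @{}
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $adminSids[$_.SID.Value] = $_ }

    foreach ($user in Get-LocalUser) {
        $isAdmin = $adminSids.ContainsKey($user.SID.Value)
        # LastLogon is $null for accounts that have never logged on.
        $last    = $user.LastLogon
        $lastUtc = if ($last) { $last.ToUniversalTime() } else { $null }
        $inWindow = $lastUtc -and $lastUtc -ge $from -and $lastUtc -le $to

        [pscustomobject]@{
            Account         = $user.Name
            SID             = $user.SID.Value
            Enabled         = $user.Enabled
            LocalAdmin      = $isAdmin
            PasswordLastSet = $user.PasswordLastSet
            LastLogonUtc    = $lastUtc
            NearArtifact    = [bool]$inWindow
        }
    }
}

# Usage (hypothetical path): list enabled local admins whose last logon falls
# inside the window around the artifact's creation time.
# Get-AdminLogonsNearArtifact -ArtifactPath 'C:\Windows\Temp\suspect.exe' |
#     Where-Object { $_.LocalAdmin -and $_.Enabled -and $_.NearArtifact } |
#     Format-Table -AutoSize
```

The output is a lead for the analyst, not a verdict: a logon inside the window is consistent with, but does not prove, abuse of that account, which is the point the comment makes about drawing conclusions from several sources.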
  • Anonymous
    February 07, 2005
    The comment has been removed
  • Anonymous
    February 07, 2005
    It's always hard, if not impossible, to prove a negative. Especially if you're like me and aren't an expert. Robert would be able to say a system hasn't been compromised far more conclusively than me, but even then there would still be a slight chance that he could have missed something for whatever reason. In the end I think you would have to look at how strong the evidence that suggests it has been compromised is, as well as your ability to find evidence that refutes it, and then determine if it requires increased monitoring.

    I'm interested in this question also since even skiddies will attempt to get passwords covertly by key loggers or capturing traffic instead of trying to brute force a login. That makes it much harder to both detect and investigate. The Tao of Network Security Monitoring briefly touched on this...
  • Anonymous
    February 07, 2005
    The comment has been removed
  • Anonymous
    February 08, 2005
    > Tim Rains is also [...] and is an avid C++
    > coder (un-like me who despises the language).

    Actually it is possible to be an avid C++ coder and despise the language concurrently. That's not much different from being an avid computer forensic expert while despising the fact that the need exists for computer forensic experts.
  • Anonymous
    February 08, 2005
    LOL - you are wise beyond your years my friend. :)
  • Anonymous
    February 08, 2005
    The comment has been removed
  • Anonymous
    February 09, 2005
    I can imagine that a lot of people asked about WOLF: when you talk of something cool, you make people interested in that, they get curious, and they would like to see it...

    But even if people can't use WOLF, I would like to tell them that IMHO there's a lot of things out there (available for the masses) to start doing forensic analysis with:

    Harlan Carvey was putting down a list of the best tools for this task:
    http://windowsir.blogspot.com/2005/02/tools-of-trade.html

    There are also several CD-based projects.
    "FIRE" is one of those, and it looked like a nice project, I've used it in the past - but it has been quiet and not really updated for a while now: http://fire.dmzs.com/
    It is aimed at both Linux AND Windows forensics. IMHO the Linux part includes more things than the Windows counterpart, but it still can be handy.

    There's an Italian Incident Response project (http://www.iritaly.org) that has been using FIRE as a base (for their version 1 forensics CD), and later they changed it for Knoppix (http://www.knopper.net/knoppix/index-en.html) instead:
    http://iritaly.crema.unimi.it/
    ...even if, unfortunately for everybody who's not Italian, NOT EVEN the README file is provided in English! :-(
    This CD is also Linux-based, but (same as FIRE) also provides a collection of "trusted" win32 binaries to perform analysis on a machine where you can't trust the executables you have.

    I was actually thinking that something based on WindowsPE (http://www.microsoft.com/licensing/programs/sa/support/winpe.mspx) would also be nice to have - something similar to "ERD Commander" (http://www.winternals.com/products/repairandrecovery/index.asp?pid=ap#erdcommander2005)...
    ...often what works for system recovery also works for forensics! ;-)

    For example, a lot of other scripts that are useful to dump system configurations are also used by Microsoft PSS when troubleshooting "standard" (= not security related) issues, and those ARE a public download:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&DisplayLang=en

    Again - these are meant for troubleshooting, but they can (and do) help for forensics too, IMHO.
  • Anonymous
    February 17, 2005
    Tim hardly needs an introduction - he's a real hero!!