CoRIIN 2018
[et_pb_section admin_label=»section»]
[et_pb_row admin_label=»row»]
[et_pb_column type="4_4"]
[et_pb_text admin_label=»Text»]
It's becoming a tradition; every year on the eve of the FIC, the Conference on Incident Response and Digital Forensics (CoRIIN) takes place. Here's a look back at the three presentations from the 2018 edition that we enjoyed the most.
Full packet capture for the masses
The speaker presented his approach to the problem of setting up a network capture infrastructure under a few constraints, notably the use of open and multi-platform components.
His solution relies on Moloch for indexing and visualizing flows, tcpdump for capture, and Docker for cross-platform compatibility and ease of deployment. The final architecture is relatively simple: an "indexer" container running Moloch, one or more "sensor" containers running tcpdump, and an SSH service configured to push the captures into the Moloch instance.
The Docker configurations are freely available on GitHub. The speaker has also posted his own account of the event (in English) on his blog.
Analysis of BITS jobs
Morgane Celton and Morgan Delahaye, ANSSI
BITS, or "Background Intelligent Transfer Service," is a Windows component that manages asynchronous downloads. It is notably used by Windows Update, and its key feature is to remain as transparent as possible to the user in terms of bandwidth consumption. Its discreet nature makes it attractive to malware seeking to conceal its activity; therefore, it is important to consider BITS activity during a digital forensics investigation. Some possibilities include:
- On a running system, use the PowerShell cmdlets or the bitsadmin tool (although the latter is deprecated, it offers features the cmdlets lack);
- Analyze the Microsoft-Windows-Bits-Client/Operational event log, although it records relatively fragmented information;
- Analyze the queue files (QMGR) used by BITS to coordinate its tasks.
The problem with this last option is that, prior to Windows 10, the format of the QMGR files was not publicly documented by Microsoft. The ANSSI teams took the time to analyze the format and decided to share their findings with everyone: their bits_parser tool is published on GitHub and PyPI (so it can be installed with a simple pip install bits_parser). We can only applaud this kind of initiative!
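The three collection options above, combined into a single read-only triage script for a live Windows host. This is an added example, not code from the CoRIIN talk or from ANSSI's bits_parser project: it enumerates BITS jobs for all users with the cmdlets and with bitsadmin, extracts the Bits-Client operational events that carry a URL, and copies the QMGR queue files out for offline parsing. The output directory and the pre-Windows 10 queue-file location under %ALLUSERSPROFILE%\Microsoft\Network\Downloader are assumptions to verify on the target.

```powershell
# Added example (not from the talk or the ANSSI tool): read-only BITS triage on a live host.
# Run from an elevated prompt; -AllUsers and the operational log require it.

param(
    [string]$OutDir = "$env:TEMP\bits-triage"   # assumed output location
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Live jobs via the BitsTransfer cmdlets: one line per job, with its remote/local file pairs.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers |
    Select-Object JobId, DisplayName, OwnerAccount, JobState, CreationTime, TransferType,
        @{ n = 'Files'; e = { ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ' } } |
    Export-Csv -Path (Join-Path $OutDir 'bits-jobs.csv') -NoTypeInformation

# 2. Same view through bitsadmin, which is deprecated but more verbose than the cmdlets.
bitsadmin /list /allusers /verbose | Out-File -FilePath (Join-Path $OutDir 'bitsadmin-list.txt')

# 3. Operational log: keep only events whose message names a URL, since those are the
#    records that tie a job to a remote host. No event-ID filter is applied on purpose,
#    so nothing is dropped because of a provider version difference.
Get-WinEvent -LogName 'Microsoft-Windows-Bits-Client/Operational' -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'https?://' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Url'; e = { [regex]::Match($_.Message, 'https?://\S+').Value } },
        Message |
    Export-Csv -Path (Join-Path $OutDir 'bits-events.csv') -NoTypeInformation

# 4. Queue files for offline parsing with bits_parser. Assumed pre-Windows 10 location;
#    the running BITS service may hold these files open, in which case collect them
#    from a disk image instead of failing the copy.
$qmgrDir = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Network\Downloader'
Get-ChildItem -Path $qmgrDir -Filter 'qmgr*.dat' -ErrorAction SilentlyContinue |
    Copy-Item -Destination $OutDir -Force -ErrorAction Continue

Write-Host "Artifacts written to $OutDir; parse the qmgr*.dat copies with bits_parser."
```

The three outputs complement each other: the cmdlet and bitsadmin listings show what is queued right now, the event export shows what was transferred and from where over the log's retention window, and the QMGR copies are what the offline parser needs once the host is no longer available.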
Lessons learned – WannaCry & NotPetya
Quentin Perceval and Vincent Nguyen, CERT Wavestone
The speakers presented their incident response experiences related to the WannaCry and NotPetya crises, as experienced by their directly affected clients. It was a very informative conference, from which we primarily noted the following points:
- A crisis management organization is essential (well beyond the "cyber" aspects), both for coordinating containment and rebuild actions on the information system and for communication, especially given the speed with which the press seizes upon IT crises these days.
- Anticipating the worst-case scenario (destruction of the IT system) helps prevent highly debilitating situations. For example, without paper copies of crisis management plans, employee directories, or infrastructure diagrams, crisis management can be paralyzed for a period of time.
- It is practically impossible to guarantee the total security of an information system, but the accumulation of best practices and hardening measures can act as an effective defense in depth and limit the spread of destructive malware: applying security patches, controlling the use of privileged accounts, segmenting networks, disabling superfluous features that present a large attack surface, etc. Without aiming for exhaustive coverage of measures across the entire information system, making progress where friction is minimal allows for the initiation of continuous improvement processes.
[/et_pb_text]
[/et_pb_column]
[/et_pb_row]
[/et_pb_section]
