Dailydave mailing list archives
Re: CANVAS Lightning Demo: D2 Drosera Live Forensics
From: DSquare Security <info () d2sec com>
Date: Thu, 21 Oct 2010 12:00:59 -0500
Hi Ben,

First, when we claim that we do not modify anything, it means that Drosera, as a *live* forensic framework, does its best to manipulate/change the least amount of data on the system it's running on. From now on we only need to get a driver in kernelland (of course with previous system checks), and also write the logs into the application's folder. We mean that we're not providing software with a full setup install, uninstall, dependencies and DKOM. It's a clean standalone solution that creates a process, loads a driver, reads what it needs and unloads everything.

Finally, EnCase or FTK search for files in hard drives, whereas Drosera searches for malicious activities (userland and kernelland rootkits) on a live production system in memory (and also in hard drives for some modules). Drosera is a modular tool, similar to the D2 exploitation pack, which will have regular updates based on emerging threats.

Sincerely,
-- Dsquare Security

On Wed, Oct 20, 2010 at 04:32:12PM +1100, Dexter, Ben wrote:
Hi all.

Just watched the Drosera demo, does anyone know if they have grabbed someone from the CF industry to validate the tool independently? I see claims like "Does not modify anything on the system (no new files, no hooks, no registry entries, ...)" and I get scared... any files that are touched in any way on the target system need to be listed in the tool's doco, otherwise you're likely to encounter major credibility hassles in court (opposing legal will be most happy to take a claim like that and use it to completely discredit the tool). For example, under Windows, you're going to change the USBSTOR entries just by plugging in a USB key, not to mention possible prefetch entries, etc.

The price point also seems very high for such a specialised tool when compared to fully featured tools such as EnCase or FTK. There's a definite niche for a tool like this out there, just not sure the current approach is going to aid it getting a decent share of the market. Just my 2 cents.. Happy to get any additional info anyone has on the tool - I'll put it through to the ISFCE CCE lists.

Regards,
Ben.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Alex McGeorge
Sent: Wednesday, 20 October 2010 2:55 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] CANVAS Lightning Demo: D2 Drosera Live Forensics

List,

Dave asked me to work a bit of his character's special move* on the list today. One of our long-time CANVAS Exploit Pack developers has released a pretty interesting tool that's a bit outside the usual scope of what people expect with CANVAS. Drosera from D2** is a live forensics toolkit that fits on a USB drive (with gigs to spare) and is completely self contained. It's a handy thing to have in your incident response toolkit; it is completely independent of CANVAS, so fewer worries about setting off your AV/HIDS/HIPS/HOPS when you use it.

Aimed at rootkit detection, it has a variety of methods to determine if something sneaky is going on. Come check it out and see it in action against the CANVAS HCN Rootkit.

---------
* http://www.immunityinc.com/immunityclash.shtml
** http://www.d2sec.com/products.htm

Immunity will be holding a Lightning Demo on October 19th at 3:00p EDT (UTC - 4); we expect the demo to last between 15 and 20 minutes. Space is limited to 20 and invites will be issued on a first come / first served basis. All invites will be sent no later than 2:00p today, October 19th.

To request an invite please send mail to: lightning.demos () immunityinc com with the subject of 'D2 Drosera'

If you're unable to attend or wish to see previous demos please see: http://www.immunityinc.com/webex.shtml - a recording will be posted after the demo is concluded.

If you'd like to check that your config is compatible with WebEx please visit: http://www.webex.com/lp/jointest/

Cheers,
-AlexM

--
Alex McGeorge
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 212.534.0857

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
DSquare Security, LLC
http://www.d2sec.com
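As an added example (not code from Drosera, D2 or anyone on the thread): a small Python footprint diff that does what Ben asks for, snapshotting artifact locations such as the Prefetch folder and the USBSTOR registry key before and after a live-response tool run so every touched file or key can be listed in the tool's documentation rather than claimed away. The Windows paths and the .pf file names are assumptions; the self-demo substitutes a temporary directory for C:\Windows\Prefetch.

```python
import hashlib
import os
import sys
import tempfile

def snapshot_tree(root):
    """Map each file under root (e.g. C:\\Windows\\Prefetch) to (size, sha256)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                snap[os.path.relpath(full, root)] = (os.path.getsize(full), hashlib.sha256(f.read()).hexdigest())
    return snap

def usbstor_keys():
    """USBSTOR device keys (Windows only, [] elsewhere): the entries a plugged-in USB key adds."""
    if sys.platform != "win32":
        return []
    import winreg
    keys, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\USBSTOR") as k:
        while True:
            try:
                keys.append(winreg.EnumKey(k, i))
                i += 1
            except OSError:  # no more subkeys
                break
    return keys

def diff_snapshots(before, after):
    """Files (or, via dict.fromkeys(usbstor_keys()), registry keys) added, removed or changed."""
    common = set(before) & set(after)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in common if before[p] != after[p])}

def run_self_demo():
    """Constructed stand-in for a Prefetch folder: the 'tool run' adds one .pf file
    (constructed name) and rewrites another; returns the resulting diff."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "EXPLORER.EXE-1234ABCD.pf"), "wb") as f:
            f.write(b"old")
        before = snapshot_tree(d)
        with open(os.path.join(d, "TOOL.EXE-CAFEF00D.pf"), "wb") as f:
            f.write(b"new")
        with open(os.path.join(d, "EXPLORER.EXE-1234ABCD.pf"), "wb") as f:
            f.write(b"rewritten")
        return diff_snapshots(before, snapshot_tree(d))
```

Running the same before/after pair against the real Prefetch folder and USBSTOR key on a test machine gives the list of artifacts a tool's documentation should disclose.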