Re: CANVAS Lightning Demo: D2 Drosera Live Forensics

[DSquare Security <info () d2sec com>]

Hi Ben,

First when we claim that we do not modify anything, it means that Drosera, as a
*live* forensic framework, does its best to manipulate/change the least amount
of data on the system its running on.

> From now on we only need to get a driver in kernelland (of course with previous
system checks), and also write the logs into the application's folder. We mean
that we're not providing a software with full setup install, uninstall,
dependencies and DKOM.  It's a clean standalone solution that creates a
process, loads a driver, reads what it needs and unloads everything.

Finally, EnCase or FTK searches for files in hard drives, whereas Drosera
searches for malicious activities (userland and kernelland rootkits) on a live
production system in memory (and also in hard drives for some modules).
Drosera is a modular tool, similarly to the D2 exploitation pack, which will
have regular updates based on emerging threats.

Sincerely,

-- 
Dsquare Security


On Wed, Oct 20, 2010 at 04:32:12PM +1100, Dexter, Ben wrote:
> Hi all.
>
> Just watched the Drosera demo, does anyone know if they have they
> grabbed someone from the CF industry to validate the tool independently?
>
> I see claims like "Does not modify anything on the system (no new files,
> no hooks, no registry entries, ...)" and I get scared... any files that
> are touched in any way on the target system need to be listed in the
> tools' doco otherwise you're likely to encounter major credibility
> hassles in court (opposing legal will be most happy to take a claim like
> that and use it to completely discredit the tool). For example, under
> Windows, you're going to change the USBSTOR entries just by plugging in
> a USB key, not to mention possible prefetch entries, etc.
>
> The price point also seems very high for such a specialised tool when
> compared to fully featured tools such as EnCase or FTK. There's a
> definite niche for a tool like this out there, just not sure the current
> approach is going aid it getting a decent share of the market.
>
> Just my 2 cents..
>
> Happy to get any additional info anyone has on the tool - I'll put it
> through to the ISFCE CCE lists.
>
>
> Regards,
> Ben.
>
> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Alex
> McGeorge
> Sent: Wednesday, 20 October 2010 2:55 AM
> To: dailydave () lists immunityinc com
> Subject: [Dailydave] CANVAS Lightning Demo: D2 Drosera Live Forensics
>
> List,
>
> Dave asked me to work a bit of his character's special move* on the list
> today. One of our long time CANVAS Exploit Pack developers has released
> a pretty interesting tool that's a bit outside the usual scope of what
> people expect with CANVAS. Drosera from D2** is a live forensics toolkit
> that fits on a USB drive (with gigs to spare) and is completely self
> contained. It's a handy thing to have in your incident response toolkit,
> it is completely independent of CANVAS so fewer worries about setting
> off your AV/HIDS/HIPS/HOPS when you use it. Aimed at rootkit detection,
> it has a variety of methods to determine if something sneaky is going
> on. Come check it out and see it in action against the CANVAS HCN
> Rootkit.
>
> ---------
> * http://www.immunityinc.com/immunityclash.shtml
> ** http://www.d2sec.com/products.htm
>
> Immunity will be holding a Lightning Demo on, October 19th at 3:00p
> EDT (UTC - 4), we expect the demo to last between 15 and 20 minutes.
> Space is limited to 20 and invites will be issued on a first come /
> first served basis. All invites will be sent no later than 2:00p today,
> October 19th.
>
> To request an invite please send mail to:
> lightning.demos () immunityinc com with the subject of 'D2 Drosera'
>
> If you're unable to attend or wish to see previous demos please see:
> http://www.immunityinc.com/webex.shtml a recording will be posted after
> the demo is concluded.
>
> If you'd like to check that your config is compatible with WebEx please
> visit: http://www.webex.com/lp/jointest/
>
>
> Cheers,
> -AlexM
>
>
> --
> Alex McGeorge
> Immunity Inc.
> 1130 Washington Avenue 8th Floor
> Miami Beach, Florida 33139
> P: 212.534.0857
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> -----------------------------------------------------------------------
> This email, and any attachments, may be confidential and also privileged. If you are not the intended recipient, 
> please notify the sender and delete all copies of this transmission along with any attachments immediately. You 
> should not copy or use it for any purpose, nor disclose its contents to any other person.
> -----------------------------------------------------------------------
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 
DSquare Security, LLC
http://www.d2sec.com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave