Book Review – Extrusion Detection

Security Monitoring for Internal Intrusions

Rating: *****

Despite being over six years old now, this book is not outdated in the slightest. While most network security books and guides focus on perimeter defence against outsider threats, Bejtlich concentrates on attacks launched from within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is intended to go hand in hand with Bejtlich’s ‘Tao of Network Security’, picking up where Tao left off and concentrating solely on defence, whereas Tao started from the point of view of the attacker.

The first thing to notice about this book is the foreword by Marcus Ranum which, unusually for a book, consists of an interview with the author and highlights how different Extrusion Detection is from other network security guides.

The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practice amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.

Traditionally, the main focus of network security has been keeping hackers and malicious users out. The book is split into three sections: Detecting and Controlling Intrusions, Network Security Operations, and Internal Intrusions, taking the reader on a journey from the reasons to look for extrusions through to the various types of extrusion, such as malicious IRC bots. Bejtlich demonstrates various technologies, such as proxies and IDS/IPS, using commands that can easily be adapted to an organisation’s own technologies.

For those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to the subject and discusses the links between the security practices covered throughout the book and the forensics practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as differing from Digital Forensics in that it is focused on packet capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that Network Forensics is a valuable and crucial part of the defence of a network infrastructure against both internal and external threats.

Followers of Richard Bejtlich’s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.

This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to ‘The Tao of Network Security’; together they provide an ultimate guide to Network Security.

Reviewer Name: Willem Knot

Book Title: Extrusion Detection

Book Subtitle: Security Monitoring for Internal Intrusions

Author(s): Richard Bejtlich (Foreword by Marcus Ranum)

Publisher: Addison-Wesley

Date of Publishing: 8th November 2005

ISBN-13: 978-0321349965

Price: £39.99 (UK), $54.99 (USA)

I’m about to enrol on a forensics degree at university, can you give me any hints/tips on how to be successful in forensic IT?

The above question was sent to Digital Forensics Magazine and we thought it warranted a thoughtful answer, so we asked Dr. Richard Howley, MSc Forensic Computing and MSc Computer Security Course Leader at De Montfort University, for his views.

The suggestions below focus on the early part of your career, i.e., your degree and entry into the profession. Others may contribute suggestions regarding being successful as you join the profession.

1.    Get your degree from an established, respected and well-connected institution. Ask your university who they work with, what visiting lectures they had last year, and what national and international initiatives they are involved in. Research who these people are, what their organisations do and what the initiatives are. Building up your knowledge of the UK and USA forensic IT landscape is important.

2.    Get qualified. The importance of training and qualifications in this business is well known and documented. Academic awards are highly prized as is evidenced by the popularity of MScs amongst members of the profession.

3.    Get connected. Register with as many forensic IT professional bodies, forums and blogs as you can manage and monitor their work.

4.    Ask your university to provide you with some suggested preparatory materials and/or activities. At De Montfort University we hope that you are already hungry for knowledge and motivated enough to seek it out; we expect you to be pushing us to provide you with work you can be doing before joining us. A list of technical skills that new entrants to our courses can develop prior to starting is provided at:

5.    If your university doesn’t provide pre-course guidance then consider the following:

  • There are many very good text books on this subject and many come with an extensive set of investigative exercises. They take you through the process of ‘static’ PC-based forensics very well. All the software, cases and evidence files you need are usually included on a DVD – a great resource. For recommendations email me.
  • Seek to understand ‘live’ forensics including malware analysis, reversing, live network forensics, memory forensics and virtualisation. Many good online and text based resources exist to support your study of these topics.
  • Other emerging concerns that you should seek information about include small scale mobile devices, e-discovery and massive data sets, the ‘cloud’, etc.
  • Mobile phone forensics is very popular and worth looking into – partly because some of the major software companies provide free trial versions of their software with online tutorials.

6.    Linking academic and professional practice includes issues such as continued professional development, research design and implementation, and report writing.

  • Your degree is the first step in a process of life-long learning; forensic IT never stands still and as such the learning you undertake prior to starting and during your degree will provide you with independent study skills that will serve you well throughout your entire career.
  • Whilst your course and profession may appear predominantly technical never underestimate the importance of the social, ethical and legal context of your work. You will cover this at university and your knowledge and consideration of it should be updated and applied throughout your career.
  • When you start work in the field you will quickly discover that the text books don’t have all the answers. You will need to identify and research new solutions to novel situations. This will involve designing experiments and implementing them to explore and inform your evidential hypothesis – this classic academic/research process has huge relevance to your later professional practice, so don’t underestimate it and take every opportunity to practise and develop these skills whilst at university and after.
  • Writing essays or reports and giving presentations at university are not just academic exercises. They are direct training in skills that the forensic IT professional needs. You must be able to write concisely, persuasively, accurately, with precision and in an evidence-based manner. The same is true of public speaking and presentation, i.e., giving evidence. The more frightening you find the prospect of public speaking – the more you must do it! Start in a gentle way; asking questions in class or contributing to discussions is a first step in public speaking, so do try and take part. Take every opportunity to develop and practise these skills – we can all improve no matter how experienced we are.

7.    Finally, in the profession you will be expected to know multiple operating systems (Windows and Linux extensively), file systems, hardware, connection protocols, cables, devices, etc. So get an old machine or two, a screwdriver, a bunch of operating systems and play (carefully!) – and learn!

It’s a great profession – good luck on your degree course and in the profession that follows.

Dr. Richard Howley
MSc Forensic Computing and MSc Computer Security Course Leader
De Montfort University



IT Audit & Digital Forensics: How to use an IT audit to prepare for a computer forensics investigation.

Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.

The problem: your organization has been subject to intellectual property theft, stolen data, or inappropriate web surfing and/or emails. These problems pose potential risks including economic espionage, unauthorized access, unauthorized use and possibly civil liabilities, among others. IT audit procedures can help build an understanding of both the computing environment and its corresponding controls, which in turn can help a forensics investigation. What follows are six IT audit areas of inquiry.

1. IT Standards, Policies and Procedures – In the event of inappropriate activity by employees, one area to audit is IT standards, policies and procedures, with a specific focus on the acceptable use or end user policy. Questions to address in the review include:

  • Is an acceptable use policy in place?
  • Is it formally documented?
  • Has the policy been formally communicated to all employees?
  • Are employees required to formally sign an acknowledgement of receipt and review of said policy?
  • Does the policy explicitly denote what behavior is acceptable and unacceptable?
  • Does the policy address the various methods of computing use, e.g. email, web surfing, social media use, etc.?

2. User Access Monitoring – The IT auditor should also gain an understanding of user access monitoring. Consider the following:

  • Are both traditional user and privileged user access subject to monitoring?
  • At what layer is access monitored (e.g. database, application, network layers)?
  • What type of activity is monitored (e.g. direct data access, etc.)?
  • Does monitoring include a review of unsuccessful login attempts?
  • Does monitoring include a review of unusual access attempts (e.g. weekends, off-hours, etc.)?
  • Are inactive accounts disabled?

3. Web Access Monitoring

  • Is user activity on web surfing tracked by computer? By user?
  • Is web access filtered (blocked) by keyword and/or URL?

4. Password Controls

  • Are passwords required for system access?
  • Is a password policy in place and enforced?
  • Are passwords required to be complex?
  • Are passwords periodically changed?

5. Backup Procedures

  • Are backups being performed?
  • What is being backed up? Application? Database? Configuration settings?
  • Has a restore been performed to ensure backups operate as intended?

6. Audit Trails

  • Determine whether automatic logging of activity takes place.
  • Gain an understanding of what activity is logged.
  • Determine whether audit trails are in place at the OS, application or database layer.
  • Determine whether audit trails are periodically reviewed.

These six areas of inquiry are meant to begin a conversation and provide a framework of understanding to a computer forensics team conducting an investigation.

Book Review – Windows Registry Forensics

Rating: ***

Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one’s findings.

The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.

Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.

The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).

There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.

These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.

When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.

Gregory Prendergast   (This was incorrectly attributed to John Hughes in Digital Forensics Magazine, our apologies to Greg)

Book Title: Windows Registry Forensics

Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry

Author(s): Harlan Carvey

Publisher: Syngress

Date of Publishing: February 2011

ISBN: 9781597495806

Price: $69.95 / £42.99

Diary of a Student – Part 3 – 19th February 2011 – Businesses and Web Systems

Well it’s certainly been a busy few weeks starting the new semester and I thought it time to let you all know how things were going.

Following on from my previous post, I can tell you that the second part of my Fundamentals assessment went very well and I’m quite confident about the results. A few simple questions about Public and Private GPG keys and some bizarre plain text TCP communications made the test fairly enjoyable. Well, as enjoyable as any test can be I suppose.

All my coursework has been handed in for Semester 1 and I am pleased with the results that have been returned so far. I am on my way to getting those 3 letters after my name!

Semester 2 pretty much kicked off as soon as the assessments were all finished so there has not been much of a break but it has started with some highly interesting topics.

Secure Web Systems looks set to be particularly interesting. While it is slightly more security focused, it does involve learning some PHP and basic web development, which I enjoy a lot and have already dabbled in a little bit.

The culmination of this module shall bring the most terrifying assessment to date – a pen test. Thank goodness I bought those books on SQL and PHP! Hopefully, though, everything will go smoothly and I’ll come out the other side with some valuable knowledge.

Digital Evidence and Incident Response is following on nicely from Forensic Tools and Techniques, with some virtual machine acquisitions and use of various Sysinternals tools. We are already learning much about CIRT and CSIRT teams and how they operate, which has been eye opening if I am honest. A bit more live forensics is going to be thrown in along with network forensics, so all in all, it should be a fun module.

Advanced Topics in Forensics and Security is pretty much like Ronseal, it does exactly what it says on the tin. We will be looking at current research being conducted in both fields and will also receive some guest lectures from the Researchers involved.

By now I imagine you’re wondering why the title of this post is Businesses and Web Systems. Well, among the four modules of Semester 2 is “Professional Practice and Responsibilities”. Now, if you’re like me, then you will take one look at that title and think, “That sounds a bit strange for a Forensics course.” However, the first two lectures have probably been some of the most enjoyable so far.

The main premise of the module is to understand the fundamentals of a business, how IT operates within the business as a support or service function, and how Digital Forensics and Security form part of this. In addition, we are looking at the various roles that digital forensics and security have within overall security operations and not just in post-event analysis. Lastly, we will be putting all of this together to develop our own fake businesses and must apply the various laws and policies to make them successful.

In groups of four we will work over the semester building up our research into business so that, when we face the dreaded DMU Dragons Den, we will be able to present to them a company that has the beginnings of being highly successful and worth investing in. Who knows? Maybe our businesses will become real some day. The presentation also assesses our business plans and our communication skills, so it should be a bit of fun.

I will keep you informed as to how our business, currently under the temporary name of Four Candles Forensics and Security Ltd, gets on.

That’s all for this post, really just an intro to the second Semester and what I will be getting up to. I’ll try not to leave it so long before the next post!

For now, I wish you all well.

Volatility Developer Responds

In Issue 5 of Digital Forensics Magazine, Ron Tasker discussed the subject of Volatile RAM Analysis and the use of Volatility. This prompted a letter from Marc Remmert published in Issue 6 raising concerns about the limitations of Volatility and Windows XP.

Whilst Ron responded to these concerns (his comments can be found in 360 of Issue 6), DFM approached AAron Walters, founder of Volatile Systems, LLC and lead developer of the Volatility Project, for his comments on the article, the comments made by Marc and Ron’s response. Unfortunately they were not received in time to be included in Issue 6. In the interests of balance we agreed to include his comments in a blog.

“Let me begin by thanking Ron for the excellent article. I think he did a very good job explaining the importance of memory analysis and the associated challenges and base that modern digital investigators face.

It is imperative for digital investigators to realize that we are facing an adaptive human adversary and thus we can’t afford to simply rely on the rules we once learned. Not doing the right thing because it is complicated or new is never a justification for complacency. It seems hard to defend the antiquated statement that “powering off the system is good” when, comparatively, it destroys more artifacts within the perspective of the entire digital crime scene (RAM, disk, etc.) than running a tool that samples the state of physical memory.

In Ron’s response to the comment about his article he also raises some interesting points about Open Source forensics tools. The comment’s author states that Volatility 1.3 only supports Windows XP 32-bit memory samples and contends that this is a big obstacle. While the comment’s author is correct with respect to 1.3, it seems interesting that they contend their only option is to buy expensive tools or hope Volatility is updated. As the leader of the Volatility Project, I always find these statements disheartening. I’m not sure why people feel the need to complain from the sidelines as opposed to actually getting involved and contributing to the community. It is only then that they would come to appreciate the unique flexibility and modularity of The Volatility Framework, which has allowed it to support a variety of operating systems and hardware architectures (Windows, Linux, etc.).

As Ron mentioned in his reference to Dr. Schatz’s work, there are many groups out there using Volatility to support other operating systems including Windows 7. I’m even aware of groups using Volatility to analyze cell phones. Thus, the “tool-users” can sit back and wait till 1.4 is released or they can take the initiative to contribute. Regardless of whether that contribution is writing an article (i.e. Ron Tasker) or helping test a new operating system (i.e. Dr. Schatz), all contributions help to move the community forward.”

AAron Walters

Founder, Volatile Systems, LLC

Lead Developer, The Volatility Project

You too can have your say by adding your comments here or writing directly to DFM via 360.

Diary of a Student – Part 2 – 25th January 2011 – Assessment Time!

Apologies for my slightly late entry, my weekend was filled with coursework and Christmas 2 with my girlfriend’s family (don’t ask!).

The past week or so has not really been very exciting, mainly finishing coursework and revising for the exam that took place last Friday, I’ll get to that shortly.

Firstly, the coursework! That one word that every student runs in fear from. Luckily, it’s not been too bad this time around. I started last week finishing up a 5000-word essay on Computer Ethics that I quite enjoyed. It was interesting researching and learning the history of Computer Ethics and the various issues surrounding it over the last 60 years or so. Who’d have thought a Second World War mathematics professor could have predicted the ethical issues of modern day technology? I am, of course, referring to Professor Norbert Wiener, who taught Maths and Engineering at MIT during the 1940s. It was certainly some research well worth doing as it has helped me to understand more about the issues surrounding not only Computing, but Forensics and Computing too!

My other main focus last week was revising for my exam on C Programming and Operating Systems. Joy of joys. Now if there’s one thing I knew I would struggle with, it was going to be programming. After the mock, I had been seriously worrying about that part of the test and it was definitely the hardest part of the real exam. The 300-line program almost drove me to insanity but, with some perseverance (and a little bit of divine intervention, I think), I managed to figure out all but the last tweak that would enable the program to print out what I needed it to. The operating systems part of the test was much better, locating partitions and their block addresses and block sizes, finding partitions within an extended partition and working out how much unallocated space there was on the disk, a few simple commands in the terminal and I was there! (Hurrah..!)

I briefly mentioned, in my last post, a report about a malware sample that I had to statically and dynamically analyse and identify through various means of sandboxing. That piece of work is also now finished and I’m going to play around in Adobe Illustrator creating a nice fancy front cover for the report, because I’m sad like that.

Other than that and the exam, not much else to report, although there was a slight mishap with some lost Tools and Techniques Workbooks, which, as luck would have it, were lost in the post over Christmas thanks to all the wonderful snow. Luckily, I managed to redo them thanks to a last minute email from my tutor and once again enjoyed the tasks of password cracking and hiding techniques such as Steganography, Alternate Data Streams and Bit Shifting.

I may sound a bit weird to some but I am really enjoying all that I am learning on the course to date, which is kind of the point, I know. I think I always felt the subject was going to frazzle my brain completely, with me coming from a Science degree onto a Computing one. Luckily, the teaching has broken me in gently with only a few hiccups along the way. With that, I conclude this week’s (well, last week’s) student diary entry. I am still keen to hear what you all have to say on the ethical issues I mentioned last week; in fact, I am very keen to hear any thoughts on the subject so post away.

Next post I’ll let you know how my second Fundamentals of Forensics and Security exam has gone (Cryptography and Networking – fun times!), for now I hope you have a very enjoyable week.

Diary of a Student – Part 1 – 15th January 2011 – Of Ethics and Exams

Welcome to the first entry in my ‘Diary of a Student’ covering my exploits through the next 8 months whilst I study to earn a Masters of Science degree in Forensic Computing.

To bring you up to date, I have been studying the MSc programme since September of last year after completing a BSc in Forensic Science in May. It has certainly been an eye opener from learning basic programming in C to reverse engineering malware samples. The first semester has already taught me much about the forensic process and the science behind computers.

The most enjoyable module to date, albeit a difficult one, has certainly been Live Forensics and Reversing, giving me a basic understanding of assembler language and live forensic techniques. I am currently finishing my final piece of coursework for the module, which involved the forensic analysis of a malware sample, both static and dynamic. Creating my own sandbox and following the processes and actions of the malware, I have managed to discover the nature of the malware and identify it. All that’s left is to finish my investigative report!

First week back at University following the 3-week Christmas vacation and it’s assessment time! Much of the week was occupied by mock exams, coursework and a full investigation of a USB device using whichever tools I cared to choose; I chose EnCase 6.17 and FTK.

Wednesday – great fun, best part of the week! A session on Computer Law and Ethics, where we discussed the various ethical theories and practices behind computing and forensic computing (all the way from Wiener to the University’s very own ethical researcher, Professor Stahl). We proceeded to have our own debate on issues surrounding Forensic Computing, with great discussion around:

  • Would Forensics benefit from a Licensing body and how would this affect the current processes and procedures?
  • Wikileaks – Julian Assange – villain or victim?
  • The ethics of RIPA.

The debate lasted well over 90 minutes and, as I was thinking of ideas for my first blog posting, I thought it would be good to get all who read this to put forward a short statement of their thoughts and feelings on the aforementioned topics.

Next week, it’s more exams and hand-ins (joy of joys); I’ll let you know how it goes.

A View from the Canadian Rockies or What Not to Present as Evidence of Online Paedophilia: R. v. Morelli, 2010 SCC 8, [2010] 1 S.C.R. 253

Don’t like what you see and tempted to jump to an ‘obvious’ conclusion? Then don’t. Mr Urbain Morelli, an enthusiast of adult and child pornography, was at home when the computer technician came a-calling. The technician noticed a webcam plugged into a VCR and pointed toward the man’s three-year-old daughter, who was playing with toys nearby in a play pen. There were several links to adult and child pornography sites in the taskbar’s ‘favorites’ list of Mr. Morelli’s computer. When the technician returned, the toys had been put away, the webcam was pointed in a different direction, the hard drive had been reformatted and the offending icons removed. The technician reported his concerns to a social worker, who told the Royal Canadian Mounted Police, and a search warrant was issued. Appealing to the Canadian Supreme Court, Mr. Morelli maintained that his rights were violated when police searched his computer. Finding in his favor, the Supreme Court noted that the technician saw suspicious links but had not seen pornographic images of children on the computer. In addition, the information used to obtain the warrant failed to mention that the child was fully clothed, that there had been no signs of physical abuse evident to the technician and that there was only one living area in the home. All in all, the court found that a selective presentation of facts portrayed a less objective and more villainous picture than would have been the case had all the material information been presented. The court heard it was plausible to suppose Mr. Morelli was using his VCR and webcam to videotape his daughter at play for posterity’s sake, not for purposes connected with child pornography. The suspiciously labeled links were insufficient to characterize a person as an habitual child pornography offender. Since the majority of pornographic material observed was adult, this suggested that the accused did not have a pronounced interest in child pornography.

What on Earth Next: Malta Gets a Prosecuted Pirate and the Right to a Lawyer

2010 saw momentous legal upheaval in Malta. A judgment by a Maltese Magistrates’ Court on 30 September 2010 for the first time there convicted a seller of computer hardware of distributing pirated Microsoft software. The guilty party received a large fine and two years’ probation. Computer hardware and other related apparatus seized by the Police during their investigations was confiscated. The Business Software Alliance (BSA), global representative of the software industry, welcomed the judgment as ‘a very important step in the fight against software copyright theft’ in Malta. The judgment is ‘proof that Malta is making great efforts to combat the escalating problem of piracy on the island’, according to Georg Herrnleben, BSA Director. In 2010, too, suspects in Malta were granted the marvellous novelty of a lawyer during police questioning. The right, long common to most of the civilised world, had for years languished in the Criminal Code articles 355AT, 355AU, 255AZ and sub-articles 2, 3 and 4 of article 355AX of article 74. What with all that and the emergence of a prosecuted pirate, the island’s reputation as a Mecca for digital forensics experts may be about to take wing.