Southern California ("SoCal") Chapter Report 2013

ORGANIZATION

There have been no changes to the structure of the Southern California (“SoCal”) Chapter.
http://www.socalhoneynet.org/

Current chapter members:

Cameron H. Malin - Chapter lead; sensor configuration, deployment and maintenance; research and development of the Digital Investigator’s Virtual Environment (“DIVE”) (transitioning to LMDA), digital virology, and digital criminalistics research.

James M. Aquilina - Legal considerations, digital forensic considerations, infrastructure.

DEPLOYMENTS

In 2013, the SoCal chapter continued to focus exclusively on Linux malware—specifically, the forensic processes for identification, collection and analysis of malware from compromised Linux systems. Further, additional research was conducted into the design and implementation of a malware laboratory and associated tools for analyzing suspect Linux binaries. This research contributed toward the authoring and publication of two books: "Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data" and "Malware Forensics Field Guide for Linux Systems."

In 2014, the SoCal chapter is planning to deploy honeypots geared toward Linux malware and associated threats.

RESEARCH AND DEVELOPMENT

1. Research relating to advanced file profiling, malware taxonomy and phylogenetic relationships of Linux malware. Practical analysis techniques documented in "Malware Forensics Field Guide for Linux Systems" (Syngress, December 2013).
2. Research into digital criminalistics—bridging digital/malware forensic concepts with traditional forensic/crime scene/investigative concepts and theories. Specific focus on execution trajectory, network trajectory, digital impression evidence (tool marks), network impression evidence and digital trace evidence on Linux systems. Theory and analysis techniques documented in "Malware Forensics Field Guide for Linux Systems" (Syngress, December 2013).
3. Linux incident response forensics, with emphasis on live response techniques and procedures. Practical analysis techniques documented in "Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data" (Syngress, March 2013) and "Malware Forensics Field Guide for Linux Systems" (Syngress, December 2013).
4. Development of the Digital Investigator’s Virtual Environment (“DIVE”) transitioned into development of the Linux Malware Dissection Appliance (LMDA). DIVE was a Linux virtual machine customized for the forensic examination of malicious code specimens, unknown files, and physical memory dumps. DIVE provided the digital investigator with over 150 different tools, many of which are easily invoked through customized menus categorized for File Profiling, Behavioral Analysis, Static Analysis, Network Forensics, Post-Mortem Forensics, and Visualization. In particular, DIVE was developed to give digital investigators a mobile, robust, and easily navigable virtual system for effectively and efficiently analyzing suspect files in the field or in the lab. The transition to LMDA aims to develop a virtual machine containing a myriad of tools specifically geared toward analyzing suspect Linux files and ELF malware specimens.

FINDINGS

Collection during the reporting period was discontinued to focus exclusively on malware forensic research of Linux-based malware.

Findings relating to practical analysis steps for malware phylogeny of Linux malware specimens were documented in "Malware Forensics Field Guide for Linux Systems" (Syngress, December 2013).

Findings relating to digital criminalistics theory and application on Linux systems were documented in "Malware Forensics Field Guide for Linux Systems" (Syngress, December 2013).

PAPERS AND PRESENTATIONS

1. Publications:

Co-authored a live response forensics practitioner’s guide for Linux systems and a malicious code forensics field guide for Linux systems.

Malin, C., Casey, E., and Aquilina, J., 2013. Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data, Massachusetts: Elsevier/Syngress.

Malin, C., Casey, E., and Aquilina, J., 2013. Malware Forensics Field Guide for Linux Systems, Massachusetts: Elsevier/Syngress.

2. Presentations:

Cameron H. Malin presented:

November, 2013: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.
June, 2013: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.
March, 2013: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.
January, 2013: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.

James M. Aquilina presented:

May 9, 2013 to May 10, 2013: Participated on a panel entitled "Cyber resilience and IT risks" at the Global Risk Management Conference held in New York City.

April 12, 2013: Participated in a webinar entitled "Future Proofing Your Infosecurity Strategy" hosted by Infosecurity magazine.

GOALS

1. Revive deployments focusing on Linux-based malware attacks and specimen collection. The initial deployment will use Kippo honeypots.
2. Continue the research focus on Linux-based malware, with specific emphasis on forensic processes, techniques and procedures for identifying and responding to Linux malware incidents.
3. Further research on digital virology concepts (malware taxonomy and malware phylogeny) toward the goal of developing practical and repeatable forensic investigative methods.
4. Further research into digital criminalistics in an effort to further bridge digital/malware forensic concepts with traditional forensic/crime scene/investigative concepts and theories.

MISC ACTIVITIES

Research into malware profiling concepts and attacker behavior.