Southern California ("SoCal") Chapter Report 2010/2011

ORGANIZATION

There have been no changes to the structure of the Southern California (“SoCal”) Chapter.
http://www.socalhoneynet.org/

Current chapter members:

Cameron H. Malin - Chapter lead; sensor configuration, deployment and maintenance; research and development of the Digital Investigator’s Virtual Environment (“DIVE”); digital virology/malware profiling research.

James M. Aquilina - Legal considerations, digital forensic considerations, infrastructure.

DEPLOYMENTS

Current deployment: Virtualized low-interaction malware collection honeypots (Dionaea) installed on Ubuntu Linux, with the Pharm client software installed on each sensor. The configuration is structured to emulate edge-user systems.
Pharm is used to manage, report on, and analyze the distributed Dionaea instances from a single interface. A Pharm server deployment (Ubuntu Linux) with an associated web server (Apache2) and SQL server is used to manage the Pharm data.

RESEARCH AND DEVELOPMENT

1. Digital Investigator’s Virtual Environment (“DIVE”) is a Linux virtual machine customized for the forensic examination of malicious code specimens, unknown files, and physical memory dumps. The current test versions of DIVE are modified and enhanced versions of pre-existing forensic virtual environments; long-term efforts are directed toward the design and implementation of a new virtual environment. DIVE provides the digital investigator with over 150 different tools, many of which are easily invoked through customized menus categorized for File Profiling, Behavioral Analysis, Static Analysis, Network Forensics, Post-Mortem Forensics, and Visualization. DIVE was developed to provide digital investigators with a mobile, robust, and easily navigable virtual system to effectively and efficiently analyze suspect files in the field or in the lab.

2. Research relating to malware profiling through malware taxonomy and phylogenetic relationships. Practical analysis techniques are documented in the upcoming text "Malware Forensics Field Guide for Windows Systems" (Publisher: Syngress), scheduled for publication in November 2011.

3. Research regarding forensic examination and categorizing indicators of compromise on a victim system resulting from a malicious code incident.

FINDINGS
Collection to date has not revealed unique attacks, tools, methods or trends, but this is likely a limitation of the current configuration. Additional sensor deployments with less restrictive filtering are being contemplated in an effort to broaden the scope of exposure and collection.

PAPERS AND PRESENTATIONS

1. Publications:
Co-authored malicious code forensics book, "Malware Forensics Field Guide For Windows Systems" (Publisher: Syngress), due for publication November 15, 2011.

2. Presentations:
Cameron H. Malin presented:
-June 27, 2011: “Digital Forensics in the Cyber Threatscape” to an international cyber delegation.
-June 22, 2011 & June 23, 2011: “The Evolving Malware Threat” at a U.S. Government Cyber Conference.
-June 1, 2011: “Cyber Crime Threats and Trends” to an international delegation.
-April 2, 2011: “The Evolving Cyber Threatscape” at a U.S. Government Cyber Conference.
-December 8, 2010: “Information System Threats and Incident Response,” Resilient Angel Table Top Exercise, Federal Executive Board.
-May 12, 2010: “The Evolving Malware Threat” at the Policing Cyberspace International Conference.
-March 30, 2010: “Malware Threats” at Symantec.

James M. Aquilina presented:
-June 29, 2011: “Social Media Revolution: Social Media Forensics - The Next Generation of E-Discovery and Information Governance” before a panel of premier entertainment executives and security professionals at DreamWorks Animation.
-April 26, 2011: In conjunction with Judge Beverly Reid O’Connell, presented a class on social networks and their expanding impact on the courts entitled, “Advanced Course on Social Networks.”
-April 8, 2011: "Investigation Strategies and Techniques: Forensic, Street Crimes, White Collar and Post-Conviction Cases," Fidler Institute on Criminal Justice located at Loyola Law School.
-December 10, 2010: "Social Media Forensics" at the 2010 Bankruptcy Winter Education Conference.
-October 29, 2010: “Social Media Evidence and the Courts” at the Los Angeles Superior Court Criminal Bench Seminar.
-October 23, 2010: Served as a panelist at the “MySpace or TheirSpace? Justice, Law Enforcement, and the Legal Profession in the Age of Social Networking” conference hosted by the Samuelson Law, Technology & Public Policy Clinic at the University of California Berkeley School of Law.
-October 6, 2010: “Social Network Forensics” to the Association of Corporate Counsel’s Southern California Chapter at the Los Angeles Angels of Anaheim Stadium.
-September 2010: Moderated the “Hot Topics in Cybercrime” discussion panel as part of the 24th Annual National Institute on White Collar Crime, presented by the American Bar Association.
-April 17, 2010: "The Effect of Social Media on Today’s Legal System" at the California Central District Judicial Conference.
-January 26, 2010: Guest lecturer for a cyber-law class on the cyber prosecution of botnets at Loyola Law School, Los Angeles.

GOALS
1. Continued deployment of Dionaea on additional IP space. Continued use of a centralized analytical platform such as Pharm.
2. Further research on digital virology/malware profiling concepts (malware taxonomy and malware phylogeny) toward the goal of developing practical and repeatable forensic investigative methods.
3. Further research in measuring forensic artifacts and indicators of compromise associated with malicious code incidents.
4. Continued development of DIVE, with the aim of releasing v1.0.

MISC ACTIVITIES

Research into bridging digital/malware forensic concepts with traditional forensic/crime scene/investigative concepts and theories.