Southern California ("SoCal") Chapter Report 2012

ORGANIZATION
There have been no changes to the structure of the Southern California (“SoCal”) Chapter.
http://www.socalhoneynet.org/

Current chapter members:

Cameron H. Malin: Chapter lead; sensor configuration, deployment and maintenance; research and development of the Digital Investigator’s Virtual Environment (“DIVE”), digital virology, and digital criminalistics research.

James M. Aquilina: Legal considerations, digital forensic considerations, infrastructure.

DEPLOYMENTS

2011 to mid-2012: Continued deployment of virtualized low-interaction malware collection honeypots (Dionaea) installed on Ubuntu Linux, with the Pharm client software installed on each sensor. The configuration was structured to emulate edge-user systems. Pharm was used to manage, report on, and analyze the distributed Dionaea instances from a single interface. A Pharm server deployment (Ubuntu Linux) with an associated web server (Apache2) and SQL server was used to manage the Pharm data. The objective of the deployment was to capture and collect Windows Portable Executable (PE) malware for further classification and phylogeny analysis.

In 2012, the SoCal chapter shifted focus exclusively toward Linux malware—specifically, the forensic processes for identification, collection and analysis of malware from compromised Linux systems.

RESEARCH AND DEVELOPMENT

1. Research relating to advanced file profiling, malware taxonomy and phylogenetic relationships. Practical analysis techniques are documented in Malware Forensics Field Guide for Windows Systems (Syngress, June 2012);

2. Research into digital criminalistics—bridging digital/malware forensic concepts with traditional forensic/crime scene/investigative concepts and theories. Specific focus on execution trajectory, network trajectory, digital impression evidence (tool marks), network impression evidence and digital trace evidence. Theory and analysis techniques are documented in Malware Forensics Field Guide for Windows Systems (Syngress, June 2012);

3. Linux malware forensics, with emphasis on Live Response forensic processes, techniques and procedures;

4. Continued development of the Digital Investigator’s Virtual Environment (“DIVE”). [R&D was slowed and put on hiatus while focusing on Linux malware forensics.] DIVE is a Linux virtual machine customized for the forensic examination of malicious code specimens, unknown files, and physical memory dumps. The current test versions of DIVE are modified and enhanced versions of pre-existing forensic virtual environments; long-term efforts are directed toward the design and implementation of a new virtual environment. DIVE provides the digital investigator with over 150 different tools, many of which are easily invoked through customized menus categorized for File Profiling, Behavioral Analysis, Static Analysis, Network Forensics, Post-Mortem Forensics, and Visualization. DIVE was developed to provide digital investigators with a mobile, robust, and easily navigable virtual system to effectively and efficiently analyze suspect files in the field or in the lab.

FINDINGS

Collection during the reporting period did not reveal unique attacks, tools, methods or trends; as a result, deployments were discontinued in order to focus exclusively on the malware forensic aspects of Linux-based malware.

Findings relating to practical analysis steps for malware phylogeny were documented in Malware Forensics Field Guide for Windows Systems (Syngress, June 2012).

Findings relating to digital criminalistics theory and application were documented in Malware Forensics Field Guide for Windows Systems (Syngress, June 2012).

PAPERS AND PRESENTATIONS

1. Publications:

Co-authored a malicious code forensics book for Windows systems and began writing a malicious code forensics book for Linux systems, scheduled for publication in 2013.

Malin, C., Casey, E., and Aquilina, J., 2012. Malware Forensics Field Guide for Windows Systems, Massachusetts: Elsevier/Syngress.

Malin, C., Casey, E., and Aquilina, J., (for publication in 2013). Malware Forensics Field Guide for Linux Systems, Massachusetts: Elsevier/Syngress.

2. Presentations:

Cameron H. Malin presented:

- November 7, 2012: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.

- August, 2012: “Understanding Cyber Threats” at a U.S. Government Conference.

- June, 2012: “Criminal Behavior in Cyberspace” at a U.S. Government Conference.

- May, 2012: “Cyber Offender Behavior” at a U.S. Government Conference.

- November 3, 2011: “Understanding Cyber Threats: A Look at Malware, Phishing and other Attacks” at a Private Industry lecture series.

- October 27, 2011: “The Evolving Malware Threat” at a Private Industry Cyber Conference.

- October 13, 2011: “Understanding Cyber Threats: A Look at Malware, Phishing and other Attacks” at a U.S. Government Conference.

- September 30, 2011: “Understanding Cyber Threats: A Look at Malware, Phishing and other Attacks” at an ICAN Associates event.

- August 18, 2011: “The Evolving Cyber Threatscape” at a Private Industry Cyber Conference.

- August 8, 2011: “Digital Forensics in the Cyber Threatscape” to an international cyber delegation.

- June 27, 2011: “Digital Forensics in the Cyber Threatscape” to an international cyber delegation.

- June 22, 2011 & June 23, 2011: “The Evolving Malware Threat” at a U.S. Government Cyber Conference.

- June 1, 2011: “Cyber Crime Threats and Trends” to an international delegation.

- April 2, 2011: “The Evolving Cyber Threatscape” at a U.S. Government Cyber Conference.

James M. Aquilina presented:

- June 28, 2012: “The Evolving Cyber Threatscape”
Presented to interns, associate staff, and field representatives from Senator Feinstein’s office on the subject of cyber threats.

- June 25, 2012 to June 27, 2012: “Anti-Piracy and Content Protection Summit”
Panel participant at the Anti-Piracy and Content Protection Summit, held in Los Angeles, CA.

- April 24, 2012: “Advanced Course on Social Networks”
Presented before a group of Los Angeles County Superior Court judges as part of a social media education panel, alongside Hon. Beverly Reid O'Connell, Los Angeles Superior Court.

- April 16, 2012: “Social Networking and Judicial Ethics”
Co-presented "Social Networking and Judicial Ethics" in Los Angeles, CA before a group of California's appellate justices as part of a social media education initiative hosted by the Judicial Council of California's Administrative Office of the Courts. James was joined by co-presenters Justice Judith Ashmann-Gerst, California Second District Court of Appeal, and Justice Laurence D. Rubin, California Second District Court of Appeal.

- April 13, 2012: “The Internet, Social Media, Ethics & Juror Issues”
Presented on a panel, "The Internet, Social Media, Ethics & Juror Issues," at the ABA 2012 E-Discovery in Government Investigations and Criminal Litigation conference hosted by the Criminal Justice Section.

- March 1, 2012: “E-Discovery: Will There Ever Be Any Rules?”
Presented on a panel entitled "E-Discovery: Will There Ever Be Any Rules?" at the ABA's 26th annual National Institute on White Collar Crime conference in Miami.

- June 29, 2011: “Social Media Revolution: Social Media Forensics - The Next Generation of E-Discovery and Information Governance”
Presented before a panel of premier entertainment executives and security professionals at DreamWorks Animation.

- April 26, 2011: “Advanced Course on Social Networks”
In conjunction with Judge Beverly Reid O’Connell, presented a class on social networks and their expanding impact on the courts.

- April 8, 2011: "Investigation Strategies and Techniques: Forensic, Street Crimes, White Collar and Post-Conviction Cases"
Presented at the Fidler Institute on Criminal Justice, located at Loyola Law School.

GOALS

1. Continued research focus on Linux-based malware, with specific emphasis on forensic processes, techniques and procedures for identifying and responding to Linux malware incidents;

2. Further research on digital virology concepts (malware taxonomy and malware phylogeny), toward the goal of developing practical and repeatable forensic investigative methods;

3. Further research into digital criminalistics, in an effort to further bridge digital/malware forensic concepts with traditional forensic/crime scene/investigative concepts and theories.

MISC ACTIVITIES
Research into malware profiling concepts and attacker behavior.