DFIROnline Meetup review

17 Jan 2012

Well, the DFIROnline meetup went well tonight. The turnout tripled from the first event; we had a maximum of 97 attendees at one point. Harlan and Eric both gave a couple of great presentations, and I just sat there and looked like an idiot. Oh, and I drank every time Harlan said "Mullware", which meant my beer did not last until the end of his presentation! I will be posting the recording tomorrow or Saturday. This time round there was a lot more activity in the chats, lots of heckling and a few good points made; I am not sure if this was just because we had more people, or because I promised not to record the chats. There were some useful links posted during the chats, and I have posted most of them below. Unfortunately I did miss a few of the early ones, so I will track them down tomorrow.
Harlan's malware (mullware) list: http://windowsir.blogspot.com/p/malware.html
Mandiant blog on Malware persistence without using the registry: https://blog.mandiant.com/archives/1207
Richard Bejtlich's definition of APT: http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-wan...

I have now posted the recordings on the DFIROnline page. I have cut these down to just include the presentation and the presenters' voices; if you want to see real people and join in the chat, you will just have to attend the meetings ;-) One of the really good things about the meetup was that we had the audience contributing to the discussion during the presentation, which is where most of the links have come from.
Listening to the recording, I have found out just how bad my mic was, which is strange as it was the same mic I used last time, when it appeared to work fine. Anyway, I will have it sorted for the next meeting, I promise.

The other links that I missed are:
Simple Phishing Toolkit: www.sptoolkit.com
How malware authors evade antivirus detection: http://blog.webroot.com/2012/01/18/how-malware-authors-evade-antivirus-d...
Social Engineering Toolkit: www.secmaniac.com/download/
A recommended AV tool (can't remember who recommended it, sorry): http://www.threatfire.com

Finally, it appears that Anonymous was aware that all the top people in the field were at the meetup, as they chose that time to attack the DOJ and Universal websites! http://www.pcmag.com/article2/0,2817,2399116,00.asp (well, alright, it was a few hours before the meetup, but I suspect they were just over-enthusiastic and started a bit early ;-)