Enfuse 2017 Reflection – Felisa Charles: Know Normal, Find Evil

Introduction

I am truly grateful to have been chosen by the Leahy Center for Digital Investigation (LCDI) to represent Champlain College at Enfuse 2017, a digital forensics conference hosted by Guidance Software. The knowledge I gained in just 4 days was immeasurable. By the end I walked away with a tremendous amount of new experience that I’ll be able to utilize in my field of study. I most appreciated that the speakers would stick around after their sessions to share further knowledge with whoever wanted to hear it. Also, I was fortunate to be able to introduce myself to professionals in the fields of forensics, networking and cyber security. One highlight was meeting Former White House CIO Theresa Payton, who spoke to us about being a woman in technology. I truly hope to attend another Enfuse conference during my time at Champlain.

Know Normal, Find Evil

One of my favorite sessions was presented by Jacob Williams – a forensic analyst from Rendition Infosec – titled “Know Normal, Find Evil–Windows 10 Edition”. This session emphasized the importance of understanding normal and suspicious operating system (OS) behaviors.

“Someone who doesn’t know what a $100 bill looks like is an easy mark for a counterfeit,” he said.

Therefore, if you don’t know what a system should look like when operating properly, you will be an easy target for malware. Since Windows 10 is the newest edition of an expansive Windows OS family, Williams suggested that you should know the differences in their respective processes. For instance, WinRT (Windows Runtime), a platform of Windows 8, was renamed to UWP (Universal Windows Platform) in Windows 10.

Best Practices for Investigators

In the end, I was able to take away several points from the session:

  1. Know what’s new, and what’s different in every OS.
  2. What are the normally scheduled tasks in each OS? (Like wsappx – ws service starts to update an app)
  3. How should the system react to these tasks? (Like svchost.exe having high CPU usage)
  4. Learn which processes belong to which services, how they work, and the correlation between parent/child relations.

As an illustration, the speaker went over one of the new processes introduced by Windows 10 that investigators need to understand: backgroundtaskhost.exe. This process is usually located in the C:\Windows\System32 folder, but malware can disguise itself as backgroundtaskhost.exe. If the application is located in another folder, an investigator should see it as a threat.
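The folder check and the parent/child check described above can be run over a process listing as follows. This is an added example, not material from the session or the original post; the process records are constructed sample data, and the svchost.exe baseline row (System32 folder, parent services.exe) is an assumption based on common Windows defaults rather than on the page.

```python
import ntpath

# Baseline of "normal": process name -> (expected folder, expected parent or None).
# The backgroundtaskhost.exe folder is the one named in the text above; the
# svchost.exe row is an assumed Windows default added for the parent/child check.
BASELINE = {
    "backgroundtaskhost.exe": (r"c:\windows\system32", None),
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
}

def check_process(proc, by_pid):
    """Return findings for one process record; an empty list means it matches the baseline."""
    name = proc["name"].lower()
    if name not in BASELINE:
        return []  # no baseline entry, so this check has nothing to say
    folder, parent = BASELINE[name]
    findings = []
    path = proc.get("path")
    if not path:
        # Some collection tools cannot read the image path; do not treat that as clean.
        findings.append("image path unavailable, verify manually")
    else:
        # Windows paths are case-insensitive, so compare in normalized form.
        actual = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
        if actual != folder:
            findings.append(f"unexpected folder: {actual}")
    if parent is not None:
        pproc = by_pid.get(proc["ppid"])
        pname = pproc["name"].lower() if pproc else "<exited>"
        if pname != parent:
            findings.append(f"unexpected parent: {pname}")
    return findings

def triage(processes):
    """Map pid -> findings for every process that deviates from the baseline."""
    by_pid = {p["pid"]: p for p in processes}
    results = {p["pid"]: check_process(p, by_pid) for p in processes}
    return {pid: found for pid, found in results.items() if found}

# Constructed sample listing (not real case data).
SAMPLE = [
    {"pid": 612, "ppid": 500, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4100, "ppid": 900, "name": "backgroundTaskHost.exe", "path": r"C:\WINDOWS\system32\backgroundTaskHost.exe"},
    {"pid": 5200, "ppid": 3000, "name": "backgroundtaskhost.exe", "path": r"C:\Users\Public\backgroundtaskhost.exe"},
    {"pid": 5300, "ppid": 5200, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, found in triage(SAMPLE).items():
        print(pid, found)
```

In the sample, PID 5300 sits in the expected folder and is flagged only because of its parent, which is why the name and location alone are not enough.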

Conclusion

I chose this class because of its name: I had a pretty good idea of what I was getting into as I took my seat. Though this is just a snippet of what I’ve learned from this session, I was overwhelmed by how much an investigator has to learn about an OS and the fact that little details are important. The driving point of the session was that as long as you know the norm of an OS, you’ll be able to identify non-familiar behaviors; and all of these behaviors are suspects.
