How do you use your feeds?

Tuesday, April 5, 2011 Posted by Corey Harrell
A feed reader is a valuable resource since the software manages the content from websites such as news sites, blogs, or other online publishers. A reader not only enables you to stay informed of the latest content from those sites, it also lets that content be leveraged to keep your knowledge current and to assist with research for your investigations. This post is about how I’ve been using RSS feeds to help keep my knowledge current and conduct research.

Before I discovered the value of RSS feeds I wasted a lot of time and energy trying to stay current with the latest content from information security and digital forensics websites. I periodically checked the sites to see if anything was new, I wasted time trying to find an article I had read but couldn’t remember where, and I struggled to remember all of the articles and posts I wanted to read on new sites I came across. Needless to say this was the wrong approach, so I turned to RSS feeds to help me manage this content.

Getting Started with Feeds

RSS (Rich Site Summary) is a “format for delivering regularly changing web content”. A feed reader is software that downloads feeds from various sites and stores them for a person to read and use. The first and only program I tested was FeedReader and this has become my reader of choice. The software has no fees and a range of capabilities to read, collect, and organize web content using RSS or Atom feeds. I’m not going to go into detail about FeedReader’s features or its configuration since I wanted to focus on the benefit of feeds.

Right away I knew the one feature I wanted in any reader was portability. I use numerous computers between work and home, so I didn’t want to be tied to one system or have to worry about syncing content between systems. FeedReader can either be installed on a computer using the installer, or the zip package can be used to run the program from a thumb drive. I opted for the latter, and this has allowed me to access the web content no matter where I am. An additional benefit is being able to access the content stored in the database without needing Internet access.

Adding Feeds

There are different ways to find digital forensics and incident response related websites. Most blogs have an area where the authors share links or blogs they follow. Authors may also include links to content on other sites in their posts and articles. Following all of these links can lead to interesting sites that can be used to build a collection of feeds. In addition to blogs and news sites, I’ve been working on adding social media sites, such as Twitter, to my feed collection. After the sites are located, the next step is to determine whether a site supports RSS or Atom feeds. One quick way to determine this is to look for the feed icon in the web browser. The picture below shows the icon highlighted in Firefox and Internet Explorer.

Adding feeds to a reader will vary depending on the program being used. FeedReader supports adding the following types: feeds, smartfeeds, and search feeds. My current FeedReader database consists of 159 feeds, 20,031 news items (downloaded web content), and 141 unread news items, and the database is only 76 MB. I organized the content into folders to make it easier to manage. The picture below shows FeedReader’s interface and the web content downloaded from jIIr. Unread items are highlighted in bold, and the numbers to the left of the folders show the number of unread items in each folder.

Leverage the Feeds

FeedReader automatically downloads feeds from sites, and this saves me a lot of time since I no longer have to periodically check sites for new content. The reader allows me to stay informed about the latest content and helps me organize it. This isn’t the only benefit of a reader; another is the ability to search the stored content for research or investigations. To show how this works I’ll perform three different searches against my FeedReader database.

The first search will be on a random topic, and Internet Explorer 8’s InPrivate browsing feature is the first thing I thought of. The feature is meant to let users surf the web without leaving traces of their activity on the computer being used. To obtain information about this feature I performed a search against my feeds using the keyword inprivate. The following is a summary of three of the keyword hits:

* Derek Newton’s blog post Internet Explorer InPrivate URL Artifacts. The post discusses a few areas that could contain InPrivate URL artifacts and how those areas can be searched.

* Digital Detective’s blog post NetAnalysis v1.50 - New Release. The post advertises that NetAnalysis can recover data from InPrivate browsing.

* Computer Forensics and IR – What’s New blog post Internet Evidence Finder - new release and more. The post mentions how IEF is able to recover IE8 InPrivate URLs.

The previous search showed how to locate information on a random topic. The search located research on InPrivate browsing artifacts and three possible ways to try to recover data from InPrivate browsing. The next search will illustrate how the feeds can help in obtaining more information about an artifact found during an investigation. If the investigation involves the activity of a user account, then one of the artifacts of interest could be the UserAssist key in the Ntuser.dat registry hive. A search was conducted using the keyword userassist, and the following is a summary of some of the hits.

* ForensicArtifacts blog post UserAssist which is a write-up about what the key is and contains useful references about the key.

* Richard Drinkwater’s Forensics from the Sausage Factory blog post Prefetch and User Assist. This write-up was about determining how often a program was run, and one of the areas that provided this information was the UserAssist key.

* Harlan Carvey’s Windows IR blog post Accessing Volume Shadow Copies, where he discusses how the registry key could be analyzed in Volume Shadow Copies.

* Chris Pogue’s Digital Standard blog post The “Not So” Perfect Keylogger. In this write-up the UserAssist key showed the initial execution of a keylogger.

* Into the Boxes Digital Forensics and Incident Response Magazine Issue 0x0. Didier Stevens wrote an article for this issue about the Windows 7 Userassist Registry key.

* Dave Hull’s post Digital Forensics: Detecting time stamp manipulation on the SANS forensics blog. This write-up was about identifying time stamp manipulation, and the UserAssist key was one of the artifacts included in a timeline.

The previous search showed the potential wealth of information that could be obtained about an artifact of interest. The last search will illustrate how the feeds can help in conducting research about an item such as an email. The picture below shows an email that was in one of my throwaway email accounts, and this email will be used for this demonstration.

The email appears to be a notification from the United Parcel Service, and the attachment is supposed to contain the tracking number and more information about a shipment. This is the type of email I would do additional research on so I can learn more about the spam campaign and the artifacts left on a system by opening the attachment. The first keyword I searched for was the name of the attachment, which was upsnotify. This resulted in only one hit in my feeds: the post Spamvertised United Parcel Service notifications serve malware on Dancho Danchev's blog, Mind Streams of Information Security Knowledge. His post was about the current spam campaign impersonating UPS to serve malware. The information covered was the detection rates for the attachment contents, additional executables downloaded, and domains contacted. I wanted more information, so I ran another search using the keyword United Parcel Service. The following is a summary of some of the keyword hits:

* MXLab blog post “United Parcel Service notification” from UPS contains trojan. The post discusses how MXLab started receiving a new trojan distribution campaign by email with the subject “United Parcel Service notification”, and it provides some information about the email.

* MXLab blog post “United Parcel Service notification 48161” from UPS contains trojan. This write-up is about the spam campaign and provides details about the spoofed email address, the URLs the Trojan downloads data from, the payload artifacts created on the system, and the processes started on the system.

* Microsoft Malware Protection Center post Trojan downloader Chepvil on the UPSwing. The post discusses the email campaign and the attachment that was detected as TrojanDownloader:Win32/Chepvil.I.

* There were a couple of tweets mentioning the spam email as well.

The searches against my feeds provided a wealth of information. I was able to determine that an email sitting in my Inbox was part of a spam campaign and identified some of the potential artifacts on a system where the attachment was opened. The two other searches located information on how to recover InPrivate browsing data and a wealth of information about the UserAssist key.
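The keyword searches above all run against a local copy of the feed content. The following is an added example, not part of the original post or of FeedReader, that shows the two halves of that workflow in miniature: normalising RSS 2.0 and Atom documents into one item store, then searching it offline. The two feeds and the example.invalid links are constructed for the demonstration; their titles echo the posts discussed above.

```python
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feeds (not real sites); titles echo the posts discussed above.
RSS_SAMPLE = """<rss version="2.0"><channel><title>Example DFIR blog</title>
<item><title>Internet Explorer InPrivate URL Artifacts</title>
<link>http://example.invalid/inprivate</link>
<description>&lt;p&gt;Where InPrivate browsing leaves URL traces.&lt;/p&gt;</description></item>
<item><title>Prefetch and User Assist</title><link>http://example.invalid/prefetch</link>
<description>How often a program ran, from Prefetch and the UserAssist key.</description></item>
</channel></rss>"""
ATOM_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Example malware feed</title>
<entry><title>UPS notification spam serves malware</title><link href="http://example.invalid/ups"/>
<summary>Attachment named upsnotify drops a downloader.</summary></entry></feed>"""

def parse_feed(xml_text):
    """Normalise one RSS 2.0 or Atom document to (feed, title, link, body) tuples."""
    root = ET.fromstring(xml_text)
    items = []
    if root.tag == "rss":                       # RSS 2.0: <rss><channel><item>
        channel = root.find("channel")
        feed = channel.findtext("title", "")
        for it in channel.findall("item"):
            items.append((feed, it.findtext("title", ""), it.findtext("link", ""),
                          it.findtext("description", "")))
    elif root.tag == ATOM + "feed":             # Atom: <feed><entry>, all namespaced
        feed = root.findtext(ATOM + "title", "")
        for e in root.findall(ATOM + "entry"):
            link = e.find(ATOM + "link")
            href = link.get("href", "") if link is not None else ""
            body = e.findtext(ATOM + "content") or e.findtext(ATOM + "summary", "")
            items.append((feed, e.findtext(ATOM + "title", ""), href, body))
    else:
        raise ValueError("not an RSS 2.0 or Atom document: %r" % root.tag)
    return items

def build_store():
    """The local 'database': every item from every subscribed feed, usable offline."""
    return parse_feed(RSS_SAMPLE) + parse_feed(ATOM_SAMPLE)

def search(store, keyword):
    """Case-insensitive keyword hit list over titles and tag-stripped bodies."""
    needle = keyword.lower()
    return [(feed, title, link) for feed, title, link, body in store
            if needle in (title + " " + re.sub(r"<[^>]+>", " ", body)).lower()]
```

A real collection would fetch each subscribed URL on a schedule and append the parsed items to the store; the search itself never needs the network.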

The best part about moving to a feed reader is that I have access to the information at any time, since it is stored in the RSS feed database on the thumb drive. Sometimes it feels like I have a portable Google in my pocket.