HBGary SRA International “Memory Grabber” Forensics Tool White Paper

The purpose of this paper is to describe the SRA Memory Grabber system, which provides memory access to a running and password protected laptop through the use of a small PC Card inserted into the PCMCIA slot of the laptop. The Memory Grabber device shown in the figure below is operating system agnostic; working on Microsoft Windows, Linux, and MacOS and is available today as a production unit for use with Express Card and Card Bus laptop systems.

HBGary DARPA Cyber Insider Threat (CINDER) Proposal

Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong. Our solution is to develop a paranoia-meter to measure these observables. Using shoplifing as an example, there are peaks and valleys of adrenaline during the entire theft process. There is the moment the thief puts an item in their pocket (high), then as they walk around the store the adrenaline begins to valley a bit, then they attempt to walk out of the store (very high). It is at these points that we want to be able to take as many behavioral measurements as possible because it is at these points the insiders activity will be as far from normal behavior. In this hypothesis we will have a rootkit on the host that monitors keystrokes, mouse movements, and visual cues through the system camera.

Bank of America Anonymous Email Leak

Emails released by a member of Anonymous relating to the supposed concealment of mortgage fraud by Bank of America. Due to extreme interest, the main site distributing the documents ( has been intermittently inaccessible. Also, a somewhat confusing presentation makes the actual emails themselves difficult for some people to interpret. Text renditions of the emails contained in the leak are presented.

HBGary Morgan Stanley CERT Physical Memory Standard Operating Procedures

Memory forensics allows MSCERT to become more effective and agile regarding the acquisition of actionable intelligence. Traditional disk forensic approaches to investigations are slow and non-scalable. Large amounts of data must be acquired, transferred, and then analyzed. Memory forensics reveal what the true running state of a target system is at the time of acquisition. Hidden processes and other system activities are made available to an analyst by analyzing a smaller set of data than disk forensics. This document details Morgan Stanley’s (MS) Standard Operating Procedures (SOPs) for acquiring and analyzing physical memory using the HBGary forensic toolset. Fastdump Professional and Responder Professional usage are detailed through a case study methodology.

HBGary DoD Cyber Warfare Support Work Statement

Cyber Warfare is warfare in the Cyberspace domain, which is defined by the SECDEF as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the internet, telecommunications networks, computer systems and embedded processors and controllers.” Cyber Warfare encompasses Computer Network Operations (e.g. Attack, Defend and Exploit,) Information Assurance, and the network operations that encompass Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (C4ISR) and Information Operations (IO) functions that occur within the Cyberspace domain. This includes Computer Network Operations (CNO) against automated systems (e.g. C4ISR), and the interaction between the physical, social and biological networks that define human-machine interaction.

Internal BP Azerbaijan Subsea Drilling Safety, Security, Environmental Procedure Manuals

A .zip file containing more than one-hundred internal BP documents relating to Health, Safety, Security and Environment (HSSE) procedures for the company’s operations in Azerbaijan (Azerbaijan Business Unit/AzSPU). The titles of all the documents contained in the file are listed below. Most of the documents are classified internally within BP at the Document Control Tier 2 level. Many of the documents appear to reflect procedural revisions made following the 2010 oil spill in the Gulf of Mexico.

HBGary Qosmos Deep Packet Inspection White Paper

Given the massive volumes of data that the U.S. and other governments must manage and the volume of traffic across IT networks, government-wide security solutions pose significant technical challenges. According to Phil Bond, president of TechAmerica, “Now more than ever, a partnership between the public and private sectors in leveraging IT to achieve a more transparent government is essential to securing the public’s safety.”

HBGary QinetiQ Cyber Attack Response Report

Beginning in March 2010, HBGary, Inc. was contracted to assist in the identification, analysis, and removal of malware from QinetiQ North America (QNA) internal systems. This was in response to what QNA believed to be an organized and sophisticated cyber attack involving the potential theft of ITAR controlled data. HBGary was given background on the attack, which included information on targeted attacks on digital data systems that have occurred in the past.

HBGary Windows Rootkit Analysis Report

This report focuses on Windows Rootkits and their affects on computer systems. We also suggest that combining deployment of a rootkit with a BOT makes for a very stealth piece of malicious software. We have used various monitoring tools on each of the rootkits and have included most but not all of the monitor logs due to space constraints. However, if a log is needed for perusal it is available. Some of the rootkits we investigated contained readme files which were, for the most part, quite informative and actually substantiated some of our monitoring log findings. For the rootkits that contained readme files we have either included them within the document or have included a link for them. At the beginning of this report we have included clean monitoring logs from two different tools that we employed on the rootkits. We have other clean logs but did not include them for the sake of space. Once more, as the logs for the rootkits will be available if needed so will these clean logs.

HBGary General Dynamics Malware Development: Task Z

General Dynamics has selected HBGary Inc to provide this proposal for development of a software tool, which provides the user a command line interface, that will enable single file, or full directory exfiltration over TCP/IP. General Dynamics has requested multiple protocols to be scoped as viable options, and this quote contains options for VoIP (Skype) protocol, BitTorrent protocol, video over HTTP (port 80), and HTTPS (port 443). HBGary will research and analyze the best solution given the client’s choice of protocol(s). As outlined in the Bill of Materials on page 4 of this document, cost per protocol is provided separately, and one or more of the options can be chosen by General Dynamics. HBGary will develop this user mode application with listen capabilities, trace cleanup, and ensure network sniffer testing doesn’t trigger any alerts. The application will be provided for user testing, and validation at the close of the development cycle which will be scheduled jointly between HBGary, and General Dynamics.

HBGary General Dynamics Malware Development: Project C

General Dynamics has selected HBGary Inc to provide this proposal for development of a software application targeting the Windows XP Operating System that, when executed, loads and enables a covert kernel-mode implant that will exfiltrate a file from disk (or other remotely called commands) over a connected serial port to a remote device. The enabling kernel mode implant will cater to a command and control element via the serial port. The demonstration will utilize an exploit in Outlook as the delivery mechanism for said software application. The subsequently loaded implant will be stable and will not crash the demonstration system. A usermode component will be included as part of the exploitation package that exercises the kernel mode implant for demonstration purposes. The loaded implant will use the connected serial port to remotely enable functions which can be visible on the collection computer connected on the other end of the serial line. The purpose of the demonstration setup is to verify the functionality for the customer and validate that all work has been completed.

HBGary Team Themis Corporate Information Reconnaissance Cell Documents

Internet based communications, most predominately the growing spectrum of social media platforms, allow people to coordinate and communicate in a highly efficient and collaborative manner, even when vastly geographically distributed. These same services and technologies can also make it difficult to attribute information to specific entities. Anonymizing and misattribution technologies used to mask location and identity have become commonplace. In many cases, people and/or organizations use the inherent insecurity in Internet communications to conduct criminal or unethical activities. This represents a paradigm shift in the capability of individuals and small groups to conduct effective planning and execution of asymmetric operations and campaigns that can have major impacts on large organizations or corporations. Despite the increased capability and anonymity that these new communications technologies provide, it is still possible to counter individuals and groups who are leveraging networks, platforms, and/or applications to conduct criminal and/or unethical activities. In such cases, it is necessary to develop a more forward leaning investigative capability to collect, analyze, and identify people or organizations conducting such activities. In order to effectively track and understand the complex, interconnected networks involved in these actions, it becomes critical to utilize proven, cutting-edge tools and analytical processes; applying them in a deliberate, iterative manner against those involved in illicit activities. The most effective way to limit the capability of individuals and/or groups is to develop a comprehensive picture of the entities involved through focused collection, conduct rapid analysis to identify key nodes within the network, and determine the most effective method for influencing/limiting these entities.

HBGary DARPA Cyber Genome Technical Management Proposal

While it is a challenging undertaking, we plan to research and develop a fully automated malware analysis framework that will produce results comparable with the best reverse engineering experts, and complete the analysis in a fast, scalable system without human interaction. In the completed mature system, the only human involvement will be the consumption of reports and visualizations of malware profiles. Our approach is a major shift from common binary and malware analysis today, requiring manual labor by highly skilled and well-paid engineers. Results are slow, unpredictable, expensive and don’t scale. Engineers are required to be proficient with low-level assembly code and operating system internals. Results depend upon their ability to interpret and model complex program logic and ever-changing computer states. The most common tools are disassemblers for static analysis and interactive debuggers for dynamic analysis. The best engineers have an ad-hoc collection of non-standard homegrown or Internet-collected plug-ins. Complex malware protection mechanisms, such as packing, obfuscation, encryption and anti-debugging techniques, present further challenges that slow down and thwart traditional reverse engineering technique.

HBGary General Dynamics DARPA Cyber Genome Program Proposal

Current technologies and methods for producing and examining relationships between software products, particularly malware, are lacking at best. The use of hashing or “fuzzy” hashing and matching techniques are conducted at the program level, ignoring any reflection of the actual development process of malware. This approach is only effective at finding closely related variants or matching artifacts found within malware that are only tangent to the development process, such as hard coded IP address, domains, or login information. This matching process is often unaware of internal software structure except in the most rudimentary sense, dealing with entire sections of code at a time, attempting to align matches while dealing with arbitrary block boundaries. The method is akin to an illiterate attempting comparing two books on the same topic. Such a person would have a chance of correlating different editions of the same book, but not much else. The first fundamental flaw in today’s approach is that it ignores our greatest advantage in understanding relationships in malware lineage, we can deduce program structure into blocks (functions, objects, and loops) that reflect the development process and gives software its lineage through code reuse.

Internal Deloitte LLP Email Prohibiting Access to WikiLeaks

In the wake of the recent WikiLeaks disclosures of U.S. classified information, the U.S. Office of Management & Budget (OMB) and the Department of Defense (DoD) published guidance that prohibits federal government employees and federal contractor personnel from accessing the WikiLeaks web site to view or download classified information. As federal contractors, the Deloitte U.S. Firms and their professionals are obligated to protect the integrity of classified information.

TransUnion Illegal Sale of Personal Credit Information 2000 FTC Documentation

The Federal Trade Commission has ordered the Trans Union Corporation to stop selling consumer reports in the form of target marketing lists to marketers who lack an authorized purpose for receiving them under the Fair Credit Reporting Act (“FCRA”). In a unanimous opinion authored by Commissioner Mozelle W. Thompson, the FTC determined that “Trans Union’s target marketing lists are . . . consumer reports under the FCRA” and concluded that Trans Union is violating the FCRA by selling this information to target marketers who lack one of the “permissible purposes” enumerated under the Act. The Commission’s decision applies to a number of Trans Union’s target marketing list products including its Master File / Selects products, its modeled products and its TransLink / reverse append products. Trans Union is based in Chicago, Illinois, and is one of the three national credit bureaus, or consumer reporting agencies, in the United States. It currently handles data on approximately 160 million consumers. As a consumer reporting agency, Trans Union receives detailed credit information about millions of American consumers from numerous credit grantors including banks, mortgage companies, credit unions, auto dealers and others. Trans Union compiles this information into consumer reports and sells the reports to credit grantors nationwide.

TransUnion Corporation Sale of Consumer Credit Information Privacy Litigation Decision 2002

Defendant Trans Union is one of three major consumer reporting agencies in the United States. Its core business is assembling and evaluating consumer credit information, including credit and payment patterns on consumers for the purpose of selling consumer reports to third parties. Typical buyers of such information are firms considering extending credit to a particular consumer. The information provided by Trans Union is used to determine if the consumer is a good credit risk. Trans Union maintains a computer data base called “CRONUS,” that contains consumer credit information it uses to generate credit reports. The data base includes the credit activity of every credit-active individual in the United States. Trans Union receives the information from credit grantors such as banks, mortgage companies, credit unions, auto dealers and collection agencies. Trans Union also receives information on student loans and child support.