
ISIT: A Template to Document Your DNS Investigations

Anuj Soni has written a fine post at the SANS Digital Forensics and Incident Response blog entitled How to Track Your Malware Analysis Findings. In the post, Anuj asserts that a truly successful malware analysis requires "both a well-crafted process and detailed documentation of the journey through that process". This is a spot-on observation, and it applies equally to investigations where documenting Internet identifier systems - domain names, Internet addresses, autonomous system numbers - is critical.

Anuj also mentions that "meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results." These, too, are consistent with principles I've described in my Thought Paper on Domain Seizures and Takedowns.

Just as Anuj has created a template to record analysis details when performing malware analysis of Windows executables, so have I created an Identifier Systems Investigations Template (ISIT), in Word. These templates have sections for:

  • DNS and domain intel, including domain names of interest, class of abuse, name server and zone data of interest;

  • Domain name registration information from domain whois;

  • IP and ASN whois information; and

  • Reputation data for domains, addresses, MX records and hosted or attachment malware.

In some respects, these templates might be more useful as web forms, especially in circumstances where you're investigating lists of domains and have whois records, dig output, raw email messages, web page screenshots, or HTML for each of these. I've identified places where you might want to link or upload files of supporting data should you choose to make web forms.
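As an added illustration of the web-form idea (example code, not part of the template or the original post), the script below parses constructed `dig +noall +answer` and domain whois fragments into a record whose sections mirror the ISIT layout, with a slot for links to the raw supporting files. The domain, registrar and addresses are made-up sample values.

```python
import json
import re
from dataclasses import dataclass, field, asdict

# Constructed sample inputs (not real investigation data).
DIG_OUTPUT = """\
example.test.\t3600\tIN\tA\t192.0.2.10
example.test.\t3600\tIN\tMX\t10 mail.example.test.
example.test.\t86400\tIN\tNS\tns1.example.test.
"""
WHOIS_OUTPUT = """\
Domain Name: EXAMPLE.TEST
Registrar: Placeholder Registrar LLC
Creation Date: 2014-12-01T00:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
"""

@dataclass
class ISITRecord:
    """One investigated domain, sectioned like the ISIT template."""
    domain: str
    class_of_abuse: str
    dns: list = field(default_factory=list)          # parsed dig answers
    whois: dict = field(default_factory=dict)        # key -> list of values
    attachments: list = field(default_factory=list)  # paths/links to raw evidence

def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into {ttl, type, rdata} dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # rdata may contain spaces (MX, TXT)
        if len(parts) == 5 and parts[2] == "IN":
            records.append({"ttl": int(parts[1]), "type": parts[3], "rdata": parts[4]})
    return records

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.+)$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return fields

def build_record(domain, abuse, dig_text, whois_text, attachments=()):
    """Assemble one ISIT record from raw tool output plus evidence links."""
    return ISITRecord(domain, abuse, parse_dig_answer(dig_text),
                      parse_whois(whois_text), list(attachments))

def to_json(rec):
    """Serialise the record for storage behind a web form or in a case file."""
    return json.dumps(asdict(rec), indent=2)
```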

In the same spirit of sharing and learning as Anuj offered, feel free to use this template and tailor it to your own methodology. Email me with suggestions and I'll try to update it regularly.
