Saturday, June 29, 2013

Daily Blog #6: The weekly reading list

Hello Reader,
     It's Saturday, so we will take a break from the current series and enjoy the weekend with some relaxing digital forensic reading. Get a good cup of coffee and a comfortable chair, and I'll point you to what I'm reading this week to try to keep pace with the rest of the forensic world.

1. Over on the SANS forensics blog Mike Pilkington has a great article on securing Active Directory. You can read it here: http://computer-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

When I first started my career it was in information security, and I believe it has benefited my forensic work to be aware of how systems are configured by default and what logs existed. Understanding the Active Directory default configuration, how to secure it and what it contains won't just help IR people; when doing internal investigations of IT admins, it's important to be able to spot the subtle backdoors they leave.

2. If you are doing internal investigations of employees and deal with employees faking replies to emails, you owe it to yourself to read Joachim Metz's excellent white paper on his deep dive into the PST structure: https://googledrive.com/host/0B3fBvzttpiiScU9qcG5ScEZKZE0/PFF%20forensics%20-%20e-mail%20and%20appoinment%20falsification%20analysis.pdf

The thread index he discusses is something I've never seen parsed out by another tool, and it is something I keep in mind now when I'm approaching email investigations. The white paper is part of his libpff project, http://code.google.com/p/libpff/, which has been updated to work with Office 2007 and later PST and OST files.

3. One of my course co-authors, Jake Williams, wrote an interesting blog post, http://malwarejake.blogspot.com/2013/06/penetration-testing-scope-murky-waters.html, all about how clients place artificial limitations on penetration tests and remove most of the test's usefulness. It's a good read, and if you deal with penetration testers it's something you should consider. If you are paying good money for a service, you should get the best evaluation of your network security your vendor can provide, without artificial limitations.

4. Lastly this week I'd like to point out that with Windows 8 and Windows Server 2012 now out in the wild (I've had one Windows 8 investigation so far) the USN structure has been updated to version 3. You can read the v3 specification here http://msdn.microsoft.com/en-us/library/windows/desktop/hh802708(v=vs.85).aspx to get an idea of the changes. The big one is that the file reference number and parent file reference number grow from 64-bit values to 128-bit FILE_ID_128 values, so the fixed header grows from 60 to 76 bytes and every field after the references (USN, timestamp, reason, file name offset) shifts; a v2-only parser fed v3 records will decode garbage rather than fail. Make sure your USN parser supports the version 3 structure before you try it on Win 8/Server 2012. The Triforce will be USN v3 aware in the coming release. If you are not including the USN in your investigations you are missing valuable data.
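As an added example (this is not code from the blog or from the Triforce), here is a small Python parser that dispatches on the MajorVersion field and handles both the USN_RECORD_V2 and USN_RECORD_V3 layouts from the linked Microsoft documentation. The journal bytes it parses are constructed inline as sample data, the reason-flag table is a subset of the USN_REASON_* values, and the zero-gap skipping reflects that an extracted $UsnJrnl:$J stream is sparse.

```python
"""Version-aware USN change journal record parser.

Added example, not from the blog post or from the Triforce. It follows the
USN_RECORD_V2 and USN_RECORD_V3 layouts in the Microsoft documentation;
the records it parses are constructed inline below as sample data.
"""
import datetime
import struct

# Fixed-size headers, little-endian, no padding. V3 widens both file
# reference numbers from 8 bytes to 16-byte FILE_ID_128 values, so the
# header grows from 60 to 76 bytes and every later field shifts.
_V2_HDR = struct.Struct("<IHHQQqqIIIIHH")      # 60 bytes
_V3_HDR = struct.Struct("<IHH16s16sqqIIIIHH")  # 76 bytes

# Subset of the USN_REASON_* flags, in ascending bit order.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done with integers to stay exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def reason_names(reason):
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    return names or ["0x%08x" % reason]

def parse_usn_record(buf, offset=0):
    """Parse one record at buf[offset]; return (record dict, next offset)."""
    if len(buf) - offset < 8:
        raise ValueError("truncated record header at offset %d" % offset)
    record_length, major, minor = struct.unpack_from("<IHH", buf, offset)
    if major == 2:
        hdr = _V2_HDR
    elif major == 3:
        hdr = _V3_HDR
    else:  # fail loudly instead of mis-aligning every field and decoding garbage
        raise ValueError("unsupported USN record version %d.%d at offset %d"
                         % (major, minor, offset))
    if record_length < hdr.size or offset + record_length > len(buf):
        raise ValueError("bad RecordLength %d at offset %d" % (record_length, offset))
    (_, _, _, frn, parent, usn, timestamp, reason, source_info,
     security_id, attributes, name_len, name_off) = hdr.unpack_from(buf, offset)
    if name_off + name_len > record_length:
        raise ValueError("file name runs past end of record at offset %d" % offset)
    if major == 3:  # FILE_ID_128 arrives as raw bytes; keep it as an integer
        frn = int.from_bytes(frn, "little")
        parent = int.from_bytes(parent, "little")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    rec = {"version": (major, minor), "usn": usn,
           "timestamp": filetime_to_datetime(timestamp),
           "file_ref": frn, "parent_ref": parent, "reason": reason_names(reason),
           "source_info": source_info, "security_id": security_id,
           "attributes": attributes, "name": name}
    if major == 2:  # 64-bit NTFS reference = 48-bit MFT entry + 16-bit sequence
        rec["mft_entry"] = frn & 0xFFFFFFFFFFFF
        rec["mft_sequence"] = frn >> 48
    return rec, offset + record_length

def parse_journal(buf):
    """Yield records from a journal buffer, stepping over zero-filled gaps."""
    offset = 0
    while offset + 8 <= len(buf):
        if struct.unpack_from("<I", buf, offset)[0] == 0:
            offset += 8  # records are 8-byte aligned, so scan in 8-byte steps
            continue
        rec, offset = parse_usn_record(buf, offset)
        yield rec

def build_record(major, frn, parent, usn, filetime, reason, name):
    """Construct a sample record for this example (not bytes from a real journal)."""
    hdr = _V2_HDR if major == 2 else _V3_HDR
    name_bytes = name.encode("utf-16-le")
    length = hdr.size + len(name_bytes)
    length += (-length) % 8  # pad to the 8-byte boundary the journal uses
    refs = (frn, parent) if major == 2 else (frn.to_bytes(16, "little"),
                                             parent.to_bytes(16, "little"))
    fixed = hdr.pack(length, major, 0, *refs, usn, filetime, reason, 0, 0,
                     0x20, len(name_bytes), hdr.size)
    return (fixed + name_bytes).ljust(length, b"\x00")

def demo():
    """Parse a constructed journal: one v2 record, a zero gap, one v3 record."""
    when = datetime.datetime(2013, 6, 29, 12, 0, 0, tzinfo=datetime.timezone.utc)
    ft = datetime_to_filetime(when)
    journal = (build_record(2, (5 << 48) | 1234, (1 << 48) | 5, 0x1000, ft,
                            0x00000100 | 0x80000000, "evil.exe")
               + b"\x00" * 16
               + build_record(3, 0x123456789ABCDEF01111, 0x2222, 0x2000,
                              ft + 10_000_000, 0x00001000, "old name.txt"))
    return list(parse_journal(journal))

if __name__ == "__main__":
    for rec in demo():
        print(rec["version"], rec["usn"], rec["timestamp"].isoformat(),
              rec["name"], ",".join(rec["reason"]))
```

The point of the `major` dispatch is that the two layouts share the first eight bytes, so a parser can always read RecordLength/MajorVersion first and then pick the right header; anything else (including a future version) is rejected rather than silently misread.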

That's it for today. If you found something interesting this week, please leave a link and a description in the comments.