Saturday, July 6, 2013

Daily Blog #13: 7/6/13 Saturday Reading

Hello Reader,
           It's our second Saturday together and time to get a nice cup of coffee and your favorite reading device ready for some good forensic reading.

    1.) Harlan Carvey has been very busy over at his blog posting up a series of how-to's. In relation to last week's Sunday Funday I found this one to be the most appropriate to link, http://windowsir.blogspot.com/2013/06/howto-tie-lnk-files-to-device.html. All the how-to's are good though, and if you are looking to find a process to tie specific artifacts together to reach a conclusion he has some great examples for you to follow.

    2.) If you want to know where our research is heading after journaled file systems, you can look here http://msdn.microsoft.com/en-us/library/windows/desktop/bb968806(v=vs.85).aspx to follow along with us. Joachim Metz originally pointed me to it and has some proof-of-concept code, and his write-up of the format can be found here: http://code.google.com/p/libfslibs/downloads/detail?name=Common%20Log%20File%20System%20%28CLFS%29.pdf (this link may not work).

    CLFS, aka Aegis, is very interesting and something we are only beginning to experiment with. We are working to understand which system operations call the transactional file operations versus the non-transactional ones, so we can know what we can expect to recover. If all goes well, hopefully we will be talking about it at CEIC next year!

    3.) Interested in learning more about the CD Burning lab we posted with the Triforce materials from CEIC? Here is our original write-up on CD Burning remnants from $LogFile analysis; we will follow this up with more write-ups for each lab and update them to show how the USN augments these results: https://docs.google.com/file/d/0B_mjsPB8uKOAR0ktX1ctSHdpazA/edit?usp=sharing

    4.) Interested in Windows 8 forensics? Ken Johnson has released his draft thesis, which is all about Windows 8 forensics: http://randomthoughtsofforensics.blogspot.com/2013/07/windows-8-thesis-draft.html. I'm not sure if anyone else has compiled as much information on the topic as Ken has at this time, so as far as I know this is the best place to get up to speed.

    That's it for me today; my vacation ends tomorrow and the summit starts Monday night. I hope you all will get plenty of rest and be ready for another Sunday Funday contest tomorrow!