Saturday, July 13, 2013

Daily Blog #20: 7/13/13 Saturday Reading List

Hello Reader,
       It's Saturday! The week is over and hopefully you are either at the office making overtime, looking for something to read while a process runs, or at home ready to relax with some good forensic reading. It's been a light reading week for me as I was at the DFIR Summit Mon-Wed and then onsite working. Here is what I'm looking into this week, let's learn together.

1. TSK has an API now that allows any developer to access forensic images through it! You can find the documentation here, http://www.sleuthkit.org/sleuthkit/docs/api-docs/, and there are implementations in C, C++ and Python so far. Matthew and I are looking into this to see how we can implement the API into our TriForce app so we can get access to the artifacts directly from the image. If you are working on a tool and want easier access to the evidence, this Creative Commons-based license is amazing.

2. The FOX toolkit is something I just learned existed from reading the gena documentation that came from TZWorks; you can read more about it here http://fox-toolkit.org/. If you are developing GUI apps and are looking for a good lightweight cross-platform GUI solution, this seems to be a winner. For an example of it in action check out 'gena' from TZWorks. You can get it here, https://www.tzworks.net/prototype_page.php?proto_id=28.

3. One of the great things about being both a development shop and a forensic lab is that we get lots and lots of evidence to test our tools against and validate our findings as we push what's possible. This week we were validating some USN data and running some re-creation tests, the results of which we will publish once they are done, by comparing our TriForce output to TZWorks' USN parser. The first time we did this the TZWorks parser actually returned more records than our parser, which was surprising to us since the USN is supposed to be a well documented and understood standard. As Matthew went back to validate the records and find the exceptions we found some very unusual behavior which has been documented here. When we send out the August beta this updated parser will be included; we can now recover these entries and handle more exceptions/produce more records than other parsers in our tests.
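To show where record-count differences between USN parsers come from, here is an added example (not TriForce or TZWorks code) of a minimal USN_RECORD_V2 walker over a constructed $UsnJrnl:$J buffer. It assumes the v2 record layout from Microsoft's USN_RECORD_V2 documentation, and the sample records and timestamp are constructed, not taken from real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HDR = struct.Struct("<IHHQQQQIIIIHH")

def filetime_to_dt(ft):
    """Windows FILETIME (100ns ticks since 1601-01-01) -> UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(buf):
    """Walk a $UsnJrnl:$J buffer and return one dict per valid v2 record.
    Records are 8-byte aligned, so zero fill (the sparse run at the start of $J
    and inter-record padding) is stepped over instead of being read as a record,
    and a record that fails sanity checks is skipped so one bad entry does not
    end the walk early (a common reason parsers disagree on record counts)."""
    records, pos = [], 0
    while pos + HDR.size <= len(buf):
        (length, major, _minor, fref, pref, usn, ts, reason, _src,
         _sid, attrs, nlen, noff) = HDR.unpack_from(buf, pos)
        if (length == 0 or major != 2 or length < HDR.size
                or pos + length > len(buf) or noff + nlen > length):
            pos = (pos + 8) & ~7          # resync on the next 8-byte boundary
            continue
        name = buf[pos + noff:pos + noff + nlen].decode("utf-16-le", "replace")
        records.append({"usn": usn, "mft_entry": fref & 0xFFFFFFFFFFFF,
                        "mft_seq": fref >> 48, "parent_entry": pref & 0xFFFFFFFFFFFF,
                        "timestamp": filetime_to_dt(ts), "reason": reason,
                        "attrs": attrs, "name": name})
        pos += length
    return records

def build_record(usn, entry, seq, parent, ts, reason, name):
    """Construct a v2 record for test data only; padded to 8-byte alignment."""
    nb = name.encode("utf-16-le")
    length = (HDR.size + len(nb) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, (seq << 48) | entry, parent, usn, ts,
                   reason, 0, 0, 0x20, len(nb), HDR.size)
    return hdr + nb + b"\0" * (length - HDR.size - len(nb))

# Constructed sample $J: sparse zero run, two records for the same file
# (USN_REASON_FILE_CREATE, then FILE_CREATE|CLOSE), then trailing zero fill.
TS_2013_07_13 = 130181472000000000   # FILETIME for 2013-07-13 00:00:00 UTC
SAMPLE_J = (b"\0" * 32
            + build_record(1024, 1234, 5, 5, TS_2013_07_13, 0x100, "report.docx")
            + build_record(1112, 1234, 5, 5, TS_2013_07_13, 0x80000100, "report.docx")
            + b"\0" * 24)
```

Running parse_usn_records(SAMPLE_J) returns the two records with their MFT entry/sequence split out of the 64-bit file reference; a parser that stops at the first zero length or aborts on the first malformed record would report fewer.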

4. This isn't necessarily a read, but Hal Pomeranz did a great presentation at the DFIR Summit titled 'Facing your Dragons'; you can watch it here, https://t.co/JG7V1B3Xfl. Many times when asked for advice by those looking to get started and move forward in their careers I've explained that most of the major achievements of my life were done by saying 'Yes'. I think a lot of people might have misunderstood my advice as a bad version of Jim Carrey's movie 'Yes Man'. Hal really explains what I mean in better terms with good stories to back it up. If you are looking to succeed in your career and move forward, then watch Hal's presentation and when the time comes to face your fears say Yes!

5. For those who've missed Matthew and me (and our beards) talking about the TriForce so far, we will be doing a webcast with SANS on Monday 7/15/13. You can watch us here https://www.sans.org/webcasts/force-ntfs-tri-force-you-always-96857 and ask questions!

6. Harlan Carvey posted some more How-To's since last Saturday; this one was the most interesting to me http://windowsir.blogspot.com/2013/07/howto-track-lateral-movement.html. If you are doing IR, tracking lateral movement can be as important as discovering how the intruder got access in the first place.

7. Corey Harrell has posted his keynote presentation from the SANS DFIR Summit titled 'Finding Malware Like Iron Man', http://journeyintoir.blogspot.com/2013/07/finding-malware-like-iron-man-slide.html. I found that it was both entertaining and informative and I hope you give it a read. I've mentioned before that I am more DF than IR, so getting to understand the other side of the acronym is always interesting to me.

Get ready for tomorrow's Sunday Funday; I'm going to make it a bit more approachable than last week's.