Friday, July 19, 2013

Daily Blog #27: Saturday Reading 7/20/13

Hello Reader,
It's Saturday, so it's time for another fresh batch of forensic reading. Time to bring the dogs in and put the kids outside, grab a good cup of coffee and let's learn.

1. Harlan has been doing some serious blogging lately; one of his more recent posts goes into different scenarios in data exfiltration, read it here http://windowsir.blogspot.com/2013/07/howto-data-exfiltration.html. If you are faced with the task of determining exfiltration this is a great resource. If your suspected exfil route isn't listed, it's time to step back, think about what artifacts are relevant and make a plan for yourself similar to the examples Harlan posted.

2. Over at the SANS forensics blog they have the results of their yearly DFIR survey, read it here http://computer-forensics.sans.org/blog/2013/07/19/sans-survey-of-digital-forensics-and-incident-response-dfir. If you want to see what other examiners are dealing with and look to bring some issues up to your management, this survey could be a great tool.

3. On the cyb3rcrim3 blog they cover legal cases that involve computer forensic issues. Typically these cases involve the appeal of a ruling to exclude evidence, a tool being challenged, etc., but this posting was something altogether different. This post covers a legal dispute between computer forensics company Vestige and a client about unpaid invoices and the actions that occurred during the litigation Vestige was retained in; you can read it here http://cyb3rcrim3.blogspot.com/2013/07/the-computer-forensic-company-evidence.html.

Needless to say, it's pretty much every examiner's worst nightmare to have their faults linked to and published around the internet, but as it's already out there I don't feel I'm adding too much to their pain. Please, if you read any of these links this weekend, read this one and learn from the mistakes that occurred here. I don't know all the facts of this case or who is right or wrong, but the biggest takeaway is to make sure you understand the work of those who work with you and clearly communicate your findings, both good and bad, to counsel if you want to be the best expert you can be for them.

4. All of the SANS DFIR Summit 360 videos have been posted here: http://www.youtube.com/playlist?list=PLfouvuAjspToxKMa8DeLTEh5BppA_p_pG. The 360 talks are fun to watch, as each speaker only has 6 minutes to talk, meaning they get to the heart of things very quickly. I linked to Hal Pomeranz's talk last time, but this playlist now has all the videos for you to watch.

5. If you are on the IR side of the fence and need to get management to understand the importance of your work and the need for resources, read this: http://blogs.gartner.com/anton-chuvakin/2013/07/15/on-importance-of-incident-response/. Just having the Gartner name on it should get their interest; the fact that the information is good and interesting also helps.

That wraps up this week's reading list. It's been a good week in the lab and I hope you enjoyed this week's go-bag series and the interview with SA Eric Zimmerman. We previewed some research we've done on USN journal artifacts of Outlook attachment access during our first 'Forensic Lunch' Google hangout; I hope to get that data documented into a white paper and posted next week. If you are interested in an informal conversation with the people in my lab and others in the DFIR world, we are attempting another 'Forensic Lunch' Friday 7/26/13, details here https://plus.google.com/u/0/events/ce2rsd6sumer9laimu4s0hdoddo. The way Google+ currently handles this, we will post/tweet/broadcast/share the link to watch the broadcast live once it begins, and then the recording will be available on our YouTube account.

Tomorrow is Sunday Funday and the prize is being provided by Magnet Forensics who have graciously offered the following to the winner:

  • Three month license to IEF
  • A Magnet Forensics baseball cap
  • A gift card to Amazon

I reached out to Jad and asked him if he would be interested, and he and Magnet were very gracious in their response. I want to keep the prizes for Sunday Funday varied and interesting to keep driving great and thorough answers we all can benefit from. Good luck to the participants; I have to make the question worth the prize!