Friday, August 2, 2013

Daily Blog #41: Saturday Reading 8/3/13

Hello Reader,
           It's Saturday and after a long week of working, heck you might be in the office working right now, it's time to let the disks image, the indexes run and the hashes hash while you sip some coffee and do some forensic reading.

1. If you haven't watched/listened to it already, we had a pretty great Forensic Lunch yesterday; you can watch it here: http://www.youtube.com/watch?v=UG8ZZM7S5nk. This week we talked about HTML5 offline caching in Gmail with Blazer Catzen, the life of an internal corporate forensics person with Brandon Foley, Shadow Kit with David Dym, and updates to some OSX forensics and the Triforce. Give it a watch, and next week you can watch us live and participate here: Google+ Event.

2. Speaking of Blazer Catzen, he had a great presentation at Techno Forensics on file system tunneling. He said we could upload and share the slides from his presentation, and you can download them here: click here for the zip of the presentation and reference spreadsheets.

3. In the Forensic Lunch I talked about an article from a couple of years ago describing the offline Gmail storage we were discussing and the risks to the user; you can read it here: http://geeknizer.com/pros-cons-of-html-5-local-database-storage-and-future-of-web-apps/

4. I'm a big fan of WinFE, and over on the WinFE blog they had a good write-up on getting WinFE to build with Autopsy 3. If you are looking for a free and open source portable toolkit that's still Windows based, read about how to get it all together: http://winfe.wordpress.com/2013/07/15/more-on-winfe-and-autopsy/.

5. We talked about Shadow Kit this week, so here's a link to read more about it and grab a copy: http://redrocktx.blogspot.com/p/shadowkit.html. You should then read this post, http://redrocktx.blogspot.com/2012/04/shadowkit-working-with-disk-images.html, which is a great write-up on how to get your forensic image into VHD format so Windows will treat it as a physical local device rather than as a network attached device, as it does with FTK Imager and other mounting techniques.

6. If you are working with Windows 8 or Windows Server 2012, then you'll be happy to read the latest SANS blog entry by Chad Tilbury pointing out which tools now support their memory structures; you can read it here: http://computer-forensics.sans.org/blog/2013/07/30/windows-8-server-2012-memory-forensics.

7. A new blog I found, which was just updated this week, is from French expert Zythom. He has a humorous yet factual write-up of a case he worked on and his process and approach: http://zythom-en.blogspot.com/2013/07/filling-up-on-pr0n.html.

That's what I have for you this week. Have an article or blog that you think I'm missing? Leave a comment and leave a link; I'm always trying to learn more and find more researchers who are sharing their data.