Friday, August 9, 2013

Daily Blog #48: Saturday Reading 8/10/13

Hello Reader,
            It's Saturday! Hooray! The week is over and fedex pickup ends earlier today meaning you either have extra time in the lab or a some time at home. Either way, get some coffee and lets get our forensic reading going.

1. Joachim Metz has updated his volume shadow specification paper, not this week bu recently enough that I didn't read it until this week. If you are at all curious about how the volume shadow service data structures are stored then read this for what I believe to be the most detailed guide outside of whatever internal team at Microsoft developed it. In addition if you care more about the usage of volume shadow copies in your analysis and the existence of unallocated space in VSC's you should read this paper he presented which will answer questions you didn't even know you had.

2. Did you read yesterday's blog? No? Oh well we had another Forensic Lunch with David Nides, Kyle Maxwell, Joseph Shaw and the fine fellows I work with at G-C Partners. Tune in and keep up with what I think was a great hour of forensic discussion.

3. Andrea London has posted the slides for her talk at DefCon http://www.strozfriedberg.com/wp-content/uploads/2013/08/DefCon-2013.pdf tilted 'The Evidence Self Destructing Message Apps Leave Behind'. Her talk covers a wider base of these applications than I've seen covered before and it's a good read as she and Kyle O'Meara go deep into the file system internals and network traffic exchanged.

4. Lenny Zeltser posted a nice retrospective of how teaching Malware Analysis has grown, http://blog.zeltser.com/post/57795714681/teaching-malware-analysis-and-the-expanding-corpus-of. It's a nice short read and reinforced the idea that his advice remains the same 10 years later:
  • Too many variables to research without assistance
  • Ask colleagues, search Web sites, mailing lists, virus databases
  • Share your findings via personal Web sites, incidents and malware mailing lists

5. If you are doing USB device forensics and have a Windows 8 system that Woanware's USB Device Forensics application does not support yet then check out TzWork's USB Storage Parser. So far its the only tool that I have that take the multiple Windows 8 USB artifacts and combines them to a single report of activity.

6. Hal Pomeranz put out a new Command Line Kung Fu entry this week, http://blog.commandlinekungfu.com/2013/08/episode-169-move-me-maybe.html, always a good read.

7.  On an earlier Forensic Lunch you may have heard Rob Fuller talk about anti-forensic hard drive custom firmwares. Going more into that topic here is a great article about Hard Drive hacking and showing how these firmware changes are researched, implemented and performed. If you are dealing with an advanced subject you might want to be aware of these new possibilities! http://spritesmods.com/?art=hddhack

8. In this week Forensic Lunch we talked about parsing carved binary plists. For those of you looking to implement your own parsers or just try to understand the format better here are two sources. The first is the OSX code for binary plists, http://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c, and a great write up on plist forensics by CCL http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf.

That's all I have for this Saturday Reading. I hope these links are enough to get you through your day. Tomorrow is Sunday Funday and I have yet another challenge waiting for you to solve. This week we will have 'winners choice' where the winner can pick from a free ticket to PFIC or a year license to AccessData's Triage tool!