Friday, August 23, 2013

Daily Blog #62: Saturday Reading 8/24/13

Hello Reader,
It's Saturday? How did that happen? Time for another Saturday Reading. I've been trying to expand my reading list to find more DFIR-related blogs and websites to bring you good content every Saturday. What I've noticed is that most of the old blogs I was following have fallen silent. If you know of a good current DFIR blog, let me know in the comments; I'm always looking to learn. Let's get to today's reading.

1. Over on the e-Discovery Team blog they've published an easy-to-read version of the upcoming proposed FRCP changes. For those not familiar, FRCP is the Federal Rules of Civil Procedure, which lay out the rules for how civil courts operate. The last major change came in 2010, I believe, when communications and drafts between experts and lawyers became work product. If you are a current or aspiring expert witness you should make sure to keep up with the changes, http://e-discoveryteam.com/2013/08/16/proposed-amendments-to-the-rules-the-easy-to-read-e-discovery-only-version/

2. Forensic Focus has been getting some good articles posted lately from a variety of sources. I thought this article, http://www.forensicfocus.com/News/article/sid=2085/, was quite good. It covers recovering data from damaged mobile phones. While chip-off is a well-known technique, it's not often that someone writes a publicly accessible primer on how to do it.

3. In cases that will likely show up in your future news, Sharon Nelson has a short write-up on the upcoming legal battles expected now that Bitcoin officially will be regulated. http://ridethelightning.senseient.com/2013/08/court-rules-that-sec-has-authority-to-regulate-bitcoin-investments.html

4. When we were doing some Mac research I got linked to this blog by Mari DeGrazia and her research into MS Office plists, http://az4n6.blogspot.com/2013/08/ms-office-recent-docs-plist-parser.html. It's a great write-up showing how she broke down the plists and found timestamps and other embedded data. I extended her concepts into some other plists and found more timestamps there as well.

5. I thought this was interesting and not something I had heard of before. Jason Hale has an interesting write-up on extracting not which user last saved an Excel spreadsheet but which user last opened it! http://dfstream.blogspot.com/2013/07/ms-excel-and-biff-metadata-last-opened.html Very cool stuff.

6. Open source hardware is something that I think is pretty interesting. This project shows you how to create an open source write blocker and drive imager, http://digitalfire.ucd.ie/?page_id=1011. So if you are feeling handy this looks like a fun weekend project.

7. I'm very tempted to go to the Open Source Digital Forensics conference, http://www.basistech.com/about-us/events/open-source-forensics-conference/. It's the one conference I'm considering attending this year that I'm not speaking at!

8. We had another Forensic Lunch! You can watch the latest episode here, http://www.youtube.com/watch?v=kOBW2R4N2HA

Well, that's what I have for you today. Hopefully we will figure out our audio issues for the additional 2 mics in the Forensic Lunch for next week's show. Tomorrow is Sunday Funday, so make some time for some Windows Forensic Fun!