Saturday, September 7, 2013

Daily Blog #76: Saturday Reading 9/7/13

Hello Reader,
Another week of forensics down, let's get down to some interesting reading. I have a redeye right now, coffee and espresso, so I'm ready to focus.

1. Yesterday we had another Forensic Lunch, http://www.youtube.com/watch?v=BI4EDyD2osE. Eric Zimmerman, Phil Hagen, Lee Whitfield and our good folks in the lab at G-C had a great hour of discussion. We talked about Phil's new SANS network forensics class, Eric's forensic imaging speed and performance testing and HFS+ journaling, among other topics. Watch the recording and make plans to watch live next week at noon CST!

2. An interesting article over at the 'e-Discovery team' blog, http://e-discoveryteam.com/2013/09/01/poor-plaintiffs-counsel-cant-even-find-a-car-much-less-drive-one/, about an attorney whose excuse for not producing electronic data in a lawsuit was that he couldn't find an affordable provider. The judge in this case did not agree that the inability to find a reasonably priced vendor was a good excuse for not producing data.

3. Over on Forensic Focus Brian Carrier wrote up a nice article on Autopsy 3, http://articles.forensicfocus.com/2013/08/29/autopsy-3-windows-based-easy-to-use-and-free/. If you haven't been following Autopsy's development, it has evolved from a web front end to a full native GUI application that runs on Windows and supports Hadoop for scalability. As our current forensic vendors balance the needs of the DFIR community against the market demands of compliance and e-discovery, it's good to see a FOSS solution keeping up the pressure.

4. On the SANS forensics blog there is a great writeup on PowerShell remoting, http://computer-forensics.sans.org/blog/2013/09/03/the-power-of-powershell-remoting. For those who haven't made use of this feature, you can take the power of PowerShell and use it to query thousands of remote systems on the same domain and bring all the data back to a central system. It's like having a built-in IR agent across your infrastructure without the costs, management or arguments with IT about gold image conflicts.
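To show what that looks like in practice, here is an added example of my own (not code from the SANS post) that fans a process-listing query out over a set of hosts with Invoke-Command, writes everything back to one CSV on the analyst's box, and then stacks the results by executable path so you can spot binaries that only show up on a single machine. It assumes PS remoting is already enabled on the targets, that you are running it as an account with local admin rights on them, and the host names are constructed placeholders.

```powershell
# Added example: fleet-wide triage with PowerShell remoting.
# Assumes WinRM/PS remoting is enabled on the targets and the current
# account is a local administrator there. Host names are constructed
# placeholders; replace them with a list from AD or your CMDB.
$targets = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02', 'SRV-EXAMPLE-01')
$outFile = Join-Path $PWD ("triage-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

# The script block runs on each remote host. Win32_Process gives us the
# process tree plus full command lines in a single call.
$collect = {
    $collectedAt = Get-Date
    Get-CimInstance -ClassName Win32_Process |
        Select-Object -Property @{Name = 'CollectedAt'; Expression = { $collectedAt }},
                                ProcessId, ParentProcessId, Name,
                                ExecutablePath, CommandLine,
                                @{Name = 'Created'; Expression = { $_.CreationDate }}
}

# Fan out in parallel (ThrottleLimit controls concurrency). Unreachable hosts
# are reported rather than aborting the whole run. Invoke-Command stamps every
# returned object with PSComputerName, which is what lets us tie rows to hosts.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $collect `
                          -ThrottleLimit 32 -ErrorAction SilentlyContinue

$reached     = @($results.PSComputerName | Sort-Object -Unique)
$unreachable = @($targets | Where-Object { $_ -notin $reached })
if ($unreachable.Count -gt 0) {
    Write-Warning ("No results from {0} host(s): {1}" -f $unreachable.Count, ($unreachable -join ', '))
}

# Central copy of the raw data for later review / timeline work.
$results |
    Select-Object PSComputerName, CollectedAt, ProcessId, ParentProcessId,
                  Name, ExecutablePath, CommandLine, Created |
    Export-Csv -Path $outFile -NoTypeInformation
Write-Host ("Wrote {0} process records from {1} host(s) to {2}" -f @($results).Count, $reached.Count, $outFile)

# Frequency-of-occurrence view: on a fleet built from one gold image, an
# executable path present on only one host is worth a second look.
$results |
    Where-Object { $_.ExecutablePath } |
    Group-Object -Property ExecutablePath |
    ForEach-Object {
        $hosts = @($_.Group.PSComputerName | Sort-Object -Unique)
        [pscustomobject]@{
            ExecutablePath = $_.Name
            HostCount      = $hosts.Count
            Hosts          = ($hosts -join ';')
        }
    } |
    Where-Object { $_.HostCount -eq 1 } |
    Sort-Object ExecutablePath |
    Format-Table -AutoSize
```

Swap the script block for whatever artifact you are after (services, scheduled tasks, autoruns, a registry key) and the rest of the pipeline stays the same; the PSComputerName stamp and the CSV are what turn a one-off query into something you can diff against next week's run.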

5. Harlan has a new blog up on the benefits of understanding data structures, http://windowsir.blogspot.com/2013/09/data-structures-revisited.html. Harlan walks through a test he did of a well known artifact, IE History, and how his tests and validation allowed him to find deleted records within the structure that he would have missed otherwise.

6. Corey has a new blog up over on JIIR, http://journeyintoir.blogspot.com/2013/09/my-journey-into-academia.html. It's a nice write up explaining his decision on writing a DFIR course for academia instead of writing a training course.

7. The Obsidian Forensics blog has an interesting write up on detecting clock changes with cookies, http://www.obsidianforensics.com/blog/detecting-clock-changes-using-cookies/. Anytime you can find anti-forensics activity it's like a light shining down on an interesting time period of what your custodian is trying to hide.

Tomorrow is Sunday Funday so get ready!