Friday, September 20, 2013

Daily Blog #90: Saturday Reading 9/21/13

Hello Reader,
Another week has ended, and for those of us not in the lab this weekend or onsite responding to some rude ruffian ruining an otherwise ideal weekend, it's time to give yourself a coffee break and get some forensic reading done.

1. If it's the first item on my Saturday Reading list it must be this week's Forensic Lunch; you can watch this week's show here: http://www.youtube.com/watch?v=e4EjVftQ56o. I think this week's show was pretty great as it involved three guests, Blazer Catzen, Jonathan Tomczak and Suzanne Widup, talking for the majority of the hour instead of me! Topics this week included the Verizon VERIS database project, MFT reference numbers in jump lists, LNK files and shellbags with TZWorks, and HTML5 offline artifacts.

2. If you do forensics on iPhones, Linux Sleuthing has a pretty great writeup this week on how he got a semi-functional device into DFU mode and then back to normal using a couple of different packages: http://linuxsleuthing.blogspot.com/2013/09/iphone-recovering-from-recovery.html.

3. If you are triaging for malware then Corey Harrell's blog post this week is going to help: http://journeyintoir.blogspot.com/2013/09/tr3secure-data-collection-script.html. His updated tr3secure script will grab all of the most common artifacts, both volatile and non-volatile, from a system to help you get to the facts faster.

4. The last person I saw actively blogging about GPS device forensics was Forensics from the Sausage Factory, but it looks like the fork() blog has taken up the mantle; to see the current state of his very thorough testing, read here: http://forensicsblog.org/research-gps-device-analysis/

5. Curious about what happens in the clean rooms at drive recovery shops? Watch this video by Scott Moulton where he films the whole process: https://www.youtube.com/watch?feature=player_embedded&v=g3Dqld3PLNY

6. Hexacorn is always a good read; he really knows his stuff. He's currently running a series on going beyond the normal malware persistence locations, http://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/, and it is worth your time to read.

7. Jimmy Weg has put up a nice tutorial on what you need to know when mounting your forensic images as physical disks to get them to boot in VMware 10: http://justaskweg.com/?p=1355.

That's all I have for this week. Did I leave off your blog or article? Let me know! I am always looking for more reading material to learn more and share more. Tomorrow it's going to be another Sunday Funday with our most popular prize back up for grabs, a 4TB external hard drive.

Get Ready!