Friday, September 27, 2013

Daily Blog #97: Saturday Reading 9/28/13

Hello Reader,
          It's Saturday! It's been a great week in the lab over at G-C, with lots of good research and good cases keeping us going. This week I have another pile of good links for you to read over a hopefully uneventful weekend, covering lots of good stuff that happened this week.

1. We had another Forensic Lunch this week with Harlan Carvey, Zoltan Szabo and Jake Williams joining us in the lab for a great hour of discussion. We covered shell items, the Richland College digital forensics program, the updated FOR 610 and more on OS X 10.8's Document Revision functionality to recover wiped files. You can watch it here, and remember to make time to watch it live next week so you can ask your questions.

2. Windows 8 is slowly being adopted, and with research coming out on new forensic artifacts being found, I'm waiting for my next Windows 8 system to come into the lab. This blog post written by Jared Atkinson from the Invoke IR blog has a fascinating write-up on new data being found in Windows 8 prefetch files; read it here: http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html

3. On Monday Lenny Zeltser is having a webcast introducing how to do behavioral analysis of malware, https://www.sans.org/webcasts/introduction-behavioral-analysis-malicious-software-97180. I'm planning on tuning in myself.

4. Over on Eric Huber's blog 'A Fistful of Dongles' he has part 2 of his critique of the current state of academia in relation to digital forensics, http://www.ericjhuber.com/2013/09/ever-get-feeling-youve-been-cheated.html. It's a good read and part of why I stay involved with the Richland College program.

5. Mark Spencer over at Arsenal Recon has released his own image mounting tool under a dual license over on GitHub, https://github.com/ArsenalRecon/Arsenal-Image-Mounter. Now you may wonder why this is something of note when you could be using FTK Imager or another image mounting program. The reason to be excited is that Mark has figured out how to get the mounted image to show up as a physical disk rather than a network mount. This means that tools like vssadmin and others that require a physical disk will finally work right without having to convert the image to a VHD!

6. Following up on our Forensic Lunch talk with Harlan Carvey about shell items, check out this write-up on Harlan's blog, http://windowsir.blogspot.com/2013/09/artifacts.html, where he goes into further detail on the format and why MFT reference numbers appear there now.

7. Over on Corey's Journey Into Incident Response blog he has a great write-up on triaging malware incidents, http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html. It's a great read if you are trying to get your process together and want to learn from Corey, who clearly has done the work.

8. On the SketchyMoose blog there is a good write-up, http://sketchymoose.blogspot.com/2013/09/total-recall-script-released.html, on a script for parsing memory dumps for known items of interest. The script is extensible, so you can change it to fit your needs as well.

That's all for this Saturday, it was a good week in DFIR! Tomorrow is Sunday Funday so get ready!