Saturday, October 12, 2013

Daily Blog #111 Saturday Reading 10/12/13

Hello Reader,
It's Saturday and time for another set of links that make you think about forensics. I'm making my plans for PFIC and hope to see you there as well, hoping for early snow! Here are this week's links:

1. Yesterday we had part 2 of our IR roundtable on the forensic lunch; you can watch it here: http://www.youtube.com/watch?v=1_hbziV-1g8. Darren Windham, Joseph Shaw, Kyle Maxwell and James Lohman join us to talk about how they handle escalating IR scenarios of threat and their advice to new practitioners.

2. Didier Stevens has a good blog up on finding out if a file is contained within another: http://blog.didierstevens.com/2013/10/07/finding-contained-files/. It's an interesting read, and as our suspects get more sophisticated in IP theft and malware continues to grow, we will need to analyze more and more.

3. If you work on litigation supporting either party, this is an interesting write up on parties being required to disclose where and how they searched for the documents they produced: http://e-discoveryteam.com/2013/10/06/party-ordered-to-disclose-where-and-how-it-searched-for-esi-you-can-expect-this-kind-of-order-to-become-commonplace/. As case law grows behind this precedent, combined with the upcoming proposed federal rule changes requiring relevancy, we may see more transparency in the discovery process.

4. David Kovar posted the slides from his talk at the SANS DFIR Summit in Prague, http://integriography.wordpress.com/2013/10/06/sans-dfir-summit-prague-blue-team-perspectives-slides/, where he sums up the life of a responder within an enterprise and how to understand the business perspective.

5. Over on Harlan Carvey's blog he has a good writeup on his shell item research that we talked about on the forensic lunch: http://windowsir.blogspot.com/2013/10/shell-item-artifacts-reloaded.html. Harlan goes into good detail on surprising locations where we find shell items and how they can expand and aid your analysis.

6. Chad Waibel has updated his blog with his first update to his Shellbag research. If you are at all interested in how shell bags are created, the timing and the events behind them, keep up with Chad: http://chadwaibelforensics.blogspot.com/2013/09/first-update.html

7. Corey Harrell has a new blog up providing links to free training resources for infosec and IT training: http://journeyintoir.blogspot.com/2013/10/linkz-4-free-infosec-and-it-training.html. If you are looking to expand your knowledge, it's hard to beat free!

That's all for today; get ready for tomorrow's Sunday Funday!