Saturday, October 19, 2013

Daily Blog #118 Saturday Reading 10/19/13

Hello Reader,
       It's Saturday and time for another set of links to make you think. I am actually writing this on Friday this week, so there may be some links that won't make it until next week.

1. This week we had a bit of a last minute forensic lunch, so it's just Matthew and me this week. We talked about Perl development, TSK for Perl, developing a research and testing plan and more: http://www.youtube.com/watch?v=pSU4LI54ZtY

2. Didier Stevens has released another updated tool, http://blog.didierstevens.com/2013/10/14/update-xorsearch-version-1-9-1/, that searches a file or binary for a known string that has been XOR encoded: keys shorter than 32 bits are brute forced, while 32-bit keys are tried from a known-key dictionary. Why is this useful outside of malware reversing? Think of how many artifacts we have found that end up being XOR encoded. Using a known word, such as a website name or a document name, you can search strange files to see whether an application has XOR encoded its stored history in the name of privacy.
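To make the "search for a known word under XOR" idea concrete, here is an added Python example; it is not XORSearch's own code and does not reproduce its options. Given a known plaintext such as a URL, it (a) brute forces every 1-byte key, (b) tries a supplied list of candidate multi-byte keys in every key alignment, and (c) goes one step beyond the tool description above by deriving an unknown multi-byte key directly from the known plaintext. The sample buffer, the URL, the keys and all function names are constructed for this example.

```python
"""Find a known word hidden under XOR encoding in an artifact file.

Added example (not XORSearch's code). Everything below, including the
sample buffer and keys, is constructed for illustration.
"""


def xor_with_key(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """Repeating-key XOR. `phase` says which key byte lines up with data[0]."""
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(data))


def search_single_byte_keys(data: bytes, needle: bytes) -> list:
    """Brute force all 256 one-byte keys.

    Returns [(offset, key)]; key 0 means the needle is present in plaintext.
    Encoding the short needle once per key is cheaper than decoding the file.
    """
    hits = []
    for key in range(256):
        encoded = bytes(b ^ key for b in needle)
        start = 0
        while (pos := data.find(encoded, start)) != -1:
            hits.append((pos, key))
            start = pos + 1
    return hits


def search_candidate_keys(data: bytes, needle: bytes, keys) -> list:
    """Try each candidate multi-byte key (e.g. a 32-bit key list).

    The key's alignment relative to the start of the file is unknown, so every
    rotation of the key is tried. Returns [(offset, key, phase)].
    """
    hits = []
    for key in keys:
        for phase in range(len(key)):
            decoded = xor_with_key(data, key, phase)
            start = 0
            while (pos := decoded.find(needle, start)) != -1:
                hits.append((pos, key, phase))
                start = pos + 1
    return hits


def derive_keys(data: bytes, needle: bytes, key_len: int) -> list:
    """Known-plaintext attack for an unknown key of length key_len.

    At every offset, assume the needle starts there, derive the key from the
    first key_len bytes, then require the rest of the needle to decode too.
    The needle must be at least 2*key_len long or every offset would "match".
    The returned key is aligned to the match offset, i.e. a rotation of the
    key as applied from file offset 0. Returns [(offset, key)].
    """
    if len(needle) < 2 * key_len:
        raise ValueError("needle too short to confirm a key of this length")
    hits = []
    for pos in range(len(data) - len(needle) + 1):
        window = data[pos:pos + len(needle)]
        key = bytes(w ^ p for w, p in zip(window[:key_len], needle[:key_len]))
        if xor_with_key(window, key) == needle:
            hits.append((pos, key))
    return hits


# Constructed sample "history file": filler plus two XOR-encoded copies of a
# known URL, one under a 1-byte key (0x5A) and one under a 4-byte key applied
# at an arbitrary alignment. Offsets: first copy at 16, second at 49.
NEEDLE = b"http://www.forensickb.com"
FOUR_BYTE_KEY = b"\x13\x37\xca\xfe"
SAMPLE = (
    b"\x00" * 16
    + bytes(b ^ 0x5A for b in NEEDLE)
    + b"\x00" * 8
    + xor_with_key(NEEDLE, FOUR_BYTE_KEY, phase=3)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for pos, key in search_single_byte_keys(SAMPLE, NEEDLE):
        print(f"1-byte key 0x{key:02x} at offset {pos}")
    for pos, key, phase in search_candidate_keys(SAMPLE, NEEDLE, [FOUR_BYTE_KEY]):
        print(f"candidate key {key.hex()} (phase {phase}) at offset {pos}")
    for pos, key in derive_keys(SAMPLE, NEEDLE, 4):
        print(f"derived 4-byte key {key.hex()} at offset {pos}")
```

The derivation in `derive_keys` is the part worth remembering: if the word you are looking for is at least twice as long as the key, you do not need a key dictionary at all, and a 1-byte key shows up as the same byte repeated. On a real artifact, run the search with several known words (a site the user visited, a document name) to rule out chance matches.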

3. Looking to make forensic test images but don't have the time to do it manually? There is a great article over on Forensic Focus, http://articles.forensicfocus.com/2013/10/18/forge-computer-forensic-test-image-generator/, detailing a new tool called ForGe, developed by Hannu Visti, that automates the creation of forensic test images. The tool isn't perfect yet, as it is really meant to manipulate single files around a forensic image, but it can certainly create some interesting scenarios and provide some great challenges. I'll have to try it one Sunday!

4. Lance Mueller has put up a really cool EnScript that takes the hashes created within EnCase, looks them up on VirusTotal, and creates a bookmark for those that return a detection score: http://www.forensickb.com/2013/10/vtbookmark.html This could help many of you when trying to quickly triage a system for known malware without having to work with extracted data and risk infection.

5. There is a great webinar scheduled for Oct 24th by Alissa Torres on the SANS site, an introduction to the different tools in use in the industry for creating dumps of physical memory: https://www.sans.org/webcasts/dumping-dark-gaining-insight-memory-acquisition-tools-techniques-97260 SANS is no longer requiring Java, so there aren't many reasons not to give it a watch.

6. Want a more portable version of WinFE? Check out this nice video tutorial on Mini-WinFE: https://www.youtube.com/watch?feature=player_embedded&v=IJ3OBTysVbI

Thanks for stopping by, make sure to come back for tomorrow's Sunday Funday!