Saturday, November 23, 2013

Daily Blog #153: Saturday Reading 11/23/13

Hello Reader,
           It's Saturday! I had a bit too much fun playing the heartstone beta last night so I didn't post this the night before like I usually do, no reason not to share good links though!

1. Forensic Lunch went down yesterday! We had Mari DeGrazia on to talk about her research into SQLite deleted data recovery and Eric Zimmerman talking about being the first Xways Xpert and OsTriage v2. Watch it here http://hackingexposedcomputerforensicsblog.blogspot.com/2013/11/daily-blog-152-forensic-lunch-112213.html.

2. Yogesh Khatri has been putting up some good blog posts this week in regards to changes in USB device forensic in Windows 8. He's done this in two posts this week, the first is on new registry entries from USB device removal with timestamps, http://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html very cool! The second is talking about which event logs are not being created on USB device insertion and removal http://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html. This is great stuff and hopefully he'll keep going!

3. In an interesting civil case over on the CYB3RCRIM3 blog a unhappy consumer sued best buy an represented himself, http://cyb3rcrim3.blogspot.com/2013/11/the-laptop-malware-and-consumer-sales.html. This case is interesting to me because claims revolved around not just the typical warranty issues but also the malware/spyware found on his computer. Good reading for anyone buying computers and warranties from a retailer.

4. On forensic focus there is a new article up on new metadata found in OSX Mavericks, read it here http://articles.forensicfocus.com/2013/11/13/os-x-mavericks-metadata/. The article goes into two different types of new metadata found in OSX Mavericks, email attachments saved to disk and file tagging.

5. Harlan has a new post up on using the 'sniper forensics' methodology of examination to quickly find malware and reduce analysis time. He then goes into working with Volatility and his steps taken in using it for memory analysis. A good read you can see here http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html.

6. If you are doing forensics on OSX systems your going to run into virtual machines as most users run their Windows apps in Parallels of Fusion. This can be a pain as you want a forensic image to work with in most of your tools. This article on appleexaminer goes through how to convert these images to raw/dd images using qemu http://www.appleexaminer.com/MacsAndOS/Analysis/VirtDiskConv/VirtDiskConv.html.

7. Dealing with dropbox on Windows XP and want to decrypt more of the databases? Magnet forensics has updated their tool to now work against any Dropbox database and its free! http://www.magnetforensics.com/decrypting-the-config-dbx-file/

8. Forensic Femmes has a good interview with Sk3tchmoose aka Melissa Augustine about her work in DFIR http://christammiller.com/2013/11/19/forensic-femmes-4-melissa-augustine/

9. The Volatility guys put up some more training dates, http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensics.html, this is a class I'd like to take in the future!

That's all for this week, lots of good stuff out there. Sunday Funday is coming up shortly after!