Friday, December 6, 2013

Daily Blog #167: Saturday Reading 12/7/13

Hello Reader,
            It's Saturday! It's really cold here, so I would advise that you make a fresh pot of coffee and get a warm blanket; it's time for links to make you think!

1. We had a great forensic lunch this week! Robert Haist, Amber Schroader and Joakim Schicht joined us. Robert talked about his ongoing research into recovering cmd.exe sessions with page_brute.py analysis of the pagefile, Amber talked about Device Seizure 6.5 and the challenges of mobile forensics, and Joakim talked to us about the development of setmace and his development story. You can watch it here: https://www.youtube.com/watch?v=S5xP4ALhqSU

2. Speaking of Robert Haist's research, you can follow the work he talked about on the forensic lunch this week on his blog here: http://blog.roberthaist.com/2013/12/restoring-windows-cmd-sessions-from-pagefile-sys-2/

3. Are you utilizing shellbags in your forensic analysis? You should be! You should also read this very well written blog by Dan Pullega on his extensive testing of shellbags. If you need to explain how and why timestamps get set on shellbags, you need to read this post: http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

4. Harlan has a new blog up this week with his own news and links: http://windowsir.blogspot.com/2013/12/links-and-news.html. Since I focus mainly on deadbox forensics, you should take the time to check out his view of the world.

5. Corey Harrell has a new post up this week that I found fascinating. He covers a new artifact, the 'recentfilecache.bcf' file, that records which programs were executed in the last day on a Windows 7 system. Give it a read: http://journeyintoir.blogspot.com/2013/12/revealing-recentfilecachebcf-file.html

6. If you liked Corey's research and are looking into Windows 8 systems, then you need to read Yogesh Khatri's blog post on the new Windows 8 artifact 'amcache': http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html. This amazing artifact is even recording the SHA1 hashes of executables run on the local system!

7. Speaking of shellbag forensics, Chad Waibel finished his research project at Champlain College on shellbags; read it here: http://chadwaibelforensics.blogspot.com/2013/12/final-summary.html. Chad focused on a different side of shellbags: in what instances they are created and where. Reading this and Dan's post should really get you up to speed!

8. Jake Williams has a new blog up on memory image file formats, http://malwarejake.blogspot.com/2013/12/memory-image-file-formats.html, covering all the different formats we deal with today.

9. Let's end this Saturday with something fun: SANS has a memory challenge up for you to try out at https://www.surveymonkey.com/s/JQ9QFHP. The winner will get a free simulcast viewing of a training class at DFIRCON; no matter which SANS class you pick to attend remotely, that's a very big prize.

Tomorrow is Sunday Funday, so get ready!