Friday, December 13, 2013

Daily Blog #174: Saturday Reading 12/14/13

Hello Reader,
              It's Saturday! Time for another set of links to make you think. The ice is melting in Dallas and I'm looking forward to a cold winter so I'll have an excuse to stay inside and read.

1. We had a great Forensic Lunch this week! We had Yogesh Kahtri talking about his Windows 8 registry forensics research , Dan Pullega talking about his extensive research into Windows Shellbags, David Dym talking about his new tool MetaDiver, and Matthew and myself talking about v3 of ANJP and demoing the auto detection of CD Burning. You can watch it here: https://www.youtube.com/watch?v=XNui5Rrz7-s

2. Willi Ballenthin has put up his slides on MFT analysis for responders, http://www.williballenthin.com/blog/2013/12/13/mft-analysis-presentation/. I like Willi's work a lot so you should know its full of good material.

3. Over on the hexacorn blog there is a cool bit of analysis written up on detecting what libraries were loaded by a visual basic application, http://www.hexacorn.com/blog/2013/12/11/some-forensic-artifacts-are-just-like-this-sometimes-visual-often-basic-and-on-occassion-iconic/. This is great for those of you doing IR as VB apps are in the attackers toolkit of most of the bad guys out there.

4. There is a new article up on forensic focus regarding recovering purged records from Skype databases and SQLite, http://articles.forensicfocus.com/2013/11/26/extracting-evidence-from-destroyed-skype-logs-and-cleared-sqlite-databases/, how cool is that. The author uses a number of tools to test which can carve SQLite records from unallocated space to recover skype history. Great reading.

5. What's that? Two articles on he hexacorn blog in one week? It must be close to Christmas time. This post focuses on a really cool topic, using the names of unused dlls to load into memory with valid processes. The basic idea is that there are some dll's that no longer exist but will still be loaded if you place a dll with the same name in the right directory, give it a read: http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

6.  Dealing with a UEFI system and want to boot from Linux? Read this http://ilostmynotes.blogspot.com/2013/12/windows-8-and-ubuntu-1304-with.html and see what his solution was. If you can get it working it can get your Linux boot cds working again.

7. This wasn't put up this week but I thought after meeting Carlos that I should make sure more people are aware of it. Carlos has a great blog up on how to boot from a write blocked drive in Linux with an overlay file for changes using all FOSS software, http://www.epyxforensics.com/node/50. Before his post I only knew of commercial solutions so this is great stuff.

8. Jimmy Weg has a good blog up if your trying to boot a suspects Win8 image up in a VM and don't know his password, http://justaskweg.com/?p=1434. Following Jimmy's methods will get a working password readded to the account and you logged in.

9. Jack has a new blog up on the Handler Diaries which is a blog I like to read but need to put in to my feedly so I see his newest posts. http://blog.handlerdiaries.com/?p=177 In this post Jack goes into his approach for hunting evil and taking a proactive approach to finding unknown malware.

That's all for this week, make sure to come back for tomorrow's Windows 8.1 themed Sunday Funday!