Saturday, December 21, 2013

Daily Blog #181: Saturday Reading 12/21/13

Hello Reader,
It's Saturday! I'm going to be spending the day using my smoker and reading Windows Internals Part 1 while my kids play. For you, though, I have more links to make you think as we get into this week's Saturday Reading.

1. Forensic Lunch is always #1 on my list! This week we had Rob Lee, @robtlee http://computer-forensics.sans.org/, talking about the new SANS FOR 408 class and the interesting journey into Windows 8 forensics. This included some really interesting discussions about artifacts being created across synced devices! Mari DeGrazia, @maridegrazia http://az4n6.blogspot.com/, talked about her research into Google Analytics cookies. This included a demo of her tool and its output. It allows you to recover much more information if you're trying to discover not only whether a website was visited but at what times and to what extent. Lastly, Matthew and I talked about detecting files created by alternative NTFS drivers, such as ntfs-3g, using artifacts within the $MFT only!

Watch it here: http://www.youtube.com/watch?v=PZBjams_abg

2. Kevin Stokes from my lab put up a series of two articles on Dropbox analysis using the journals. Part 1 is here http://metadatum.me/2013/12/15/dropbox-ntfs-journal-artifacts/ and Part 2 is here http://metadatum.me/2013/12/18/dropbox-ntfs-journal-artifacts-part-2/. This is an interesting low-level look at how Dropbox interacts with the file system when creating, uploading and deleting files.

3. Harlan has two blog posts up this week. The first is a pretty large update post that covers topics from Windows 8 artifacts to shellbags to shell items research updates and links. You should read it here http://windowsir.blogspot.com/2013/12/updates.html. The second post http://windowsir.blogspot.com/2013/12/shellbags.html goes into why testing and understanding our artifacts is so important.

4. Yogesh Khatri has an update to his Amcache research, http://www.swiftforensics.com/2013/12/amcachehve-part-2.html. If you are going to be looking at a Windows 8 system in the near future you need to read this.

5. Frank McClain has a fun two-parter up on his blog about a piece of malware he tracked down and examined. Part 1 goes into the initial detection here http://forensicaliente.blogspot.com/2013/12/whats-hash-got-to-do-with-it.html and part 2 goes into his analysis of what it was doing http://forensicaliente.blogspot.com/2013/12/whats-hash-got-to-do-with-it-part-2.html.

6. Andrew DiMino's blog Semper Securus has a nice walkthrough showing his analysis of an attack on his honeypot and what the attacker set up. A nice read walking through a Linux compromise, which you don't see much of. Also it involves Perl so I had to link it http://sempersecurus.blogspot.com/2013/12/a-forensic-overview-of-linux-perlbot.html

7. On the sysforensics blog there is a nice write-up on creating an 'NSRL server' http://sysforensics.org/2013/12/build-your-own-nsrl-server.html. NSRL stands for National Software Reference Library and is an invaluable resource for eliminating files by hash when they are known to be part of the operating system or application install set. The more non-user-generated data you can eliminate, the better you can focus on what's important. More importantly, you can now download the NSRL hash sets instead of waiting for DVDs in the mail!

8. Over on the handler diaries there is a neat post walking through how to extract a process from memory and analyze it with Volatility to understand what it's up to http://blog.handlerdiaries.com/?p=205. The point of the blog is to help you understand a program's capabilities, execution and output so you can determine what to do next.

That's all for this week, make sure to come back tomorrow for Sunday Funday!