Saturday, January 4, 2014

Daily Blog #195: Saturday Reading 1/4/14

Hello Reader,
       It's the first Saturday of the new year, so let's get our reading started off right! It's time for more links to make you think in this week's Saturday Reading.

1. The forensic lunch was pretty great this week, we had:
  • Sean Conover from Sony Online Entertainment talking about his work doing memory analysis and forensics to stop game cheats. Follow him at https://twitter.com/seanconover
  • Nicole Ibrahim, now from G-C Partners, talking about her research into USB storage drivers including MSC, MTP and PTP. You can read Nicole's Blog here: http://nicoleibrahim.com/
  • Lee Whitfield, from Digital Discovery, talking about the Forensic 4cast Awards, which are now available for 2014 nominations! You can nominate someone here: http://forensic4cast.com/2014/01/4cast-awards-2014-nominations
It was a great show and you can watch it here: https://www.youtube.com/watch?v=_I5EI5aCvRE

2.  Brian Baskin has a nice overview of his 2013 along with links to challenges he's attempted and tools he's developed on his Ghetto Forensics blog. http://www.ghettoforensics.com/2014/01/a-ghettoforensics-look-back-on-2013.html. I like these looking back and looking forward blog entries as it helps you find things you may not be thinking of.

3. This is an interesting read by Ross Anderson on the Light Blue Touchpaper blog, http://www.lightbluetouchpaper.org/2014/01/03/reading-this-may-harm-your-computer/. It covers a survey and analysis they did of how people respond to malware warnings.

4. Here is a fun entry from Jason Hale, http://dfstream.blogspot.com/2014/01/the-windows-7-event-log-and-usb-device.html. He's following up on the work by Yogish and Nicole regarding artifacts of USB usage, but in this entry Jason focuses on event logs generated by the device insertion. I love finding more points of correlation that may survive various types of cleanup attempts.

5. Did I mention that the Forensic 4cast awards are accepting nominations? You can go here, http://forensic4cast.com/2014/01/4cast-awards-2014-nominations/, and nominate who you feel deserved recognition for their work in the DFIR space in the last year. Speaking as someone who was lucky enough to win one last year, it feels good, man. So reward those you think helped you out with a nomination!

6. If you watched the Forensic Lunch two weeks ago you got to hear Mari DeGrazia talk about her work in carving and analyzing Google Analytics cookies. She's put up a great blog post that walks through what she's found and how you can do the same, http://az4n6.blogspot.com/2013/12/carving-for-cookies-supersize-your.html.

7. Harlan has a new post up this week with a word about upcoming updates to RegRipper, http://windowsir.blogspot.com/2013/12/quick-post.html. I think nearly everyone uses RegRipper so please go check up on this so you can find out where to get updates in the future and what Harlan is thinking.

8. If you are lucky enough to have the training budget for some SANS training there is a pretty great deal now where you can also get a free laptop out of it, http://digital-forensics.sans.org/blog/2014/01/01/get-a-macbook-air-toshiba-satellite-ultrabook-or-an-850-discount-with-most-dfir-online-courses-2.

9. New to RegRipper? Harlan has a post up on the RegRipper blog regarding how it works, what it can do and how to extend it. http://regripper.wordpress.com/2013/12/30/what-is-regripper

That's a pretty great group of reads this week, we should have more holiday weekends to give people more time to write up great research!

Make sure to come back tomorrow for Sunday Funday where we will be giving away a JTAG flasher box from Riffbox.org!