Friday, January 10, 2014

Daily Blog #202: Saturday Reading 1/11/14

Hello Reader,
    It's Saturday! I hope you've been keeping warm. It's time to make some coffee and let the kids play outside. Get ready for some more links to make you think on this week's Saturday Reading:

1. We had a very interesting forensic lunch this week with:
Christian Prickaerts from Fox IT discussing the new EU privacy directive and its notification requirements; Carlos Cajigas of Epyx Forensics (http://www.epyxforensics.com/blog) discussing his research into booting forensic images as VMs on Linux with FOSS tools; and Kevin Stokes demonstrating our new multi-boot USB response thumb drive.
You can watch it here: http://www.youtube.com/watch?v=5xUPUykYmZU

2. The Volatility devs are coming out with a book on memory forensics! http://volatility-labs.blogspot.com/2014/01/the-art-of-memory-forensics.html I've preordered a copy and would suggest you do as well if you have any interest in memory forensics.

3. The SANS DFIR Summit 2014 Call for Papers is out, http://digital-forensics.sans.org/blog/2014/01/06/sans-dfir-summit-call-for-papers-dfirsummit, so go submit a topic. I hope to see you there!

4. Here is a nice write-up on the internals of the Microsoft Office compound document structure (the OLE2 container behind the binary .doc/.xls/.ppt formats used before Office 2007 introduced docx/pptx/xlsx): http://forensecurity.blogspot.com/2014/01/microsoft-office-compound-document.html. If you work with these kinds of files it's a good read, as there are sometimes old streams that can be recovered if you understand the format: a stream an application drops is typically just unlinked from the directory and released in the FAT, and its sector contents stay in the file.
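To make that recovery idea concrete, here is an added example in Python (my own, not code from the linked write-up or from this blog). It builds a constructed compound file (CFB v3, 512-byte sectors) containing two streams, simulates an application dropping one stream the way the container leaves it (directory entry marked unallocated, FAT entries released, sector bytes untouched), and then recovers it two ways: from the orphaned directory entry, and by carving free sectors that still hold data. The stream names, their contents and the deletion behaviour are all constructed for the demo; the mini stream that holds streams smaller than 4096 bytes is not modelled, and the helpers assume a single FAT sector and a single directory sector, which is enough for the sample. In a real document the freed sectors may have been reused or the old stream may have been fragmented, so anything read contiguously from a stale start sector has to be checked against its content.

```python
import struct

SECTOR = 512
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
UNALLOCATED, STREAM, ROOT = 0, 2, 5                    # directory entry object types

def _dir_entry(name, obj_type, start, size, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """Pack one 128-byte directory entry (MS-CFB section 2.6.1 layout)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"           # UTF-16LE name plus terminator
    return (raw.ljust(64, b"\x00")
            + struct.pack("<HBB", len(raw), obj_type, 1)    # name length, type, colour
            + struct.pack("<III", left, right, child)       # red-black tree links
            + b"\x00" * 36                                  # CLSID, state bits, timestamps
            + struct.pack("<IQ", start, size))              # first sector, stream size

def build_sample():
    """Constructed CFB v3 image (not from the linked post). Sector 0 = FAT, 1 = directory,
    2-9 = 'WordDocument', 10-17 = 'OldDraft'. Both streams are 4096 bytes (the mini-stream
    cutoff) so they live in normal sectors; the mini stream is not modelled."""
    doc = (b"Current document text. " * 200)[:4096]
    draft = (b"Confidential draft paragraph. " * 200)[:4096]
    fat = ([FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]   # FAT, dir, 2->..->9
           + list(range(11, 18)) + [ENDOFCHAIN])                       # 10->..->17
    fat += [FREESECT] * (128 - len(fat))
    directory = (_dir_entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", STREAM, 2, 4096, left=2)
                 + _dir_entry("OldDraft", STREAM, 10, 4096) + b"\x00" * 128)
    header = (MAGIC + b"\x00" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))         # DIFAT: FAT at sector 0
    return header + struct.pack("<128I", *fat) + directory + doc + draft

def _sector(image, n):
    return bytes(image[SECTOR * (n + 1):SECTOR * (n + 2)])  # sector 0 starts after the header

def _fat(image):
    nfat = struct.unpack_from("<I", image, 0x2C)[0]
    difat = struct.unpack_from("<109I", image, 0x4C)[:nfat]  # header DIFAT only (<=109 FAT sectors)
    return [e for s in difat for e in struct.unpack("<128I", _sector(image, s))]

def _dir_entries(image):
    """Linear scan of every directory slot. Normal readers walk the red-black tree from the
    root's child, which never visits unallocated entries; scanning the slots surfaces them."""
    fat, sect, idx = _fat(image), struct.unpack_from("<I", image, 0x30)[0], 0
    while sect != ENDOFCHAIN:
        data = _sector(image, sect)
        for off in range(0, SECTOR, 128):
            nlen, typ = struct.unpack_from("<HB", data, off + 0x40)
            name = data[off:off + max(nlen - 2, 0)].decode("utf-16-le")
            start, size = struct.unpack_from("<IQ", data, off + 0x74)
            yield idx, name, typ, start, size
            idx += 1
        sect = fat[sect]

def read_chain(image, start, size):
    """Follow the FAT chain of a live stream."""
    fat, out, sect = _fat(image), b"", start
    while sect not in (ENDOFCHAIN, FREESECT) and len(out) < size:
        out, sect = out + _sector(image, sect), fat[sect]
    return out[:size]

def list_streams(image):
    """What a normal parser reports: live stream entries only."""
    return {n: read_chain(image, s, z) for _, n, t, s, z in _dir_entries(image) if t == STREAM}

def simulate_delete(image, name):
    """Model an application dropping a stream: entry marked unallocated, sectors released in
    the FAT, sector bytes untouched (constructed; assumes one FAT and one directory sector)."""
    image, fat = bytearray(image), _fat(image)
    dir_sect = struct.unpack_from("<I", image, 0x30)[0]
    for idx, n, t, start, _ in list(_dir_entries(bytes(image))):
        if n == name and t == STREAM:
            sect = start
            while sect != ENDOFCHAIN:                  # release every sector of the chain
                nxt = fat[sect]
                fat[sect] = FREESECT
                sect = nxt
            image[SECTOR * (dir_sect + 1) + idx * 128 + 0x42] = UNALLOCATED
    fat_sect = struct.unpack_from("<I", image, 0x4C)[0]
    image[SECTOR * (fat_sect + 1):SECTOR * (fat_sect + 2)] = struct.pack("<128I", *fat[:128])
    return bytes(image)

def recover_deleted(image):
    """Path 1: orphaned directory entries still carry name, size and start sector. The FAT
    chain is gone, so read contiguously from the start and verify the content afterwards."""
    found = {}
    for _, n, t, start, size in _dir_entries(image):
        if t == UNALLOCATED and n and size:
            nsect = (size + SECTOR - 1) // SECTOR
            found[n] = b"".join(_sector(image, start + i) for i in range(nsect))[:size]
    return found

def carve_free_sectors(image):
    """Path 2: free sectors that still hold non-zero bytes, needing no directory entry."""
    fat, total = _fat(image), len(image) // SECTOR - 1
    return [s for s in range(total) if fat[s] == FREESECT and any(_sector(image, s))]
```

Running `simulate_delete(build_sample(), "OldDraft")` and then `list_streams` shows only `WordDocument`, which is all a normal viewer would ever tell you; `recover_deleted` returns the full `OldDraft` bytes from the orphaned entry, and `carve_free_sectors` reports sectors 10 through 17 as free but non-empty even if the directory entry had been overwritten too.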

5. Adam over at the Hexacorn blog has another entry up in his "beyond the Run key" series, http://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/. This one is pretty ingenious: it is an autorun that fires any time a Visual Basic program is executed.

6. Corey has a new post up, http://journeyintoir.blogspot.com/2014/01/malware-and-self-deleting-batch-file.html, analyzing a malware sample that cleans up after itself. Sneaky stuff, and some great analysis.

Did I miss something? Let me know about other blogs I should be following in the comments below; I want to read everything DFIR related!