Friday, January 17, 2014

Daily Blog #209 Saturday Reading 1/18/14

Hello Reader,
     The DFIR world has been busy this week! I have so many links for you to look at that they might take you into Sunday! So put on a full pot of coffee, because it's time for links to make you think on this week's Saturday Reading.

1. Did you know we do a live Google+ On Air Hangout every Friday called the Forensic Lunch? We do! This week our guests were:
Sarah Edwards talking about her OS X Forensics class for SANS; sign up for the beta here: http://computer-forensics.sans.org/blog/2014/01/14/introducing-mac-forensics-the-new-sans-dfir-course-in-beta-starting-in-april-2014

Craig Ball talking about his work as a Special Master within the civil courts and his perspectives on DFIR; you can read more from Craig at his website: http://craigball.com/

Matthew and I talking about the v3 Beta, the NCCDC Red Team intern position opening for CCDC alumni, and more.

2. The Volatility team is always coming up with new and cool tools, and this week's post is no exception. Click the link to read how to recover TrueCrypt master keys from memory: http://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html

3. This post on the Securosis blog, https://securosis.com/blog/cloud-forensics-101, is a great primer for those of you having to do an examination of an AWS (Amazon Web Services) virtual instance.

4. Corey has been writing some seriously good posts lately, and this one, which ties together all the sources of evidence of program execution, is no exception. Read it here: http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html


5. I mentioned this post in the Forensic Lunch and I'll probably write about it again next week. The team that runs the National Collegiate Cyber Defense Competition has put together an 'intern seat' on my red team at nationals, open to alumni of the CCDC games. If you qualify, go here to find out how to apply and join Team Hillarious (two L's because we are extra funny): http://www.nationalccdc.org/blog/do-you-want-to-be-the-1st-red-team-intern/

6. I tend not to talk about malware and IR much, as this is a digital forensics blog for the most part, but I don't think any of us aren't fascinated by the Target breach. Brian Krebs has two great articles up looking into what he's uncovered: Part 1 is here, http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/, and Part 2 is here, http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/

7. To follow up on Brian Krebs's posts on the Target breach, here is the Volatility team's write-up on the POS malware and the technique of RAM scraping (scanning process memory for unencrypted card track data): http://volatility-labs.blogspot.com/2014/01/comparing-dexter-and-blackpos-target.html

8. Willi Ballenthin released three tools this week; you should go get all of them... right now: http://www.williballenthin.com/blog/2014/01/16/tool-release-fuse-mft/
http://www.williballenthin.com/blog/2014/01/15/tool-release-list-mft/
http://www.williballenthin.com/blog/2014/01/13/tool-release-get-file-info/

9. If you have to talk to lawyers regularly in your work, you may have been asked how many boxes of paper X data would represent. Craig Ball has a new post up where he examines the issues in answering this question: http://ballinyourcourt.wordpress.com/2014/01/15/revisiting-how-many-documents-in-a-gigabyte/

10. Jesse Kornblum has a quick post up pointing to a new capability on hashsets.com to search the NSRL online. That's seriously cool: http://jessekornblum.livejournal.com/295268.html
 
11. I do a lot of examinations of MS Office documents, so when I see a blog post about new findings in them I pay attention. Check out this post on Jason Hale's blog to learn about some new artifacts in MS Excel 2013: http://dfstream.blogspot.com/2014/01/ms-excel-2013-last-saved-location.html

12. Harlan has a new post up this week discussing the gap, or disconnect, between those doing IR and those reverse engineering the malware that responders find. In it he argues for the integration of these two distinct roles, or at least for communication between them, to allow both parties to do their jobs better: http://windowsir.blogspot.com/2014/01/malware-re-ir-disconnect.html

That's all for this week, keep up the great work out there! Make sure to come back tomorrow for a chance to win a Write Protectable USB3 Flash drive on Sunday Funday!