Friday, January 24, 2014

Daily Blog #216: Saturday Reading 1/25/14

Hello Reader,
          It's cold! Stay inside and heat up some pizza, let's get down to some DFIR reading! Time for more links to make you think on this week's Saturday Reading:

1. What, did we have a forensic lunch this week? Why, yes we did! This week we had:
Jacob Williams, @malwarejake, talking about his proof of concept code shown at ShmooCon. Check it out here: http://malwarejake.blogspot.com/2014/01/shmoocon-talk-and-add.html and download the tool/memory samples here: http://code.google.com/p/attention-deficit-disorder/

Hal Pomeranz, @hal_pomeranz, talking about the scripts he's been sharing via GitHub for the DFIR community: https://github.com/halpomeranz/dfis

Lee Whitfield, @lee_whitfield, talking about his new series of internet safety videos that you can show to your friends and family, found here: https://www.youtube.com/user/mrleewhitfield

2. Apple Examiner has been updating its analysis pages for OS X, http://www.appleexaminer.com/MacsAndOS/Analysis/InitialDataGathering/InitialDataGathering.html. Give it a read and keep up to date.

3. Patrick Olsen has a great post on how to spot lateral movement by bad guys, http://sysforensics.org/2014/01/lateral-movement.html. I like how he breaks down the categories of lateral movement techniques and shows the combinations analysts should look for.

4. SANS is hosting a photo contest to win a free simulcast seat in a training class of your choice, http://digital-forensics.sans.org/blog/2014/01/20/announcing-the-dfircon-photo-contest-changce-to-win-a-free-simulcast-course. A pretty sweet prize for just taking a photo.

5. Patrick Olsen also wrote a great post on knowing what's normal on a Windows system, http://sysforensics.org/2014/01/know-your-windows-processes.html. You have to know what's normal to know what's wrong! I certainly hope Patrick keeps blogging!

6. A firm called Cassidian Cybersecurity has put out a tool for carving $I30 entries, http://blog.cassidiancybersecurity.com/post/2014/01/Introducing-MftCrawler%2C-a-MFT-parser-with-%24i30-carving-capabilities. It's written in Lua, which I can't say I've seen very often.

7. Here's a good read on securing logs so they can be reviewed later, http://www.scip.ch/en/?labs.20140123#null. If you are doing internal IR, making sure the logs you need actually survive long enough to be analyzed is kind of important.

8. Brian Moran has another post up, http://brimorlabs.blogspot.com/2014/01/identifying-truecrypt-volumes-for-fun.html, this time extending the TrueCrypt master password recovery plugin that the Volatility devs released with a method for finding these volumes in the first place.

9. Mandiant, now FireEye?, has a new blog post up, https://www.mandiant.com/blog/tracking-malware-import-hashing, talking about their method for attribution via which functions a backdoor imports, since each team tends to have its own preferred backdoor kits. Kinda neat!
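To make the import-hashing idea concrete, here is an added example (my own illustration, not code from the Mandiant post): it builds an "imphash" from a PE's import table by normalising each library/function pair to lowercase, joining them in import-table order, and MD5-ing the result, so two builds from the same kit that share a compile-time import layout hash identically while a reordered or different import set does not. The normalisation rules (extension stripping, `ordN` for ordinal imports) are assumptions modelled on the common pefile convention, and the import tables below are constructed, not real malware.

```python
import hashlib

# Extensions dropped from library names before hashing (assumed convention).
STRIP_EXT = (".dll", ".ocx", ".sys")


def normalise_import(dll: str, func) -> str:
    """Return 'library.function' in canonical lowercase form.

    func is either a function name (str) or an ordinal (int). Real tools map
    well-known ordinals back to names; this simplified version emits 'ordN'.
    """
    lib = dll.lower()
    for ext in STRIP_EXT:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash(imports) -> str:
    """imports: list of (dll, function-or-ordinal) in import-table order.

    Order matters: the hash fingerprints the layout the linker produced,
    which is what makes it useful for grouping builds from one toolkit.
    """
    joined = ",".join(normalise_import(dll, fn) for dll, fn in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed sample import tables (not from any real binary).
SAMPLE_A = [("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
            ("WS2_32.dll", 23), ("ADVAPI32.dll", "RegSetValueExA")]
# Same layout, only the on-disk casing differs: hashes must match.
SAMPLE_B = [("kernel32.DLL", "CreateFileA"), ("kernel32.DLL", "WriteFile"),
            ("ws2_32.dll", 23), ("advapi32.dll", "RegSetValueExA")]
# Same functions in a different order: a different build, different hash.
SAMPLE_C = [("ADVAPI32.dll", "RegSetValueExA"), ("WS2_32.dll", 23),
            ("KERNEL32.dll", "WriteFile"), ("KERNEL32.dll", "CreateFileA")]


def same_family(a, b) -> bool:
    """Cluster two samples together when their import hashes match."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(table))
```

A matching imphash is a clustering hint for an analyst, not proof of shared authorship; packed or statically linked binaries can defeat it entirely.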

That's all for this week! Did I miss something interesting? Leave it in the comments below so others can find it and I can add it to my Feedly for next week!