Friday, March 21, 2014

Daily Blog #272: Saturday Reading 3/22/14

Hello Reader,
          It's Saturday! Put the kids outside (if it's above freezing where you are) and brew your favorite beverage, because it's time to get ready for the week ahead. It's time for more links to make you think in this week's Saturday Reading.

1. We had another great Forensic Lunch this week. This week we had:
Vico Marziale, @vicomarziale, talking about the research being done at 504ENSICS Labs, and specifically into the OSX Spotlight index.

You can get a copy of Spotlight Inspector here:
http://www.504ensics.com/tools/digital-forensics-tool-spotlight-inspector/

You can read the 504ENSICS blog here:
http://www.504ensics.com/blog/

You can see the rest of their website and tools here:
http://www.504ensics.com/

Nasa Quba & Kausar Khizra, talking about their research on Windows 8 File History!
You can see Nasa & Khizra at the SANS DFIR Summit this June, where they will go into depth on this research in an hour-long presentation on the topic.
Go here to learn more

To contact Nasa & Khizra, their LinkedIn pages are here:
http://www.linkedin.com/in/kausarkhizra/
www.linkedin.com/pub/nasa-quba/39/715/382/

2. Didier Stevens has a new blog post up on how to find embedded executables with his tool XORSearch. Very cool stuff; read it here: http://blog.didierstevens.com/2014/03/20/xorsearch-finding-embedded-executables/
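The idea behind that kind of search is simple enough to show in a few lines: XOR a known signature (the MZ magic of a PE file) with every possible single-byte key, look for the result in the blob, and then validate the candidate by decoding the DOS header and checking that e_lfanew points at a PE\0\0 signature. What follows is an added example written for this post, not Didier's XORSearch (the real tool is far more complete and also tries other encodings); the sample blob it scans is constructed inline for the demonstration.

```python
# Added example: brute-force single-byte XOR keys to locate an XOR-obfuscated
# PE file embedded in a blob. Illustrative code, not XORSearch; the sample
# blob built by build_sample_blob() is constructed for this demo.
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
DOS_STUB = b"This program cannot be run in DOS mode.\r\r\n$"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def _valid_pe_at(blob: bytes, off: int, key: int) -> bool:
    """Decode the 64-byte DOS header at `off` with `key` and confirm that
    e_lfanew points at a PE\\0\\0 signature inside the blob."""
    header = xor_bytes(blob[off:off + 0x40], key)
    if len(header) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    # e_lfanew must land past the DOS header and inside the blob.
    if e_lfanew < 0x40 or off + e_lfanew + 4 > len(blob):
        return False
    sig = xor_bytes(blob[off + e_lfanew:off + e_lfanew + 4], key)
    return sig == PE_MAGIC


def find_xor_pe(blob: bytes):
    """Return [(key, offset), ...] for every single-byte XOR key under which
    a structurally plausible PE header appears in `blob`. Key 0 covers an
    unobfuscated PE, so plain embedded executables are reported too."""
    hits = []
    for key in range(256):
        needle = xor_bytes(MZ_MAGIC, key)   # what "MZ" looks like under this key
        off = blob.find(needle)
        while off != -1:
            if _valid_pe_at(blob, off, key):
                hits.append((key, off))
            off = blob.find(needle, off + 1)
    return hits


def carve(blob: bytes, key: int, off: int) -> bytes:
    """Decode from `off` to the end of the blob. Trim using the PE section
    headers if you need the exact file size."""
    return xor_bytes(blob[off:], key)


def build_sample_blob(key: int = 0x42) -> bytes:
    """Constructed test data: a minimal DOS header + stub + PE signature,
    XOR-encoded with `key`, wrapped in filler bytes on both sides."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    pe = bytes(dos) + DOS_STUB
    pe += b"\x00" * (0x80 - len(pe))
    pe += PE_MAGIC + struct.pack("<HH", 0x14C, 1) + b"\x00" * 16  # i386, 1 section
    return b"JUNK" * 13 + xor_bytes(pe, key) + b"\xff" * 64


if __name__ == "__main__":
    blob = build_sample_blob()
    for key, off in find_xor_pe(blob):
        print(f"key=0x{key:02x} offset={off} starts={carve(blob, key, off)[:2]!r}")
```

The e_lfanew check is what keeps the false-positive rate low: two bytes that happen to XOR to "MZ" under some key are common in any large file, but a sane e_lfanew that also decodes to PE\0\0 under the same key almost never happens by accident.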

3. On the SP Security Blog there is a great writeup on the examination of the Uroburos rootkit using Volatility: http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html Always nice to see how someone else solves these kinds of puzzles.

4. Brian Moran has a new blog post up with his OSX live response scripts: http://brimorlabs.blogspot.com/2014/03/announcing-osx-live-response-bash.html If you are doing live response, Brian's scripts are very helpful.

5. Darren Windham has a new blog post up this week on the side effects of having McAfee installed when you are trying to do memory analysis: http://dfirtx.blogspot.com/2014/03/update-from-this-week-mcafee-and-memory.html

6. Version 3 of the SANS SIFT virtual machine is out: http://digital-forensics.sans.org/community/downloads

7. The Rekall memory forensics blog has a post up on how simple it can be to stop memory acquisition. Very interesting: http://rekall-forensic.blogspot.fr/2014/03/how-to-stop-memory-acquisition-by.html

8. Frank McClain has a new blog post up about his planned talk at this year's SANS DFIR Summit: http://forensicaliente.blogspot.com/2014/03/presenting-dfir-shakespeare-style-dfir.html

Did I miss something? Let me know in the comments below!