Friday, March 7, 2014

Daily Blog #258: Saturday Reading 3/8/14

Hello Reader,
It's Saturday, and boy has the DFIR community been busy this week! We have 14 links to read this week, and I know I didn't cover everything that made its way out there! I guess the extended winter has more of us indoors and researching, so let's hope it lasts a little longer. It's time for more links to make you think on this week's Saturday Reading!

1. The Forensic Lunch was served up this week with a full plate of knowledge with some experience on the side. This week on the Forensic Lunch:

Doug Collins, talking about his career in DFIR and how to become a regular Sunday Funday winner

Mark Spencer, @arsenalrecon, talking about his work at Arsenal Experts and their tools (Registry Recon and Arsenal Image Mounter)

Sebastian Nerz, @tirsales, discussing the state of DFIR in Germany/EU

You can watch it here: https://www.youtube.com/watch?v=CbDLdzw3Hrw

2. There is a new post on the SANS blog from Lenny Zeltser going over tools that are available for static analysis of malware and other executables: http://digital-forensics.sans.org/blog/2014/03/04/tools-for-analyzing-static-properties-of-suspicious-files-on-windows

3. Over on the Apple Examiner blog there is a good writeup for those of you doing forensics on OS X systems. There is a new driver out that allows mounting EXT file systems in OS X; read about it here: http://www.appleexaminer.com/files/c44849037083bb426c73e5b3b2c6645d-52.html.

4. If you are looking to become a testifying expert, or to become a better testifying expert, I would highly recommend reading Craig Ball's blog post located here: http://ballinyourcourt.wordpress.com/2014/03/03/becoming-a-better-digital-forensics-witness/.

5. I liked this post by Didier Stevens showing how to use .cat files to validate packages and determine whether you are dealing with a false positive or not: http://blog.didierstevens.com/2014/03/03/forensic-use-of-cat-files/

6. I hope Adam's "Beyond the Run key" series never ends, because it's fascinating. This week's entry shows how existing pinned applications can be manipulated to execute malware, something worth checking in your own reviews of persistence: http://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/.

7. Over on Chad Tilbury's blog there is a new post called "Forensics in the Post-Snowden Era", http://forensicmethods.com/snowden-forensics. Chad shows how the applications we rely on for artifacts are changing how they operate, making all of our lives harder.

8. Harlan has a new post up, and it's an amazing read. If you ever wanted a short deep dive into damaged registry analysis, this is it! http://windowsir.blogspot.com/2014/03/reconstructing-data-structures.html

9. Ian Duffy has a new post up this week continuing his series on MS Office internals, this one showing how to repair a document header, which can be the difference between an interesting string and a usable document: http://forensecurity.blogspot.com/2014/03/microsoft-compund-document-internals.html

10. Interested in Windows 8 prefetch files? You should read over this post by Jared on the Invoke-IR blog to really get an understanding of the internals with his excellent illustration: http://www.invoke-ir.com/2014/03/windows-8-prefetch-101.html

11. Darren Windham, a serial Sunday Funday winner, has started a blog! He is chronicling the operation and review of a honeypot as he sees what the attackers decide to reveal about themselves. I plan to follow along: http://dfirtx.blogspot.com/2014/03/day-1-review.html.

12. Julia Desautels from Champlain has a new post up describing how to recover Google searches made through Google Glass: http://desautelsja.blogspot.com/2014/03/google-glass-forensics-google-searches.html

13. Matt Bromiley over at the 505 Forensics blog is back with a follow-up from last week, this time showing how to use Logstash to bring a variety of non-JSON data sources into Elasticsearch. It's neat, check it out (we are in the lab!): http://www.505forensics.com/logstash-and-log2timeline

14. Lastly this week, here is a post by David Dym showing how to use his tool MetaDiver to analyze shell metadata from files: http://redrocktx.blogspot.com/2014/03/finding-shell-metadata.html