Friday, April 11, 2014

Daily Blog #293: Saturday Reading 4/12/14

Hello Reader,
                It's Saturday! One week behind you, another week ahead. In between those two events let's focus on what we can learn to make next week even better. Here are more links to make you think in this week's Saturday Reading.

1. If it's the first link of the week it must be the forensic lunch! This week we had:

Anthony Di Bello from Guidance Software talking about CEIC. CEIC is our industry's biggest conference and we will be there. If you are interested go here http://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx and follow them on Twitter @encase

David Dym talking about his upcoming talk on SQLite forensics at CEIC and the early release of a new tool called SQLiteDiver which comes in GUI and CLI forms. You can download SQLiteDiver here: http://www.easymetadata.com/Downloads/SQLiteDiver/ and you can see Dave talk about it and SQLite forensics at CEIC!

You can watch it here: https://www.youtube.com/watch?v=ZEXnP34jf1I&list=UUZ7mQV3j4GNX-LU1IKPVQZg

2. There's a new blog in town, Jan Verhulst's 4ensics.net. He's written a good post on report writing, and a couple of things before that, that I think you should take a look at here: http://www.4ensics.net/home/2014/4/2/r8nqt1isgo3lvaxtbcx7xy8iyqu6uq. Thanks to Jan, who let me know he started a blog so I can have more sources to review! If you are getting ready to put out research, let me know! I want to help you get your work the most exposure possible.

3. Richard Drinkwater has made a new post on his blog 'Forensics from the sausage factory'. I've always enjoyed Richard's blog and his great analysis, and this week's entry is no different. Richard is facing a common scenario that many of us face: receiving an image without access to the original machine it came from. He did the work to determine the plist that tells you whether automatic time syncing via NTP was enabled on OS X. If you get an OS X image in and want to know if the timestamps can be trusted, this is worth a read: http://forensicsfromthesausagefactory.blogspot.com/2014/04/mac-os-x-set-date-and-time-automatically.html.
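As an added example, not code from Richard's post and not a summary of his findings, here is a small Python check of the kind you would run against the files copied out of such an image. The path /private/var/db/launchd.db/com.apple.launchd/overrides.plist and the launchd label org.ntp.ntpd are my assumptions about where 10.6 through 10.9 record the "Set date and time automatically" checkbox (the checkbox loads or unloads the ntpd launchd job with -w, which writes a Disabled override); verify both against the post and the OS version of your image. The plist and ntp.conf contents below are constructed samples, not data from a real case.

```python
import plistlib
import re

# Constructed sample of a launchd overrides plist, as it would be copied from
# /private/var/db/launchd.db/com.apple.launchd/overrides.plist in an image.
# Path and the org.ntp.ntpd label are assumptions of this example, not facts
# taken from the linked post.
SAMPLE_OVERRIDES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>org.ntp.ntpd</key>
    <dict>
        <key>Disabled</key>
        <false/>
    </dict>
    <key>com.example.someagent</key>
    <dict>
        <key>Disabled</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Constructed sample of /private/etc/ntp.conf from the same image.
SAMPLE_NTP_CONF = """# constructed sample, Apple default style
server time.apple.com
"""

NTPD_LABEL = "org.ntp.ntpd"  # assumed launchd label of the NTP daemon job


def launchd_job_state(overrides_plist: bytes, label: str):
    """Return True if the job is enabled, False if disabled, or None if the
    overrides file has no entry for it (the job then runs at the default
    state given by its own LaunchDaemons plist)."""
    data = plistlib.loads(overrides_plist)
    entry = data.get(label)
    if not isinstance(entry, dict) or "Disabled" not in entry:
        return None
    return not bool(entry["Disabled"])


def ntp_servers(ntp_conf: str):
    """Collect the 'server' directives from an ntp.conf, ignoring comments."""
    servers = []
    for raw in ntp_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^server\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def network_time_report(overrides_plist: bytes, ntp_conf: str) -> dict:
    """Combine both artifacts into the answer an examiner wants:
    was network time on, and against which servers."""
    return {
        "network_time_enabled": launchd_job_state(overrides_plist, NTPD_LABEL),
        "ntp_servers": ntp_servers(ntp_conf),
    }


if __name__ == "__main__":
    print(network_time_report(SAMPLE_OVERRIDES_PLIST, SAMPLE_NTP_CONF))
```

Two caveats worth keeping in mind when you write this up: a None result means no override was recorded, so the daemon's default applies and you should read /System/Library/LaunchDaemons/org.ntp.ntpd.plist as well; and "enabled" only tells you the machine would have synced when it could reach the server, not that every timestamp on the disk is accurate.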

4. Jake Williams has a post up on the SANS blog with all of his Heartbleed slides, notes and a link to his webcast on the subject. Heartbleed is going to be an ongoing problem for years to come, so it would be wise to get up to date on it now: http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc.

5. Chad Tilbury also has a new post up on the SANS blog; his is all about how to use the new CrowdStrike tool CrowdResponse. In reading through the post it's clear that this is a powerful tool for large scale YARA scanning of systems. Make sure to give this a read: http://digital-forensics.sans.org/blog/2014/04/09/signature-detection-with-crowdresponse.

6. Andrew Case has a new post up on the Volatility Labs blog this week showing how to build a decoder for a piece of shellcode: http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html. If you are trying to become a better malware reverser you should reread this a couple dozen times.

7. Harlan Carvey's latest edition of Windows Forensic Analysis is out, this time with a focus on Windows 8 forensics. I own most of Harlan's books and always appreciate the work he puts into making them such a good reference guide going forward. You can buy it here: http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Edition/dp/0124171575/.

8. 'Chip_DFIR' is a blog that I just found thanks to the #dfir hashtag on Twitter this week. Chip has put up a two-part post, with the second part posted this week, covering how to recover and analyze deleted Chrome cache artifacts and metadata. You can read it here: http://chipdfir.blogspot.co.uk/2014/04/chrome-cache-wheres-stash-part-2.html.

9. The Sketchymoose blog has a new post up on building a Live USB/CD boot drive to deal with encrypted drives and drive-locked systems: http://sketchymoose.blogspot.co.uk/2014/04/creating-live-usbcd-for-whatever-reason.html. It's always good to see posts showing what people have learned from work in the field.