Saturday, June 7, 2014

Daily Blog #349: Saturday Reading 6/7/14

Hello Reader,
             It's been a long and enjoyable week helping out in FOR408 here at the SANS DFIR Summit. I haven't kept up with blogs much this week as I focused on what was happening in class and work, but that's OK, as it led to me finding some new sources tonight! So get ready for more links to make you think in this week's Saturday Reading.

1. We had a great Forensic Lunch today. We didn't have any official guests this week, just Matthew, you and I talking about what was interesting to us this week. We talked about:

   1. The SANS DFIR Summit
   2. The FOR408 class I am currently assisting with
   3. The research into USB device history that is leading to a race for application development between Eric Zimmerman and myself
      Here are the links to the USB device lookups I found:
      Official list of vendors from USB.org (requires you to convert the vendor ID from decimal to hex to match the VID in the registry): http://www.usb.org/developers/tools/comp_dump
      The Linux USB driver list of known USB vendors and products:
      http://www.linux-usb.org/usb.ids
   4. A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.
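
To show what the decimal-to-hex step above actually looks like in practice, here is an added example of my own (not code from Eric's or my tools, and not from the original post). It parses a small constructed excerpt in the usb.ids layout (4-hex-digit vendor lines, tab-indented product lines), a constructed excerpt in an assumed "decimal ID, tab, name" layout for the USB.org dump, and then resolves the VID_xxxx&PID_yyyy portion of constructed Enum\USB registry key paths against both. The vendor names, IDs and key paths are made up for the example; the helper names (parse_usb_ids, parse_usb_org_vendors, decimal_vid_to_hex, resolve_enum_key) are mine.

```python
"""Resolve USB vendor/product IDs from registry Enum\\USB key names.

Added example, not part of the original post. Two lookup sources are parsed:
  - usb.ids (Linux list): hex vendor IDs, tab-indented hex product IDs
  - USB.org vendor dump: assumed here to be 'decimal_id<TAB>name' per line
Registry keys under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB are named
VID_xxxx&PID_yyyy, so the decimal USB.org IDs must be converted to 4-digit hex.
"""
import re

# Constructed sample in usb.ids layout (values are fictional).
USB_IDS_SAMPLE = (
    "# constructed sample, usb.ids layout\n"
    "1a4a  Example Flash Co.\n"
    "\t0101  Thumbdrive 16GB\n"
    "\t0102  Thumbdrive 32GB\n"
    "2b3c  Example Keyboards Ltd.\n"
    "\t0001  Compact Keyboard\n"
    "C 08  Mass Storage\n"          # class section: must be ignored by the parser
)

# Constructed sample in the assumed USB.org dump layout: decimal ID, tab, name.
USB_ORG_SAMPLE = (
    "6730\tExample Flash Co.\n"
    "11068\tExample Keyboards Ltd.\n"
    "19999\tOther Vendor Inc.\n"
)

# Constructed registry key paths of the kind seen under Enum\USB.
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_1A4A&PID_0102\0123456789ABCDEF",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_4E1F&PID_7777\ABCDEF",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB30\4&1234abcd&0&0",
]

HEX4 = re.compile(r"[0-9a-f]{4}")
VID_PID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_usb_ids(text):
    """Return {vid_hex: (vendor_name, {pid_hex: product_name})} from usb.ids text."""
    vendors = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t\t"):
            continue                      # interface lines; not needed here
        if line.startswith("\t"):         # product line belonging to current vendor
            if current is None:
                continue
            pid, _, name = line.strip().partition("  ")
            vendors[current][1][pid.lower()] = name.strip()
        else:                             # vendor line, or a class/other section
            vid, _, name = line.partition("  ")
            vid = vid.strip().lower()
            if not HEX4.fullmatch(vid):
                current = None            # e.g. "C 08" class lines: skip section
                continue
            current = vid
            vendors[vid] = (name.strip(), {})
    return vendors


def decimal_vid_to_hex(decimal_id):
    """Convert a decimal vendor ID (USB.org style) to the 4-digit hex form used in VID_xxxx."""
    return f"{int(decimal_id):04x}"


def parse_usb_org_vendors(text):
    """Return {vid_hex: vendor_name} from 'decimal_id<TAB>name' lines (assumed layout)."""
    out = {}
    for line in text.splitlines():
        dec, _, name = line.partition("\t")
        if not dec.strip().isdigit():
            continue                      # header or malformed line
        out[decimal_vid_to_hex(dec.strip())] = name.strip()
    return out


def resolve_enum_key(key_path, usb_ids, usb_org):
    """Map a VID_xxxx&PID_yyyy key path to vendor/product names; None if no VID/PID present."""
    m = VID_PID_RE.search(key_path)
    if not m:
        return None                       # e.g. ROOT_HUB keys carry no VID/PID
    vid, pid = m.group(1).lower(), m.group(2).lower()
    vendor = product = None
    if vid in usb_ids:                    # prefer usb.ids: it also knows products
        vendor, products = usb_ids[vid]
        product = products.get(pid)
    if vendor is None:                    # fall back to the USB.org vendor list
        vendor = usb_org.get(vid)
    return {"vid": vid, "pid": pid, "vendor": vendor, "product": product}


if __name__ == "__main__":
    ids = parse_usb_ids(USB_IDS_SAMPLE)
    org = parse_usb_org_vendors(USB_ORG_SAMPLE)
    for key in SAMPLE_KEYS:
        print(key.rsplit("\\", 2)[-2], "->", resolve_enum_key(key, ids, org))
```

Two points worth noticing when running this against the real files: usb.ids has class, audio and HID sections after the vendor table whose lines do not start with a 4-digit hex ID, which is why the parser resets the current vendor on such lines, and a VID known to USB.org but absent from usb.ids resolves to a vendor name with no product name, so an empty product field is a lookup gap rather than evidence of anything about the device.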

You can watch it here: https://www.youtube.com/watch?v=I5PaghWRj8k

2. Kristinn has released version 1.1.0 of Plaso; you can read what's new here http://blog.kiddaland.net/2014/06/what-is-one-to-say-about-june-time-of.html and take advantage of all the work happening in that project.

3. Lenny Zeltser has a new blog post up on the SANS DFIR Blog all about recovering evidence of older versions of malicious Office macros within documents; read it here http://digital-forensics.sans.org/blog/2014/06/05/srp-streams-in-office-documents-reveal-earlier-macros.

4. On the Threat Geek blog is a good write-up on how to avoid screwing up your next IR job: http://www.threatgeek.com/2014/06/how-to-screw-up-an-incident-response.html.

5. Sarah Edwards has a new blog post up on her new mac4n6 blog all about HFS+: http://www.mac4n6.com/blog/2014/6/2/omg-hfs-ftw. As a file systems person, I highly recommend it.

6. Corey Harrell has a new post up following up on last year's triage-focused talk with one focused on root cause analysis; read it here http://journeyintoir.blogspot.com/2014/06/malware-root-cause-analysis-dont-be.html

7. Jack Crook has a new blog post up all about the factors to weigh when deciding whether your IR and SOC teams should be siloed: http://blog.handlerdiaries.com/?p=613