CEIC 2012 - Anti Anti Forensics Materials

Hello Possible CEIC Attendee,
I always put my materials up after I give a presentation. This time, since I also made a couple of labs to show how to perform this type of investigation into identifying, detecting and recovering from anti-forensic tools, I am including those as well. There are 3 labs making up 10 GB of data compressed. The images are E01 and the cases are saved in EnCase v7.04, since this was a Guidance Software conference. There is a lab manual for each lab as well in the root directory to walk you through what you are expected to find.

I'm putting this up on a Dropbox account as they are the only file hosting service I could find without a max file size limit (that you couldn't pay to increase).

All three labs here:

The ppt slides are here:

As I've said in the prior post, I'm more of a talker than a powerpoint slide maker. So if you have questions based on the presentation/lab please leave them in the comments below and I'll do my best to answer them.

Also, Lab 3 contains a preview of our $LogFile research that we will hopefully be presenting at Black Hat (please pick me, Black Hat review board).

If this type of lab download/review thing is popular with you readers I can put up more and we can do a forensic challenge style of blogging for a bit!


  1. Thanks for posting your files, I did not have time to copy them after the presentation. In your Lab 2, you recommend checking the Jump Lists in Windows 7. I have to admit, this was the first time I've seen and heard about these artifacts. You just caused a few nights of research to catch up - thanks for the heads up.

    I would love to unleash my guys on forensic challenges of this kind, just keep the evidence at a more manageable size.

    P.S. Have fun presenting at BlackHat, they will be lucky to have you.

    1. Thanks for the well wishes, I really do hope Black Hat picks this up. I think what we are showing here can really help a lot of investigators.

      I'm going to work on smaller images :)

  2. Why did you keep your interview "hidden" from us? It is a very good addition for those who are interested in the topic and to connect a voice to a face :-)

    "The CyberJungle • Episode 260", http://www.thecyberjungle.com/listen.php