@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon leanpub libtsk libvshadow linux linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #143: PFIC Day 1 Morning Sessions

Hello Reader,
          I'm attending PFIC and trying to be a good attendee and attend all the sessions when I'm not running our for call. I thought I would pass on my notes on these sessions and then post the slides they are associated with for those of you who couldn't make it.

8am Session - Amber talking about trends in mobile forensics

Shows real data from kids cell phones, its a form of punishment
Windows phone acquisition is limited to local device data, cloud storage is currently out of reach
To acquire a windows phone you need to install an app from the marketplace

9am session - James Wiebe - remote forensic acquisition

a review of what we now know about nsa capabiltities via snowden
Beyond the front end server most providers pass decrypted traffic between their nodes
apologizes that this is a talk focused on a product cru is selling but wants to try to educate beyond it
I think Eric Zimmerman needs to get a ditto and test it to see if their speed claims match up to what he's seen
Ditto is an embedded linux system, but they don't use the ntfs-3g fuse driver and thus avoid the performance penalty we saw in our testing
Optional battery allows it to run for 7 hours of imaging, thats cool
They've implemented lightgrep into their embedded device and are using it for carving, I would assume they are using it for searching as well. Remote live triage is the goal.
Currently on sale for $1,649 from forensiccomputers.com, not a low cost option

Just a note here, surface is my go to device to take with me for conference notes now.

10:30am session "eDiscovery Overview for Forensic Examiners"

Data mining and mapping against email to find patterns or criteria to find interesting/relevant data.
Case law shown about various expert rulings in how experts were used
Review of challenges in defending ediscovery searches
Review of challenges in attacking ediscovery searches
I had to leave the session at this point to take a client call. 

11:30am session Google Glass Forensics

Start with glass v1
Review of what google glass is/does
Review of the hardware and specifications
Showed glass v2
walking through future glass apps and forensic data implications
Introduction of 'shattered' an open source forensic project from champlain
Current version scrapes user accessible data, next version will root the device for physical images and more data
showing how images are saved and timestamped
photos have exif
two thumbnails are also generated, filename meaning is unknown
adds an entry to usagestats
shattered script file 'logcat.txt' also shows a picture was taken, the timestamp of the log should match the name of the image taken and the exif data
Calls are also logged to these logs
map requests and cached direction information are stored
bluetooth logging includes mac addresses of devices connected to
wifi logging of access points and mac addresses in range
each glass activation and method of activation is logged
example images will be posted soon to allow testing and research

more to come as a I sit through the 2:30pm session!

Post a Comment


Author Name

Contact Form


Email *

Message *

Powered by Blogger.