Hello Reader,
It's cold! Stay inside, heat up some pizza, and let's get down to some DFIR reading! Time for more links to make you think on this week's Saturday Reading:
1. What, did we have a forensic lunch this week? Why, yes we did! This week we had:
Jacob Williams, @malwarejake, talking about his proof of concept code shown at Shmoocon. Check it out here: http://malwarejake.blogspot.com/2014/01/shmoocon-talk-and-add.html and download the tool/memory samples here: http://code.google.com/p/attention-deficit-disorder/
Hal Pomeranz, @hal_pomeranz, talking about the scripts he's been sharing via GitHub for the DFIR Community: https://github.com/halpomeranz/dfis
Lee Whitfield, @lee_whitfield, talking about his new series of internet safety videos that you can show to your friends and family, found here: https://www.youtube.com/user/mrleewhitfield
2. Apple Examiner has been updating its analysis pages for OS X, http://www.appleexaminer.com/MacsAndOS/Analysis/InitialDataGathering/InitialDataGathering.html. Give it a read and keep up to date.
3. Patrick Olsen has a great post on how to spot lateral movement from bad guys, http://sysforensics.org/2014/01/lateral-movement.html. I like how he breaks down categories of lateral movement techniques and shows their combinations for analysts to find.
4. SANS is hosting a photo contest to win a free simulcast seat to a training class of your choice, http://digital-forensics.sans.org/blog/2014/01/20/announcing-the-dfircon-photo-contest-changce-to-win-a-free-simulcast-course, a pretty sweet prize for just taking a photo.
5. Patrick Olsen also wrote a great post on knowing what's normal in a Windows system, http://sysforensics.org/2014/01/know-your-windows-processes.html. You have to know what's normal to know what's wrong! I certainly hope Patrick keeps blogging!
6. A firm called Cassidian CyberSecurity has put out a tool for carving $I30 entries, http://blog.cassidiancybersecurity.com/post/2014/01/Introducing-MftCrawler%2C-a-MFT-parser-with-%24i30-carving-capabilities. It's written in Lua; can't say I've seen that very often.
7. Here's a good read on securing logs so they can be reviewed later, http://www.scip.ch/en/?labs.20140123#null. If you are doing internal IR, making sure the logs you need actually make it to be analyzed is kinda important.
8. Brian Moran has another post up, http://brimorlabs.blogspot.com/2014/01/identifying-truecrypt-volumes-for-fun.html, this time extending the TrueCrypt master password recovery plugin that the Volatility devs released with how to find these volumes.
9. Mandiant (now FireEye?) has a new blog up, https://www.mandiant.com/blog/tracking-malware-import-hashing, talking about their methods for attribution via which modules and functions a backdoor imports, since each team has its own preferred backdoor kits. Kinda neat!
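To make the import-hashing idea concrete, here is an added example (my own code, not Mandiant's implementation or anything from the linked post) that computes a hash over a sample's import table in the same spirit: DLL names are lowercased and stripped of their .dll/.ocx/.sys extension, function names are lowercased, the "dll.func" pairs are joined in import-table order with commas, and the result is MD5'd. The import tables below are constructed by hand for the demo; ordinal-only imports are rendered as "ordN" as a simplification (no ordinal-to-name lookup tables), so hashes from this code should not be expected to match those from a full PE parser.

```python
import hashlib
from collections import defaultdict


def normalize_import(dll, func):
    """Normalize one imported symbol into the 'dll.func' form that is hashed.

    dll:  DLL name as it appears in the import directory (any case, with extension)
    func: imported function name (str) or ordinal (int) when imported by ordinal
    """
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    # Only the common module extensions are stripped; other dots are kept.
    if dot and ext in ("dll", "ocx", "sys"):
        dll = base
    if isinstance(func, int):
        func = f"ord{func}"  # simplification: no ordinal name tables
    return f"{dll}.{func.lower()}"


def imphash(imports):
    """Hash an ordered import table given as a list of (dll, func) pairs.

    Order matters: the hash reflects how the linker laid out the table,
    which is what makes samples built from the same codebase cluster.
    """
    joined = ",".join(normalize_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by import hash: {hash: [sample names]}."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import tables (not from any real malware).
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", "connect"),
    ("ADVAPI32.dll", "RegSetValueExA"),
]

# Same imports, same order, but names in different case and one
# extension spelled differently: should hash identically to SAMPLE_A.
SAMPLE_B = [
    ("kernel32.DLL", "createfilea"),
    ("kernel32.DLL", "writefile"),
    ("ws2_32.dll", "connect"),
    ("advapi32.dll", "regsetvalueexa"),
]

# Same set of imports but a different table order (e.g. a different
# build of a different codebase): should hash differently.
SAMPLE_C = [
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("WS2_32.dll", "connect"),
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
]

SAMPLES = {"sample_a.bin": SAMPLE_A, "sample_b.bin": SAMPLE_B, "sample_c.bin": SAMPLE_C}

if __name__ == "__main__":
    for name, imports in SAMPLES.items():
        print(f"{name}: {imphash(imports)}")
    for h, members in cluster_by_imphash(SAMPLES).items():
        print(f"{h} -> {', '.join(sorted(members))}")
```

In practice you would feed the function the import table parsed out of each binary and pivot on matching hashes across your malware repository; two samples sharing a hash is a strong hint they came from the same build environment or toolkit, which is exactly the attribution angle the Mandiant post is after.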
That's all for this week! Did I miss something interesting? Leave it in the comments below so others can find it and I can add it to my feedly for next week!