Hello Reader,
Hope you had a great week, but now the week is over. It's Saturday! It's time for more links to make you think in this week's Saturday Reading.
1. We had a fascinating Forensic Lunch today with two people whose expertise is in fields I know much less about, which always fascinates me:
Lenny Zeltser, @lennyzeltser, talking about his career in reverse engineering and the challenges of moving his analysis platform to Windows 8. Here are the links he discussed:
Dealing with ASLR on Windows 8.1: http://digital-forensics.sans.org/blog/2014/02/17/malware-analysis-and-aslr-on-windows-8-1
setdllcharacteristics: http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/
CFF Explorer: http://www.ntcore.com/exsuite.php
Scylla for process dumping: http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/
Books mentioned:
Malware Analyst's Cookbook: http://www.malwarecookbook.com
Practical Malware Analysis: http://practicalmalwareanalysis.com/
You can take a class with Lenny here: https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques
Jon Stewart, @codeslack, talking about his career and his work on Lightgrep.
You can grab a copy of the lightgrep engine source here: http://www.lightboxtechnologies.com/lightgrep-engine/
You can grab a copy of bulk_extractor v1.4 with lightgrep built in here: http://digitalcorpora.org/downloads/bulk_extractor/
You can buy a copy of lightgrep that works with EnCase and other tools here: http://www.lightboxtechnologies.com/lightgrep/
2. Hexacorn blog has part 8 of its autorun series up, http://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/, this one covering how to get users to be your persistence mechanism through jump lists. Very cool.
3. Jason Hale has a new blog post up documenting additional MRUs in Office 2013, http://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html, and more MRUs are always a good thing!
4. Lenny Zeltser has a new blog post up on the SANS DFIR blog discussing OllyDbg v2, http://digital-forensics.sans.org/blog/2014/02/20/ollydbg-version-2-for-malware-analysis, and its current state of feature completeness.
5. Harlan has a new blog post up, http://windowsir.blogspot.com/2014/02/more-tracking-user-activity-via-registry.html, discussing how to identify additional files being accessed in Office 2013 on a per-user basis, with timestamps and the last position within each document.
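The setdllcharacteristics link in Lenny's list points at the usual trick for keeping a sample at a fixed address while debugging it: clear the DYNAMIC_BASE flag in the PE optional header so the loader maps the image at its preferred ImageBase instead of relocating it. The script below is an added example of that edit in Python; it is not code from this post, from Lenny's talk, or from Didier Stevens' tool, and the PE header it builds for the demonstration is constructed inline. Field offsets follow the PE/COFF specification; the caveats about the CheckSum field and Authenticode are my own notes, not something the post states.

```python
"""Clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in a PE file's optional header.

Added example, not code from the original post or from Didier Stevens'
setdllcharacteristics. It performs the same flag edit that tool does: with
DYNAMIC_BASE cleared, the Windows loader maps the image at its preferred
ImageBase, so addresses stay stable between debugger runs.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLLCHARACTERISTICS_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics_offset(data: bytes) -> int:
    """Return the file offset of the 16-bit DllCharacteristics field.

    Layout: e_lfanew at DOS header offset 0x3C -> "PE\\0\\0" (4 bytes) ->
    IMAGE_FILE_HEADER (20 bytes) -> optional header. DllCharacteristics is at
    optional-header offset 70 for both PE32 and PE32+: PE32 has a 4-byte
    BaseOfData that PE32+ lacks, and PE32+ has an 8-byte ImageBase instead
    of 4 bytes, so the two differences cancel out.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20
    if opt_hdr + 72 > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    return opt_hdr + 70


def read_dll_characteristics(data: bytes) -> int:
    (flags,) = struct.unpack_from("<H", data, dll_characteristics_offset(data))
    return flags


def describe_dll_characteristics(flags: int) -> list[str]:
    """Names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(DLLCHARACTERISTICS_FLAGS.items()) if flags & bit]


def clear_dynamic_base(data: bytes) -> bytes:
    """Return a copy of the image with DYNAMIC_BASE cleared.

    Caveats: the optional header CheckSum is left stale (the loader does not
    check it for ordinary user-mode executables) and any Authenticode
    signature no longer matches, which does not matter in a malware lab.
    """
    off = dll_characteristics_offset(data)
    flags = read_dll_characteristics(data)
    patched = bytearray(data)
    struct.pack_into("<H", patched, off, flags & ~DYNAMIC_BASE & 0xFFFF)
    return bytes(patched)


def build_sample_pe(dll_characteristics: int, magic: int = PE32PLUS_MAGIC) -> bytes:
    """Constructed minimal PE header (no sections) so the example runs offline."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python clear_dynamic_base.py in.exe out.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(clear_dynamic_base(data))
    else:                    # no arguments: use the constructed sample header
        data = build_sample_pe(0x0160)   # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT
    print("before:", describe_dll_characteristics(read_dll_characteristics(data)))
    print("after: ", describe_dll_characteristics(read_dll_characteristics(clear_dynamic_base(data))))
```

Run it with no arguments to see the flag change on the built-in sample, or with an input and output path to patch a real sample before loading it in OllyDbg. Only DYNAMIC_BASE is cleared; HIGH_ENTROPY_VA is left alone because it has no effect once the image is no longer randomized, and leaving the other bits untouched keeps the diff against the original minimal.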
Did I miss something? Did you post a blog I missed? Let me know in the comments or email me at dcowen@g-cpartners.com!