Daily Blog #376: Saturday Reading 4/16/16

Hello Reader,

          It's Saturday!  Soccer Games, Birthday Parties and forensics oh my! That is my weekend, how's yous? If its raining where you are and the kids are going nuts here are some good links to distract you.

1. Diider Stevens posted an index of all the posts he's made in March, https://blog.didierstevens.com/2016/04/17/overview-of-content-published-in-march/. If you are at all interested in malicious document deconstruction and reverse engineer it's worth your time to read. 

2. If you've done any work on ransomware and other drive by malware deployments this article by Brian Krebs on the the sentencing of the black hole kit author is worth a read, http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/

3. Harlan has a new blog up this week with some links to various incident response articles he's found interesting, http://windowsir.blogspot.com/2016/04/links.html. This includes a link to the newly published 2nd edition of Windows Registry Forensics!

4. Mary Ellen has a post up with a presentation she made regarding the analysis of phishing attacks, http://manhattanmennonite.blogspot.com/2016/04/gone-phishing.html, The presentation also links to a Malware lab. Maybe this will see more posts from Mary Ellen.

5. Adam over at Hexcorn has a very interesting write up on EICAR, http://www.hexacorn.com/blog/2016/04/10/a-few-things-about-eicar-that-you-may-be-not-aware-of/. I wasn't aware of EICAR until Adam posted about it and found the whole read fascinating. EICAR is apparently a standard file created to allow anti virus developers test their own software and as Adam discusses others have made their own variations. 

6. In a bit of inception posting, Random Access has a weekly reading list of his own on his blog. This is his post from 4/10/16, https://thisweekin4n6.wordpress.com/2016/04/10/week-14-2016/. He does a very good job covering things I miss and frankly I should just be copying and pasting his posts here, but I think that's looked down on. 

So Phil, if you are reading this. Do you want to post here on Saturdays?

That's all for this week! Did I miss something? Post a link to a blog or site I need to add to my feedly below.

Also Read: Daily Blog #375 

Read More

Daily Blog #369: Saturday Reading 4/9/16

Hello Reader,

          It's Saturday! I'm excited to post my first Saturday Reading in almost two years!. While I get to work on seeing whats changed in the world of rss feeds and twitter tags since I last did this, here is this weeks Saturday Reading!

1. We had a great forensic lunch this week.  We had Jared Atkinson talking all about how to do forensics on a live system or mounted image with his Powershell framework PowerForensics.

• You can grab your own copy of PowerForensics on Github here: https://github.com/Invoke-IR/PowerForensics
• Read his Blog here: www.invoke-ir.com
• Vote for him in the Forensic4Cast Awards here: https://forensic4cast.com/forensic-4cast-awards/
• Reminder I'm up for voting in another category as well!
• and of course you can follow him on Twitter here: https://twitter.com/jaredcatkinson

You can watch the episode on youtube here: https://www.youtube.com/watch?v=uCffFc4r4-k

2. Adam over at Hexacorn is continuing to update his tool DeXRAY which can examine, extract and detail information about the malware that 20 different anti virus products. If you've ever been frustrated that the very thing you need to analyze is being withheld by an anti virus products quarantine this should help. 

Read more about it and download it here: http://www.hexacorn.com/blog/2016/04/06/dexray-twentin-quarantino/

3.  On the CYB3RCRIM3 blog there is a neat post covering the basic facts and a judges ultimate opinion regarding a civil case that involved the Computer Fraud and Abuse Act (CFAA). While there are alot of criminal cases out there that have CFAA charges there are few civil CFAA cases that I know of, outside of the ones I've been involved in. 

Read more here: http://cyb3rcrim3.blogspot.com/2016/04/unauthorized-access-former-employees.html

4. Harlan has a new post up on his blog Windows Incident Response. It covers some new WMI persistence techniques he's seen used by attackers in the wild. Not only does Harlan link to a blog he wrote for SecureWorks on the topic but he also linked to a presentation written by Matt Graeber from Mandiant.

Read more here: http://windowsir.blogspot.com/2016/04/cool-stuff-re-wmi-persistence.html

5. Also on Harlan's Blog he's let us know that the 2nd version of Windows Registry Forensic is out! 

Read more about here and get a copy for yourself! http://windowsir.blogspot.com/2016/04/windows-registry-forensics-2e.html

6. The 2016 Volatility Plugin Contest is live! If you have an idea or just want to go through the learning process of how to write a Volatility plugin for cash and prizes you should go here: http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-contest-is.html

Did I miss something? Let me know in the comments below!

Also Read: Daily Blog #368

Read More

Daily Blog #363: Saturday Reading 6/21/14

Hello Reader,
         It's Saturday! I don't know about you but it's been a long week. While we both finishing tracking down those miscreants we've been hunting this week, here's some links to make you think while volatility runs in this weeks Saturday Reading!

1. We had a great forensic lunch this week.  We had (in order of appearance)

• Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has two presentations he has done on the subject so I hope to talk him into a guest blog about it, if he does not put up his own blog first.
• Detective Cindy Murphy, with the Madison Wisconsin police talking all about Mobile Forensics and her journey in DFIR. 

For those who watched the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch it here:  https://www.youtube.com/watch?feature=player_embedded&list=UUZ7mQV3j4GNX-LU1IKPVQZg&v=bI9T2-bnbM0

2. AppleExaminer has updated the OSX and IOS focus lists, cheat sheets of where to look for artifacts. Get it here: http://www.appleexaminer.com/files/b79f4470195d89b9d6a6ec0e4f8799fa-68.html

3. Craig Ball has a new post up and his perspective as a special master is always interesting. This week he is talking about an issue he is facing where he's trying to understand someones motive for inflating their fees http://ballinyourcourt.wordpress.com/2014/06/19/unconscionable/

4. Corey Harrell has posted up a review of Harlan's updated WFA http://journeyintoir.blogspot.com/2014/06/review-of-windows-forensic-analysis-4th.html

5. Matthew, my partner in lunch, posted a new entry to his new blog. Talking all about additional fields stored within the prefetch files revealing file record numbers and sequence numbers http://forensicmatt.blogspot.com/2014/06/possible-new-field-identified-in.html

That's all for this week!

Also Read: Daily Blog #362

Read More

Daily Blog #356: Saturday Reading 6/14/14

Hello Reader,
       It's been a long couple of weeks for me and I'm enjoying a little down time this weekend. What better way to wind down then with some good reads to help next weeks work be even better with new information and new tools. It's time for links to make you think in this weeks Saturday Reading!

1. The forensic lunch this week again had no guests but plenty of content:
This week we talked about:
The SANS DFIR Summit, our favorite talks and what makes it stand out as a conference
Dave Hull's, @davehull project Kansa http://github.com/davehull/kansa
An in depth discussion of Volume Shadow Copies discssuing:

• How to identify how much shadow copies are active on a volume (without VSS Admin)
• Evidence of Automatic vs Manual VSC deletion
• What different tools show for how many VSCs exist
• What you can and can't implictily trust
• How to validate what you see

More about what forensic tools should provide to an examiner at a minimum
And BBQ Summit talk!

2. Matt has his own blog back up to talk about all things beard worthy, this weeks entry is all about good forensic dev work. You can read his first blog post here http://forensicmatt.blogspot.com/2014/06/what-makes-great-tool-in-dfir.html

3.  All of the presentation materials from the SANS DFIR Summit are now online for your viewing, https://digital-forensics.sans.org/community/summits . In the neat future there should be videos of them up as well!

4. Adrian aka Cheeky4N6Monkey has a new post up this week discussing some internal structures and data sources in examining Windows Phone 8 devices, http://cheeky4n6monkey.blogspot.com/2014/06/monkeying-around-with-windows-phone-80.html. Cool stuff!

5. On the plaso blog there is a write up by Ashley all about how to get your Plaso timeline into Elastic Search (and then Kibana) http://blog.kiddaland.net/2014/06/ill-take-some-elasticsearchkibana-with.html

6.  The Forensic 4:Cast awards have come and gone, come see who won on the 4:cast Blog (Hint I did!) https://forensic4cast.com/2014/06/4cast-awards-2014-2/

Also Read: Daily Blog #355

Read More

Daily Blog #349: Saturday Reading 6/7/14

Hello Reader,
             It's been a long and enjoyable week helping out in FOR408 here at the SANS DFIR Summit. I've haven't kept up with blogs much this week as I focused on what was happening in class and work, but that's OK as it lead to me finding some new sources tonight! So get ready for more links to make you think in this week's Saturday Reading.

1. We had a great Forensic Lunch today. We didn't have any official guests this week , just Matthew, You and I talking about what was interesting to us this week. We talked about:

1. The SANS DFIR Summit
2. The For 408 class I am currently assisting with
3. The research into USB Device history that is leading to a race for application development between Eric Zimmerman and myself
Here are the links to he USB device lookups I found:
Official list of Vendors from USB.org (requires you to convert from decimal to hex to match in the registry) http://www.usb.org/developers/tools/comp_dump
The Linux USB driver list of known USB Vendors and Products:
http://www.linux-usb.org/usb.ids
4. A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.

You can watch it here: https://www.youtube.com/watch?v=I5PaghWRj8k

2. Kristinn has released version 1.1.0 of Plaso, you can read whats new here http://blog.kiddaland.net/2014/06/what-is-one-to-say-about-june-time-of.html and take advantage of all the work happening in that project.

3. Lenny Zeltser has a new blog post up on the SANS DFIR Blog all about recovering evidence of older versions of malicious office macros within documents, read it here http://digital-forensics.sans.org/blog/2014/06/05/srp-streams-in-office-documents-reveal-earlier-macros.

4. On the threat geek blog is a good write up on how to avoid screwing up your next IR job, http://www.threatgeek.com/2014/06/how-to-screw-up-an-incident-response.html.

5. Sarah Edwards has a new blog post up on her new mac4n6 blog all about HFS+ http://www.mac4n6.com/blog/2014/6/2/omg-hfs-ftw as a file systems person I highly recommend it.

6. Corey Harrell has a new post up following up on last years triage focused talk with one focused on root cause analysis, read it here http://journeyintoir.blogspot.com/2014/06/malware-root-cause-analysis-dont-be.html

7. Jack Crook has a new blog up all about the deciding factors when deciding if your IR and SOC team should be silo'd http://blog.handlerdiaries.com/?p=613

Also Read: Daily Blog #348

Read More

Daily Blog #342 Saturday Reading 5/31/14

Hello Reader,
       It's Saturday! Another week of forensics has passed us by and its time reflect on facts hard fought and mysteries left to solve. It's time for more links to make you think in this weeks Saturday Reading.

1. We had a fun Forensic Lunch this week with:

• Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware at the SANS DFIR Summit. Here are the slides from her presentation at Bsides NOLA https://googledrive.com/host/0B_qgg13Ykpypekw4d2hwLVJmeDg/REMacMalware.pdf
• Lee Whitefield, @lee_whitfield, talking about the current Trucrypt conspiracy theories and what may have happened

You can watch it here: https://www.youtube.com/watch?v=4ZWP9ZZ71bk

2. Over on the Apple Examiner blog here is a new writeup on making a portable OSX triage workstation, if you are a OSX user its a good read http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/PFW/PFW.html

3. The volatility blog has been updated with a large set of information, including updates on their book and the announcement of their yearly plugin contest. Get involved and win a prize! http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html

4. On the Digital Forensic Tips blog there is a writeup on how to deal with Trucrypt in your investigations, its a good summary and worth a read http://digitalforensicstips.com/2014/05/some-basic-options-when-dealing-with-truecrypt-aka-finally-a-forensics-post/

5. On the hexacorn blog Adam has a write up about a new malware variant that is targeting Windows Sidebar gadgets, http://www.hexacorn.com/blog/2014/05/24/upatres-gadgetry/

6. Brian Moran has a new blog up in his series on artifacts of Bluetooth data exfil, read part 4 here http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_29.html

7. The papers presented at DFWRS EU 2014 are up and I'm looking forward to reading new research, http://dfrws.org/2014eu/program.shtml, you might seem some blog posts pop up on the most interesting to me

8. Glen Edwards, Jr and Ian Ahl of fireye put up their slides from Bsides NOLA called 'Mo' Memory No Problems' https://speakerdeck.com/hiddenillusion/mo-memory-no-problem

9. The Open Security Research blog has been updated with a how to guide to remote memory acquisition in Linux, very cool http://blog.opensecurityresearch.com/2014/05/acquiring-linux-memory-from-server-far.html

10. J Michel has posted a step by step walk through of a journey into chip off, something I'm very interested in http://blog.j-michel.org/post/86992432269/from-nand-chip-to-files

Also Read: Daily Blog #341

Read More

Daily Blog #335: Saturday Reading 5/24/14 - TriForce, CEIC, and More

Hello Reader,
       It's Saturday and after a long two weeks in Las Vegas it was back to the lab with expert reports and declarations waiting for me to write. If you are like me and recovering your work load its time to keep up with the latest research to see how you can keep ahead of whats coming next. Time for more links to make you think in this weeks Saturday Reading.

0. We launched the Triforce ANJP! Go check it out and buy a copy at LINK N/A 

1. The Forensic Lunch this week was live from CEIC, with a total of three shows! You can watch them here:

Day 1: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-331-forensic-lunch-live-from.html
Day 2: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-332-forensic-lunch-live-from.html

2. Brian Moran has been very, very busy this week. Not only sending in a guest post to my blog but posting 4 blog posts of his own.

The first is a write up all about advanced analysis of the ZeroAccess rootkit and updates to his Windows response toolkit, http://brimorlabs.blogspot.com/2014/05/zeroaccess-windows-command-line-code.html

The next post is a three part series about data exfiltration using BlueTooth and the analysis to detect it
Part 1: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say.html
Part 2: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_22.html
Part 3: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_23.html

3. Sharon Nelson has a new blog post up covering a case involving a network engineer who decided to take down his old employer on the way out, http://ridethelightning.senseient.com/2014/05/network-engineer-sentenced-to-four-years-for-destroying-company-data.html. Read this to keep your office space dreams at bay.

4. Harlan has a new post up all about self publishing your next book. If you are considering writing a book please read Harlan's blog and carefully and understand the level of effort involved. Once you've done so carefully consider your next steps and what route to market you want to take:
http://windowsir.blogspot.com/2014/05/book-writing-to-self-publish-or-not.html

5. Adam from Hexacorn is back with part 12 of the beyond the run key series, this week with a focus on Rover autostart mechanism http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

6. Ryan over at Obsidian Forensics has a new blog up talking about the process of porting his previously perl tool Hindsight to python http://www.obsidianforensics.com/blog/python-version-of-hindsight-released/

7. Version 5 of REMnux has been released, a handy reverse engineering distribution gets better http://blog.zeltser.com/post/86508269224/remnux-v5-release-for-malware-analysts

8. A new release candidate for Plaso is out, Kristinn and team are asking that everyone test and report any bugs they find get a copy here:

https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.1.0/RC1

Also Read: Daily Blog #334

Read More

Daily Blog #328: Saturday Reading 5/17/14

Hello Reader,
         It's the weekend between ADUC and CEIC. If you are a conference warrior like me this is your chance to take a breath and catch up the world. Get ready for more links to make you think before another week of good talks and knowledge on this weeks Saturday Reading.

1.  If it's #1 on the list its the Forensic Lunch, this week live from ADUC! This week we had:

• Lee Reiber, @celldet, talking about what is new at AccessData, the conference, his product MPE+, FTK, insight and all the rest. It was fun getting to talk to him in person where I could ask hi, questions without a filter and we can get some good facts.
• Matt came on and we talked about new features in our upcoming release of Triforce ANJP! Showing how to find evidence of exploitation of an XP system with metasploit via the netapi exploit.
• Sheryl Falk, @sheryfalk, Pierre Lidome and I talking about our panel that I posted the slides to yesterday. Most importantly going over the most important things we said but didn't write down in the slides.

I hope you liked it and get ready for next week when we will be broadcasting live from CEIC and bringing the best information there to you at home.  You can watch the video here:
https://www.youtube.com/watch?feature=player_embedded&v=408XUV9gKXg

2. Harlan has a new blog up this week with updates and links, http://windowsir.blogspot.com/2014/05/updates.html. Most interesting to me was updates to Regripper!

3. The Forensic 4Cast award voting has been extended another week, read about it here: https://forensic4cast.com/2014/05/awards-update-deadline-change/. If you haven't done so already please vote (I'm up for two awards!) and help those who help you! Vote here: https://forensic4cast.com/forensic-4cast-awards/

4. Corey Harrell has a new blog post up all about what artifacts are left over from an exploit, http://journeyintoir.blogspot.com/2014/05/cve-2013-0074-3896-silverlight-exploit.html. These are always fun to read and can usually lead to you thinking of new sources of artifacts to look for.

5. Brett Shavers has a new blog post up announcing the arrival of training videos on WinFE, http://winfe.wordpress.com/2014/05/10/coming-soon-online-winfe-training-program/. I think WinFE is great and look forward to seeing these.

6. Going to be at CEIC? Make sure to signup for our TriForce party Wednesday night from 6-8pm or our TriForce classes! It's all free so go here and get a ticket:

http://www.eventbrite.com/e/triforce-training-sessions-and-launch-party-during-ceic-conference-tickets-11533471925

That's all for this week, see you tomorrow for another Sunday Funday challenge!

Also Read: Daily Blog #327

Read More

Daily Blog #321: Saturday Reading 5/10/14

Hello Reader,
         It's Saturday!  I'm feeling better and the skies are blue, its go drop the kids off with the grandparents and get ready for another week! Time for more links to make you think in this weeks Saturday Reading!

1. We had a great Forensic Lunch this week! Our guests this week (in order of appearance):

• Mari DeGrazia, @maridegrazia, talking about her research into the Thunderbird email client, its variations and the tool she has put out to work with it. You can read her post about this on her blog as well as grab the tool here: http://az4n6.blogspot.com/2014/04/whats-word-thunderbird-parser-that-is.html 
• Hal Pomeranz, @halpomeranz, talking about his research into Encrypted iTunes backups. How to extract out whats contained within them and when they were made, very cool stuff. Here are the links Hal mentioned:
• Stack overflow discussion of the manifest.mbdb file:  
• http://stackoverflow.com/questions/3085153/how-to-parse-the-manifest-mbdb-file-in-an-ios-4-0-itunes-backup 
• Link to download Hal's tool here: 
• https://github.com/halpomeranz/mbdbls 
• Lucas Zaichkowsky, @LucasErratus, from AccessData talking about his work there and a new reveal of their unified cybersecurity/response/forensics platform. Very cool stuff that I didn't realize they were already viewing. I'll have to get a better understanding of this technology!

You can watch it here:
https://www.youtube.com/watch?feature=player_embedded&v=mNLOokxME5A

2.  Harlan has a new post up on his blog with updates, most importantly to me is the new plugins available for RegRipper! http://windowsir.blogspot.com/2014/05/new-stuff.html
While I use a variety of tools its rare for me to not have regripper on hand.

3. David Kovar has a new post up on his view on Incident Response as it stands today, http://integriography.wordpress.com/2014/05/06/if-you-are-doing-incident-response-you-are-doing-it-wrong/. It's a good post that should help you put your reactive response efforts into the perspective of established emergency management processes to help you manage rather then respond.

4. Over on the Linux Sleuthing blog there is a new post showing how to use command line tools to parse search queries from history plists, nice walk through if you don't speak grep/sed/awk/regex http://linuxsleuthing.blogspot.com/2014/05/searching-for-searches.html

5. Michael Maurer has a new post up on the DiFT blog announcing the alpha release of a virtual machine that will take your supertimeline data into logstash and thus elastic search/kibana. A great resource if you don't have a team of developers on hand to solve all of these things for you: http://diftdisk.blogspot.com/2014/05/dift-alpha.html

Also Read: Daily Blog #320

Read More

Daily Blog #314: Saturday Reading 5/3/14

Hello Reader,
          It's very late in Iceland but with only a few weeks left in the daily blogging I can't stop now! It's Saturday so get ready for more links to make you think on this weeks Saturday Reading!

1. The Forensic Lunch this week went a bit off the norm and we had an open discussion time. Lee Whitfield, @lee_whitfield and Suzanne Widup, Suzanne Widup, joined us and your comments in an open discussion. We discussed an article linked by Brian Moran located here: http://eandt.theiet.org/news/2014/apr/hackers-heartbleed.cfm all about how some malware researchers are accessing bad guy forums using Heartbleed. You can watch it here: https://www.youtube.com/watch?feature=player_embedded&v=4iCYNiGWFDE

2. Lee Whitfield has a new post up talking about the value of SMART data from your disk drives in your analysis, read it here: https://forensic4cast.com/2014/05/be-smart/

3. I have to say I hope that the beyond the run key series never ends. Adam is back this time with another post showing how to turn the execution of Internet Explorer into a persistence mechanism. http://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/

That's all I have for this week, what did I miss? Post it in the comments below!

Also Read: Daily Blog #313

Read More

Daily Blog #307: Saturday Reading 4/26/14

Hello Reader,
    It's Saturday and I'm still at the National Collegiate Cyber Defense Competition. So while we reveal our plans to the 10 top student teams competing here, get your coffee or tea ready for this weeks reading to keep your own intruders out. Time for more links to make you think in this weeks Saturday Reading!

1. We had a short forensic lunch http://forensicmethods.com/webshell-log-analysis this week, This week we had:

Shelly Giesbrecht, @nerdiosity,  talking about her upcoming talk at the SANS DFIR Summit called '10 Ways To Make Your SOC More Awesome', learn more about the event here and you can hear a leadup to it on a SANS Webinar here: https://www.sans.org/webcasts/10-ways-rock-soc-97975

We also talked a bit about the National Collegiate Cyber Defense Competition where I am currently leading the red team before I had to run back to the fun! Also no audio issues!
You can watch it here: https://www.youtube.com/watch?v=M9Xtq1ZH74I&list=UUZ7mQV3j4GNX-LU1IKPVQZg

2.  Mari DeGrazia is back with a new post this week on parsing thunderbird archives, http://az4n6.blogspot.com/2014/04/whats-word-thunderbird-parser-that-is.html.

3. Chad Tilbury has a new post on Forensic Methods all about getting to know your web logs, http://forensicmethods.com/webshell-log-analysis.

4. Yogesh Katri has a new post up all about additional locations where Windows 8.1 stores search history, http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html. Going beyond lnk files to event logs and cache files.

5. Jake Williams has a new post up taking about how to get Sift 3.0 running in an Amazon EC2 instance, http://malwarejake.blogspot.com/2014/04/sift-in-ec2.html.

6. Brian Moran has a new post up all about geolocating a devices past history, and its not a mobile phone. http://brimorlabs.blogspot.com/2014/04/you-dont-know-where-that-device-has-been.html.

7. Dave Hull has a new post up talking about the release of a new windows response tool he's preparing for his talk at the DFIR Summit, http://trustedsignal.blogspot.com/2014/04/kansa-modular-live-response-tool-for.html.

Also Read: Daily Blog #306

Read More

Daily Blog #300: Saturday Reading 4/19/14

Hello Reader,
        300 daily blogs in a row! Wow, I really wondered if I would get this far an its nice that I hit 300 on a Saturday Reading which are some of the more popular daily posts. Thank you very much for those of you who have been keeping up with the dailies and to those who have left comments/feedback. I'm not done yet, 62 more posts to go to finish my year so get that coffee brewing or your tea steeping and let's get ready more more links to make you think on this weeks Saturday Reading.

1.  Well we thought we fixed our sound issues but they krept back in today. We will be fixing this next week so don't fear! However the good news is that its just our sound that sounds muffled, our guests sound great! So please watch our following guests talk about their very interesting topics.

This week we had, in order of appearance:
Santiago Ayala, @darthsaac, talking about his career in DFIR leading up to his nomination for a Forensic 4cast award nomination as Digital Forensic Examiner of the year! Listen to what Santiago has to say to see if you want to vote for him!

Lee Reiber, @celldet, talking about a couple things:
His upcoming trainings at the AccessData Users Conference on MPE+ , mobile forensics and python scripting with MPE+: https://www.ad-users.com/
His upcoming talk at the SANS DFIR Summit called Peeling the Application Like an Onion which focuses on analysis of mobile applications, check out more here
and a good discussion on mobile forensics in its current state and where things are headed.

Chris Pogue, @cpbeefcake, talking about a couple things:
His upcoming talk at the SANS DFIR Summit called The Life Cycle of Cybercrime which focuses on the complete life of a case from where it starts to how law enforcement gets involved locally and globally, check out more here
All about Sniper forensics, his team at Trustwave and the difficulties of doing DFIR around the world.

You can watch it here: https://www.youtube.com/watch?feature=player_embedded&v=d-HeQvRgq5o

2. Adam on the Hexcorn blog is the digital equivalent of a mad scientist. He has continued his Beyond the Run Key series to part 10 now and dives into how to turn MS Office (and sometimes internet explorer) into a persistence mechanism! Crazy stuff, read it here http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/.

3. Dan Pullega has a new post up on his 4n6k blog on an issue I've had to deal with in the past. He's showing how to deal with virtual disks and snapshots, a real issue when you are trying to get a view of the filesystem at X time. Read the post here and get some good solutions to this problem, http://www.4n6k.com/2014/04/forensics-quickie-merging-vmdks.html.

4. Harlan has been talking about TTP's and the need increase your organizations ability to capture and deal with them in order to move up the pyramid and push the pain back at the attacker. The second post in series here, http://windowsir.blogspot.com/2014/04/follow-up-on-ttps-post.html, and links to the first but more importantly it includes highlights from a conversation that took place on Google+ after the first post where some very good discussion went on. If you are trying to raise your organizations ability to detect and respond read this.

5. Julie Desautels has finished up her Google Glass research and has made a very nice and informative guide to Google Glass forensics. If you ever find yourself needing to examine one, and that will likely happen any day, you should keep this bookmarked: http://desautelsja.blogspot.com/2014/04/a-forensic-examiners-guide-to-google.html

That's all for this week, did I miss something? Leave it in the comments below so everyone can read it!

Also Read: Daily Blog #299

Read More

Daily Blog #293: Saturday Reading 4/12/14

Hello Reader,
                It's Saturday! One week behind you, another week ahead. In between those two events let's focus on what we can learn to make next week even better. Here are more links to make you think in this week's Saturday Reading.

1. If it's the first link of the week it must be the forensic lunch! This week we had:

Anthony Di Bello from Guidance Software talking about CEIC. CEIC is our industries biggest conference and we will be there. If you are interested go here http://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx and follow them on twitter @encase

David Dym talking about his upcoming talk on SQLite forensics at CEIC and the early release of a new tool called SQLiteDiver which comes in GUI and CLI forms. You can download SQLiteDiver here: http://www.easymetadata.com/Downloads/SQLiteDiver/ and you can see Dave talk about it and SQLite forensics at CEIC!

You can watch it here: https://www.youtube.com/watch?v=ZEXnP34jf1I&list=UUZ7mQV3j4GNX-LU1IKPVQZg

2. There's a new blog in town, Jan Verhulst's 4ensics.net. He's written a good post on report writing, and a couple things before that, that I think you should take a look at here: http://www.4ensics.net/home/2014/4/2/r8nqt1isgo3lvaxtbcx7xy8iyqu6uq. Thanks to Jan who let me know he started a blog so I can have more sources to review! If you are getting ready to put out research, let me know! I want to help you get your work the most exposure possible.

3. Richard Drinkwater has made a new post on his blog 'Forensics from the sausage factory'. I've always enjoyed Richard's blog and his great analysis, this weeks entry is no different. Richard is facing a common scenario that many of us face, receiving an image without access to the original machine it came from. He did the work to determine the plist that would allow him to know if automatic time syncing via NTP was enabled on OSX. If you get a OSX image in and want to know if the timestamps are accurate this is worth a read, http://forensicsfromthesausagefactory.blogspot.com/2014/04/mac-os-x-set-date-and-time-automatically.html.

4. Jake Williams has a post up on the SANS blog with all of his Heartbleed slides, notes a link to his webcast on the subject. Heartbleed is going to be a ongoing problem for years to come so it would be wise to get up to date on it now, http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc.

5. Chad Tilbury has also a new post up on the SANS blog, his is all about how to use the new CrowdStrike tool CrowdResponse. In reading through the post its clear that this is powerful tool for large scale yara scanning of systems. Make sure to give this a read http://digital-forensics.sans.org/blog/2014/04/09/signature-detection-with-crowdresponse.

6. Andrew Case has a new post up on the Volatility labs blog this week showing how to build a decoder for a piece of shellcode http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html. If you are trying to become a better malware reverser you should reread this a couple dozen times.

7. Harlan Carvey's latest edition of Windows Forensic Analysis is out this time with a focus on Windows 8 forensics. I own most of Harlan's books and always appreciate the work he puts into making them such a good reference guide going forward, you can buy it here http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Edition/dp/0124171575/.

8. 'Chip_DFIR' is a blog that I just found thanks to the #dfir hash tag on twitter this week. Chip has put a two part post, with the second part posted this week, covering how to recover and analyze deleted Chrome cache artifacts and metadata. You can read it here http://chipdfir.blogspot.co.uk/2014/04/chrome-cache-wheres-stash-part-2.html.

9. Sketchymoose blog has a new post up on using a Live USB boot drive to deal with encrypted drives with drive locked systems, http://sketchymoose.blogspot.co.uk/2014/04/creating-live-usbcd-for-whatever-reason.html. Always good to see good posts showing what people have learned from work in the field.

Also Read: Daily Blog #292

Read More

Daily Blog #286: Saturday Reading 4/5/14

Hello Reader,
                 It's Saturday! After another long week on the DFIR road I hope your canceled flights get you home on time and with good in flight wifi. It's time for more links to make you think with in this week's Saturday Reading.

1. We had a fun forensic lunch this week! This week we had:
Dave Hull from Microsoft, you can follow Dave on Twitter @davehull , his blog http://trustedsignal.blogspot.com/ and on github https://github.com/davehull.
You should come to the SANS DFIR Summit and see him there as well!

Vico Marizale or Joe Sylve from 504ensics came back for their 3rd week of commitment! @vicomarziale and @jsylve. You should get involved with their new registry timestamp project by emailing them info@504labs.com to get their tool and start helping to discover unknown registry timestamps!

If you are not going to ADUC or CEIC you should also consider going to B-Sides NOLA, learn more about it here: 
http://www.securitybsides.com/w/page/71231585/BsidesNola2014

Watch the forensic lunch here: https://www.youtube.com/watch?feature=player_embedded&v=Knr_rdLbgk0

2.  Harlan has a new blog post this week with an update on what he's up to , where he's going to be speaking,an update on the 4th edition of WFA, regripper and some research he's found interesting, http://windowsir.blogspot.com/2014/04/whats-up.html

3. Yogesh Khatri has a new blog post up on the return of thumbcache.db files in Windows 8, http://www.swiftforensics.com/2014/04/windows-8-thumbsdb-files-still-same-and.html. Windows 8 systems are coming to an examination near you so start catching up!

4. Lee Whitfield has posted a blog explaining who all of the nominee's of Forensic 4cast awards are this year, http://forensic4cast.com/2014/04/2014-forensic-4cast-awards-meet-the-nominees/. I'm there twice!

5. Are you a Linux person who wishes they could run RegRipper without wine? Wish no more as Willi Ballenthin has figured out how to do it, for Debian atleast http://www.williballenthin.com/blog/2014/04/02/regripper-on-linux/

6. Yogesh Khatri has been busy this week, he has a second post up on Windows 8 search history forensics, http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html

7. Anuj Soni has a new post on the SANS DFIR Blog, http://digital-forensics.sans.org/blog/2014/03/31/the-importance-of-command-and-control-analysis-for-incident-response. He explains the value and importance of C2 analysis in your malware investigations.

8. In what Dan Pullega calls a forensic quickie, which is a long post for anyone else!, he explains the value of source code analysis in your dynamic analysis http://www.4n6k.com/2014/03/forensics-quickie-verifying-program.html

That's a pretty great week of new posts, get to reading!

Also Read: Daily Blog #285 

Read More

Daily Blog #279: Saturday Reading 3/29/14

Hello Reader,
        Another week has come and gone. I hope it was filled with factual revelations and case breaking moments. It's time to get ready for next week and all the new artifacts and DFIR knowledge that awaits you in this weeks Saturday Reading.

1. We had an unusual Forensic Lunch this week but still chock full of great DFIR information. This week we had:

Vico Marziale, @vicomarziale, from 504ensics, discussing their memory differencing project amongst other topics

Lee Whitfield, @lee_whitfield, discussing the upcoming deadline for Forensic 4cast award nominations and the trouble with time machines

You can watch it here: https://www.youtube.com/watch?v=fyDPxUXS1FQ&list=UUZ7mQV3j4GNX-LU1IKPVQZg

2.  Harlan has a new blog post up this week on why he writes DFIR books, I have similar reasons to Harlan and found it a great read, http://windowsir.blogspot.com/2014/03/writing-dfir-books_28.html

3. Harlan put up a second post this week advocating for why you should learn how to program if you plan to excel in DFIR something I absolutely agree with, http://windowsir.blogspot.com/2014/03/coding-for-digital-forensic-analysis.html

4. Corey Harrell has a new post up this week talking about yet another program execution artifact. This one covers a new event log that also tracks program execution related to the application compatibility artifacts he's been blogging about, http://journeyintoir.blogspot.com/2014/03/exploring-program-inventory-event-log.html

5. SANS has a new post up on their computer forensics blog with a link to download their know DFIR poster, http://digital-forensics.sans.org/blog/2014/03/26/finding-evil-on-windows-systems-sans-dfir-poster-release. The poster gives a great set of reference knowledge on 'knowing normal' to find evil.

6. Lenny Zelster has put up a series of introductory videos to malware analysis, great watching http://blog.zeltser.com/post/80874760857/introductory-malware-analysis-webcasts

7. Brian Moran has been updating and working on his live response scripts that he's been giving away. In this post Brian goes into how to detect the JackPOS malware using the data collected by his response script http://brimorlabs.blogspot.com/2014/03/windows-live-response-collection-vs.html

That's all for this week, make sure to come back tomorrow for another Sunday Funday challenge!

Also Read: Daily Blog #278

Read More

Daily Blog #272: Saturday Reading 3/22/14

Hello Reader,
          It's Saturday! Put the kids outside (if its above freezing where you are) and brew your favorite beverage because it's time to get ready for the week ahead! It's for more links to make you think in this week's Saturday reading.

1. We had another great forensic lunch this week, this week we had:
Vico Marziale, @vicomarziale Talking about the research being done at 504ENSICS Labs and specifically into the OSX Spotlight index.

You can get a copy of spotlight inspector here:
http://www.504ensics.com/tools/digital-forensics-tool-spotlight-inspector/

You can read the 504ensiecs blog here
http://www.504ensics.com/blog/

You can see the rest of their website and tools here:
http://www.504ensics.com/

Nasa Quba & Kausar Khizra   - Talking about their research on Windows 8 File History!
You can see Nasa & Khizra at the SANS DFIR Summit this june go into depth into this research during an hour presentation on the topic!
Go here to learn more

To contact Nasa  & Khizra their linkedin page is here:
http://www.linkedin.com/in/kausarkhizra/
www.linkedin.com/pub/nasa-quba/39/715/382/

2. Didier Stevens has a new blog up talking about how to find embedded executables with his tool Xorsearch. Very cool stuff read it here: http://blog.didierstevens.com/2014/03/20/xorsearch-finding-embedded-executables/

3.  On the SP Security Blog there is a great writeup on the examination of a rootkit using Volatility, http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html Always nice to see how someone else solves these kinds puzzles.

4.  Brian Moran has a new blog post up with his OSX live response scripts, http://brimorlabs.blogspot.com/2014/03/announcing-osx-live-response-bash.html If you are doing live response Brian's scripts are very helpful.

5. Darren Windham has a new blog up this week talking about the side effects of having McAfee installed when you are trying to do memory analysis, http://dfirtx.blogspot.com/2014/03/update-from-this-week-mcafee-and-memory.html

6. Version 3 of the SANS SIFT virtual machine is out,http://digital-forensics.sans.org/community/downloads

7. The Rekall memory forensics blog has a post up on how simple it can be to stop memory acquisitions, very interesting http://rekall-forensic.blogspot.fr/2014/03/how-to-stop-memory-acquisition-by.html

8. Frank McClain has a new blog up talking about his planned talk at this years SANS DFIR Summit, http://forensicaliente.blogspot.com/2014/03/presenting-dfir-shakespeare-style-dfir.html

Did I miss something? Let me know in the comments below!

Also Read: Daily Blog #271

Read More

Daily Blog #265: Saturday Reading 3/15/14

Hello Reader,
          It's Saturday! If you are working the weekend than just think that all those annoying co-workers who normally bug you aren't there today! It's time to learn something new while you watch the progress bars flow on this weeks Saturday Reading.

1. We had another great Forensic Lunch today, I hope you will consider making time in your Friday to watch it live someday as I think its just way more fun live. You can watch it here:
https://www.youtube.com/watch?v=BtB8DA4dQ7s&list=UUZ7mQV3j4GNX-LU1IKPVQZg

This week we had in order of appearance:

Jake Williams, @malwarejake, talking about the results of the SANS Endpoint Security survey and the positions they are looking to hire at the Mayo Clinic for those of  you looking for senior DFIR positions!
You can also train with jake next month in Orlando and elsewhere, go here to see the classes he's teaching https://www.sans.org/instructors/jake-williams.
SANS/Guidance Endpoint Security Survey Webcast - http://bit.ly/1hYUYMU
Alissa's Memory Forensics Class - Orlando, http://bit.ly/1e0ZEkD
Jake's Log Management and Forensics Class - Orlando, http://bit.ly/PBqkQy
Jake and Alissa's Memory Forensics vLive class - http://bit.ly/1imyw0V

Brian Baskin, @bbaskin, talking about his research, blog (ghetto forensics), books (here is an amazon link), and his work at DC3 where they are looking for people interested in DFIR with a clearance who live in the Baltimore area! Reach out to him if you are interested.

Vladimir Katalov, @vkatalov, the CEO of Elcomsoft talking about upcoming research regarding iCloud key chain recovery from network traffic, Blackberry 10 backups, accessing cloud storage and which gpus work well for long term password cracking. You can go to elcomsoft's website here and these are my favorite tools they sell:
Elcomsoft Phone Password Breaker http://www.elcomsoft.com/eppb.html, great for cracking encrypted phone backups and accessing iCloud backups!
Elcomsoft iOS Toolkit, http://www.elcomsoft.com/eift.html, great for low level working in iOS forensics.
Elcomsoft password cracking bundle, http://www.elcomsoft.com/eprb.html, a nice collection of there password cracking tools

2.  Alissa Torres has a cool blog up on the SANS blog about carving network streams from memory dumps, check it out http://digital-forensics.sans.org/blog/2014/03/14/stream-based-memory-analysis-case-study.

3. A reminder there is still time to nominate your favorite DFIR software vendor, blogger, tool maker and personalities for Forensic 4:cast awards, Go here: http://forensic4cast.com/forensic-4cast-awards to nominate. Speaking as someone who was nominated and won an award last year I can say that it really does make the day of the person you nominate to even see their work recognized. So do the community a favor and nominate those who you feel deserve it!

4.  Colby Lahaie has a blog up involving his capstone research to fulfill his degree requirements over at Champlain. He's researching the what the cloud storage program Idrive leaves behind from a disk and network point of view. Keeping up with the cloud can be tough so I am always looking for more information, read it here: http://lahaie4n6.blogspot.com/2014/03/whats-life-like-in-clouds.html

5. Brian Moran has a new post up about lessons learned from his recent weeks in the field, http://brimorlabs.blogspot.com/2014/03/some-quick-lessons-learned.html. Learning lessons from others who are where you may be in the near future can save you a lot of trouble later.

6. Andrew Hay landed at Open DNS and wrote a blog post about life as a researcher, I like it! http://labs.umbrella.com/2014/03/10/only-easy-research-day-was-yesterday/

7. Hidden Illusion has a neat blog post up on using Yara to brute force Xor encoded strings, http://hiddenillusion.blogspot.com/2014/03/bruteforcing-xor-with-yara.html. 

8. Corey Harrell has a new blog up this week talking about how he got into DFIR, I hope someday to get Corey to come on the lunch and talk about himself and his work. http://journeyintoir.blogspot.com/2014/03/lose-yourself-in-dfir-music.html

That's all for this week, let me know if I missed anything either in the comments, twitter or email. I'm always looking for more good things to read!

Also Read: Daily Blog #264

Read More