
Daily Blog #376: Saturday Reading 4/16/16

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,

          It's Saturday! Soccer games, birthday parties and forensics, oh my! That is my weekend, how's yours? If it's raining where you are and the kids are going nuts, here are some good links to distract you.

1. Didier Stevens posted an index of all the posts he made in March, https://blog.didierstevens.com/2016/04/17/overview-of-content-published-in-march/. If you are at all interested in malicious document deconstruction and reverse engineering, it's worth your time to read.

2. If you've done any work on ransomware and other drive-by malware deployments, this article by Brian Krebs on the sentencing of the Blackhole exploit kit author is worth a read: http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/

3. Harlan has a new blog up this week with some links to various incident response articles he's found interesting, http://windowsir.blogspot.com/2016/04/links.html. This includes a link to the newly published 2nd edition of Windows Registry Forensics!

4. Mary Ellen has a post up with a presentation she made regarding the analysis of phishing attacks, http://manhattanmennonite.blogspot.com/2016/04/gone-phishing.html. The presentation also links to a malware lab. Maybe this will lead to more posts from Mary Ellen.

5. Adam over at Hexacorn has a very interesting write-up on EICAR, http://www.hexacorn.com/blog/2016/04/10/a-few-things-about-eicar-that-you-may-be-not-aware-of/. I wasn't aware of EICAR until Adam posted about it and found the whole read fascinating. EICAR is apparently a standard file created to allow anti-virus developers to test their own software, and as Adam discusses, others have made their own variations.

6. In a bit of inception posting, Random Access has a weekly reading list of his own on his blog. This is his post from 4/10/16, https://thisweekin4n6.wordpress.com/2016/04/10/week-14-2016/. He does a very good job covering things I miss, and frankly I should just be copying and pasting his posts here, but I think that's looked down on.

So Phil, if you are reading this: do you want to post here on Saturdays?

That's all for this week! Did I miss something? Post a link to a blog or site I need to add to my feedly below.

Daily Blog #369: Saturday Reading 4/9/16

Hello Reader,

          It's Saturday! I'm excited to post my first Saturday Reading in almost two years! While I get to work on seeing what's changed in the world of RSS feeds and Twitter tags since I last did this, here is this week's Saturday Reading!

1. We had a great Forensic Lunch this week. We had Jared Atkinson talking all about how to do forensics on a live system or mounted image with his PowerShell framework PowerForensics.

You can watch the episode on youtube here: https://www.youtube.com/watch?v=uCffFc4r4-k

2. Adam over at Hexacorn is continuing to update his tool DeXRAY, which can examine, extract and detail information about the malware that 20 different anti-virus products quarantine. If you've ever been frustrated that the very thing you need to analyze is being withheld by an anti-virus product's quarantine, this should help.

3. On the CYB3RCRIM3 blog there is a neat post covering the basic facts and a judge's ultimate opinion regarding a civil case that involved the Computer Fraud and Abuse Act (CFAA). While there are a lot of criminal cases out there that have CFAA charges, there are few civil CFAA cases that I know of, outside of the ones I've been involved in.


4. Harlan has a new post up on his blog Windows Incident Response. It covers some new WMI persistence techniques he's seen used by attackers in the wild. Not only does Harlan link to a blog he wrote for SecureWorks on the topic, but he also links to a presentation written by Matt Graeber from Mandiant.

5. Also on Harlan's blog he's let us know that the 2nd edition of Windows Registry Forensics is out!

Read more about it here and get a copy for yourself: http://windowsir.blogspot.com/2016/04/windows-registry-forensics-2e.html

6. The 2016 Volatility Plugin Contest is live! If you have an idea, or just want to go through the learning process of how to write a Volatility plugin for cash and prizes, you should go here: http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-contest-is.html

Did I miss something? Let me know in the comments below!


Also Read: Daily Blog #368

Daily Blog #363: Saturday Reading 6/21/14

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
         It's Saturday! I don't know about you, but it's been a long week. While we both finish tracking down those miscreants we've been hunting this week, here are some links to make you think while Volatility runs in this week's Saturday Reading!

1. We had a great Forensic Lunch this week. We had (in order of appearance):

  • Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has two presentations he has done on the subject, so I hope to talk him into a guest blog about it, if he does not put up his own blog first.
  • Detective Cindy Murphy, with the Madison, Wisconsin police, talking all about mobile forensics and her journey in DFIR.
For those who watched, the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch it here:  https://www.youtube.com/watch?feature=player_embedded&list=UUZ7mQV3j4GNX-LU1IKPVQZg&v=bI9T2-bnbM0

2. AppleExaminer has updated the OSX and iOS focus lists, cheat sheets of where to look for artifacts. Get them here: http://www.appleexaminer.com/files/b79f4470195d89b9d6a6ec0e4f8799fa-68.html

3. Craig Ball has a new post up, and his perspective as a special master is always interesting. This week he is talking about an issue he is facing where he's trying to understand someone's motive for inflating their fees: http://ballinyourcourt.wordpress.com/2014/06/19/unconscionable/

4. Corey Harrell has posted a review of Harlan's updated WFA: http://journeyintoir.blogspot.com/2014/06/review-of-windows-forensic-analysis-4th.html

5. Matthew, my partner in lunch, posted a new entry to his new blog, talking all about additional fields stored within the prefetch files that reveal file record numbers and sequence numbers: http://forensicmatt.blogspot.com/2014/06/possible-new-field-identified-in.html

That's all for this week!

Also Read: Daily Blog #362

Daily Blog #356: Saturday Reading 6/14/14

Saturday Reading - by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
       It's been a long couple of weeks for me and I'm enjoying a little down time this weekend. What better way to wind down than with some good reads to help next week's work be even better with new information and new tools. It's time for links to make you think in this week's Saturday Reading!

1. The Forensic Lunch this week again had no guests but plenty of content. This week we talked about:

  • The SANS DFIR Summit, our favorite talks and what makes it stand out as a conference
  • Dave Hull's (@davehull) project Kansa: http://github.com/davehull/kansa
  • An in-depth discussion of Volume Shadow Copies, discussing:
      • How to identify how many shadow copies are active on a volume (without VSS Admin)
      • Evidence of automatic vs. manual VSC deletion
      • What different tools show for how many VSCs exist
      • What you can and can't implicitly trust
      • How to validate what you see
  • More about what forensic tools should provide to an examiner at a minimum
  • And BBQ Summit talk!

2. Matt has his own blog back up to talk about all things beard-worthy; this week's entry is all about good forensic dev work. You can read his first blog post here: http://forensicmatt.blogspot.com/2014/06/what-makes-great-tool-in-dfir.html

3. All of the presentation materials from the SANS DFIR Summit are now online for your viewing, https://digital-forensics.sans.org/community/summits. In the near future there should be videos of them up as well!

4. Adrian aka Cheeky4N6Monkey has a new post up this week discussing some internal structures and data sources in examining Windows Phone 8 devices, http://cheeky4n6monkey.blogspot.com/2014/06/monkeying-around-with-windows-phone-80.html. Cool stuff!

5. On the Plaso blog there is a write-up by Ashley all about how to get your Plaso timeline into Elasticsearch (and then Kibana): http://blog.kiddaland.net/2014/06/ill-take-some-elasticsearchkibana-with.html

6. The Forensic 4:cast awards have come and gone; come see who won on the 4:cast blog (hint: I did!): https://forensic4cast.com/2014/06/4cast-awards-2014-2/

Also Read: Daily Blog #355


Daily Blog #349: Saturday Reading 6/7/14

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
             It's been a long and enjoyable week helping out in FOR408 here at the SANS DFIR Summit. I haven't kept up with blogs much this week as I focused on what was happening in class and work, but that's OK, as it led to me finding some new sources tonight! So get ready for more links to make you think in this week's Saturday Reading.

1. We had a great Forensic Lunch today. We didn't have any official guests this week, just Matthew, you and I talking about what was interesting to us this week. We talked about:

  • The SANS DFIR Summit
  • The FOR408 class I am currently assisting with
  • The research into USB device history that is leading to a race for application development between Eric Zimmerman and myself. Here are the links to the USB device lookups I found:
      • Official list of vendors from USB.org (requires you to convert from decimal to hex to match in the registry): http://www.usb.org/developers/tools/comp_dump
      • The Linux USB driver list of known USB vendors and products: http://www.linux-usb.org/usb.ids
  • A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.

You can watch it here: https://www.youtube.com/watch?v=I5PaghWRj8k

2. Kristinn has released version 1.1.0 of Plaso. You can read what's new here, http://blog.kiddaland.net/2014/06/what-is-one-to-say-about-june-time-of.html, and take advantage of all the work happening in that project.

3. Lenny Zeltser has a new blog post up on the SANS DFIR Blog all about recovering evidence of older versions of malicious Office macros within documents. Read it here: http://digital-forensics.sans.org/blog/2014/06/05/srp-streams-in-office-documents-reveal-earlier-macros.

4. On the Threat Geek blog there is a good write-up on how to avoid screwing up your next IR job: http://www.threatgeek.com/2014/06/how-to-screw-up-an-incident-response.html.

5. Sarah Edwards has a new blog post up on her new mac4n6 blog all about HFS+, http://www.mac4n6.com/blog/2014/6/2/omg-hfs-ftw. As a file systems person, I highly recommend it.

6. Corey Harrell has a new post up following up on last year's triage-focused talk with one focused on root cause analysis. Read it here: http://journeyintoir.blogspot.com/2014/06/malware-root-cause-analysis-dont-be.html

7. Jack Crook has a new blog post up all about the factors to consider when deciding if your IR and SOC teams should be silo'd: http://blog.handlerdiaries.com/?p=613

Also Read: Daily Blog #348

Daily Blog #342: Saturday Reading 5/31/14

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       It's Saturday! Another week of forensics has passed us by and it's time to reflect on facts hard fought and mysteries left to solve. It's time for more links to make you think in this week's Saturday Reading.

1. We had a fun Forensic Lunch this week with:
  • Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware at the SANS DFIR Summit. Here are the slides from her presentation at BSides NOLA: https://googledrive.com/host/0B_qgg13Ykpypekw4d2hwLVJmeDg/REMacMalware.pdf
  • Lee Whitfield, @lee_whitfield, talking about the current TrueCrypt conspiracy theories and what may have happened
You can watch it here: https://www.youtube.com/watch?v=4ZWP9ZZ71bk

2. Over on the Apple Examiner blog there is a new write-up on making a portable OSX triage workstation. If you are an OSX user, it's a good read: http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/PFW/PFW.html

3. The Volatility blog has been updated with a large set of information, including updates on their book and the announcement of their yearly plugin contest. Get involved and win a prize! http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html

4. On the Digital Forensics Tips blog there is a write-up on how to deal with TrueCrypt in your investigations. It's a good summary and worth a read: http://digitalforensicstips.com/2014/05/some-basic-options-when-dealing-with-truecrypt-aka-finally-a-forensics-post/

5. On the Hexacorn blog Adam has a write-up about a new malware variant that is targeting Windows Sidebar gadgets: http://www.hexacorn.com/blog/2014/05/24/upatres-gadgetry/

6. Brian Moran has a new blog post up in his series on artifacts of Bluetooth data exfil. Read part 4 here: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_29.html

7. The papers presented at DFRWS EU 2014 are up and I'm looking forward to reading new research, http://dfrws.org/2014eu/program.shtml. You might see some blog posts pop up on the ones most interesting to me.

8. Glenn Edwards, Jr. and Ian Ahl of FireEye put up their slides from BSides NOLA called 'Mo' Memory No Problems': https://speakerdeck.com/hiddenillusion/mo-memory-no-problem

9. The Open Security Research blog has been updated with a how-to guide to remote memory acquisition in Linux. Very cool: http://blog.opensecurityresearch.com/2014/05/acquiring-linux-memory-from-server-far.html

10. J. Michel has posted a step-by-step walkthrough of a journey into chip-off, something I'm very interested in: http://blog.j-michel.org/post/86992432269/from-nand-chip-to-files

Also Read: Daily Blog #341

Daily Blog #335: Saturday Reading 5/24/14 - TriForce, CEIC, and More

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       It's Saturday, and after a long two weeks in Las Vegas it was back to the lab with expert reports and declarations waiting for me to write. If you are like me and recovering your workload, it's time to keep up with the latest research to see how you can keep ahead of what's coming next. Time for more links to make you think in this week's Saturday Reading.

0. We launched the Triforce ANJP! Go check it out and buy a copy at LINK N/A 

1. The Forensic Lunch this week was live from CEIC, with a total of three shows! You can watch them here:

Day 1: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-331-forensic-lunch-live-from.html
Day 2: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-332-forensic-lunch-live-from.html

2. Brian Moran has been very, very busy this week. Not only did he send in a guest post to my blog, but he posted 4 blog posts of his own.

The first is a write-up all about advanced analysis of the ZeroAccess rootkit and updates to his Windows response toolkit: http://brimorlabs.blogspot.com/2014/05/zeroaccess-windows-command-line-code.html

The next is a three-part series about data exfiltration using Bluetooth and the analysis to detect it:
Part 1: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say.html
Part 2: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_22.html
Part 3: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_23.html

3. Sharon Nelson has a new blog post up covering a case involving a network engineer who decided to take down his old employer on the way out, http://ridethelightning.senseient.com/2014/05/network-engineer-sentenced-to-four-years-for-destroying-company-data.html. Read this to keep your Office Space dreams at bay.

4. Harlan has a new post up all about self-publishing your next book. If you are considering writing a book, please read Harlan's blog carefully and understand the level of effort involved. Once you've done so, carefully consider your next steps and what route to market you want to take:
http://windowsir.blogspot.com/2014/05/book-writing-to-self-publish-or-not.html

5. Adam from Hexacorn is back with part 12 of the Beyond the Run Key series, this week with a focus on the Rover autostart mechanism: http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

6. Ryan over at Obsidian Forensics has a new blog post up talking about the process of porting his previously Perl-based tool Hindsight to Python: http://www.obsidianforensics.com/blog/python-version-of-hindsight-released/

7. Version 5 of REMnux has been released; a handy reverse engineering distribution gets better: http://blog.zeltser.com/post/86508269224/remnux-v5-release-for-malware-analysts

8. A new release candidate for Plaso is out. Kristinn and team are asking that everyone test it and report any bugs they find. Get a copy here:

https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.1.0/RC1

Also Read: Daily Blog #334