
Saturday, August 17, 2013

Daily Blog #55: Saturday Reading 8/16/13

Hello Reader,
      Wait, It's Saturday? Where did the week go? It's time for another Saturday Reading where I list out what I've been reading this week and what tools we've been trying out. Let's get started.

1. We had another Forensic Lunch yesterday, http://www.youtube.com/watch?v=wOHG_pwHyRo, Brian Lockery came on to talk about the crimes against children conference and his products. We talked about our efforts to get TSK's API to bind to Perl and Matthew talked about his formal education toward a bachelor's in computer forensics.

2. If you watched the Forensic Lunch you heard me talk about SWIG, http://swig.org/, which is a pretty neat project. If you want to bind a C/C++ API to your choice of language (C#, Java, Perl, Python, Ruby, etc.) it will auto-generate code to wrap the functions and make them available. It takes some work to learn, but it does work!

3. I finally got the website for the book done, http://www.learndfir.com, and the links are all up for the new book. Just click on the cover to be taken to it! Next we need to upload the images we made for the analysis chapters so you can solve the cases at home.

4. Are you a Perl monk like I am? If so you should check out Inline C, http://search.cpan.org/~sisyphus/Inline-0.53/C/C-Cookbook.pod#The_Main_Course, which allows you to embed C and call out to C libraries within Perl. The code gets compiled at run time and then cached, allowing for C speed with Perl execution.

5. For those of you who heard Matthew talking about his college experience getting a degree in computer forensics, here are the programs he is graduating from. He is getting his Bachelor's in Information Assurance and Forensics from OSU IT http://www.osuit.edu/academics/information_technologies/ba_about.html and got his associate's in forensics from Richland https://www1.dcccd.edu/catalog/programs/degree.cfm?degree=digi_forensics_aas&loc=8

6. James Webb has proffered a maturity model for organizations to measure their incident response capabilities against. I thought it was a good write-up, http://blog.jameswebb.me/2013/08/modeling-ir-program-maturity.html

7. Over on the SANS blog Ira Victor has a nice write-up on his experience at Black Hat and DEF CON, http://computer-forensics.sans.org/blog/2013/08/11/case-leads-a-forensicators-take-on-blackhatdefconbsides. These are traditionally very infosec-focused conferences, so Ira has found those takeaways that are most relevant to forensics.

8. If you watched last week's Forensic Lunch we talked about extended MAPI parsing in Outlook. David Nides was nice enough to share a free package that parses this data, http://www.dimastr.com/redemption/home.htm, called Outlook Redemption. Check it out!

That's all this week, make sure you come back tomorrow for Sunday Funday! Another challenge and another prize for those that are ready to flex their forensic mental muscles!

Saturday, August 10, 2013

Daily Blog #48: Saturday Reading 8/10/13

Hello Reader,
            It's Saturday! Hooray! The week is over and FedEx pickup ends earlier today, meaning you either have extra time in the lab or some time at home. Either way, get some coffee and let's get our forensic reading going.

1. Joachim Metz has updated his volume shadow specification paper, not this week but recently enough that I didn't read it until this week. If you are at all curious about how the Volume Shadow Service data structures are stored, then read this for what I believe to be the most detailed guide outside of whatever internal team at Microsoft developed it. In addition, if you care more about the usage of volume shadow copies in your analysis and the existence of unallocated space in VSCs, you should read the paper he presented, which will answer questions you didn't even know you had.

2. Did you read yesterday's blog? No? Oh well, we had another Forensic Lunch with David Nides, Kyle Maxwell, Joseph Shaw and the fine fellows I work with at G-C Partners. Tune in and keep up with what I think was a great hour of forensic discussion.

3. Andrea London has posted the slides for her talk at DEF CON http://www.strozfriedberg.com/wp-content/uploads/2013/08/DefCon-2013.pdf titled 'The Evidence Self Destructing Message Apps Leave Behind'. Her talk covers a wider base of these applications than I've seen covered before, and it's a good read as she and Kyle O'Meara go deep into the file system internals and network traffic exchanged.

4. Lenny Zeltser posted a nice retrospective of how teaching Malware Analysis has grown, http://blog.zeltser.com/post/57795714681/teaching-malware-analysis-and-the-expanding-corpus-of. It's a nice short read and reinforced the idea that his advice remains the same 10 years later:
  • Too many variables to research without assistance
  • Ask colleagues, search Web sites, mailing lists, virus databases
  • Share your findings via personal Web sites, incidents and malware mailing lists

5. If you are doing USB device forensics and have a Windows 8 system that Woanware's USB Device Forensics application does not support yet, then check out TZWorks' USB Storage Parser. So far it's the only tool I have that takes the multiple Windows 8 USB artifacts and combines them into a single report of activity.

6. Hal Pomeranz put out a new Command Line Kung Fu entry this week, http://blog.commandlinekungfu.com/2013/08/episode-169-move-me-maybe.html, always a good read.

7. On an earlier Forensic Lunch you may have heard Rob Fuller talk about anti-forensic hard drive custom firmware. Going more into that topic, here is a great article about hard drive hacking showing how these firmware changes are researched, implemented and performed. If you are dealing with an advanced subject you might want to be aware of these new possibilities! http://spritesmods.com/?art=hddhack

8. In this week's Forensic Lunch we talked about parsing carved binary plists. For those of you looking to implement your own parsers or just trying to understand the format better, here are two sources. The first is the OS X code for binary plists, http://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c, and the second is a great write-up on plist forensics by CCL, http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf.
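To make the format concrete, here is an added example (mine, not code from the post, CCL or Apple's CFBinaryPList.c) of a minimal bplist00 reader in Python: it walks the 32-byte trailer to the offset table and then the object graph, covering null/bool, int, data, ASCII and UTF-16 strings, arrays and dicts. It assumes the object layout described in CFBinaryPList.c (date, real and UID markers are left unhandled), and the sample blob is constructed with the stdlib plistlib writer rather than taken from a real carve.

```python
import plistlib  # stdlib; used only to build the constructed sample blob
import struct

BPLIST_MAGIC = b"bplist00"

def _u(buf, off, size, signed=False):
    """Big-endian integer of `size` bytes starting at `off`."""
    return int.from_bytes(buf[off:off + size], "big", signed=signed)

def parse_bplist(buf):
    """Decode a complete bplist00 blob: trailer -> offset table -> object graph."""
    if not buf.startswith(BPLIST_MAGIC) or len(buf) < len(BPLIST_MAGIC) + 32:
        raise ValueError("not a complete bplist00 blob")
    # Trailer: 5 unused + sort-version byte, offset int size, object ref size,
    # object count, top object index, offset of the offset table.
    off_size, ref_size, num_objs, top, table_off = struct.unpack(">6xBBQQQ", buf[-32:])
    offsets = [_u(buf, table_off + i * off_size, off_size) for i in range(num_objs)]
    refs = lambda pos, n: [_u(buf, pos + i * ref_size, ref_size) for i in range(n)]

    def obj(idx):
        pos = offsets[idx]
        kind, info = buf[pos] >> 4, buf[pos] & 0x0F   # high nibble = type, low = size info
        if kind == 0x0:                                # null / false / true
            return {0x00: None, 0x08: False, 0x09: True}[buf[pos]]
        if kind == 0x1:                                # int of 2**info bytes; 8-byte ints are signed
            return _u(buf, pos + 1, 1 << info, signed=(info == 3))
        if info == 0x0F:                               # count too big for the nibble: int object follows
            isize = 1 << (buf[pos + 1] & 0x0F)
            count, pos = _u(buf, pos + 2, isize), pos + 2 + isize
        else:
            count, pos = info, pos + 1
        if kind == 0x4:                                # raw data
            return buf[pos:pos + count]
        if kind == 0x5:                                # ASCII string, count in bytes
            return buf[pos:pos + count].decode("ascii")
        if kind == 0x6:                                # UTF-16BE string, count in code units
            return buf[pos:pos + 2 * count].decode("utf-16-be")
        if kind == 0xA:                                # array: count object refs
            return [obj(r) for r in refs(pos, count)]
        if kind == 0xD:                                # dict: count key refs, then count value refs
            keys, vals = refs(pos, count), refs(pos + count * ref_size, count)
            return {obj(k): obj(v) for k, v in zip(keys, vals)}
        raise ValueError(f"unsupported object marker 0x{buf[offsets[idx]]:02x}")

    return obj(top)

def roundtrip(value):
    """Write `value` as bplist00 with plistlib and read it back with the parser above."""
    return parse_bplist(plistlib.dumps(value, fmt=plistlib.FMT_BINARY))

# Constructed sample, not a real artifact; the 20-element list forces the 0x?F count form.
SAMPLE = plistlib.dumps({"app": "chat", "deleted": True, "ids": list(range(20)),
                         "name": "Zoë", "seq": -1}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(parse_bplist(SAMPLE))
```

A carved blob is only parseable this way once its end is known, since the trailer sits at the end; finding the `bplist00` magic alone gives the start.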

That's all I have for this Saturday Reading. I hope these links are enough to get you through your day. Tomorrow is Sunday Funday and I have yet another challenge waiting for you to solve. This week we will have 'winners choice' where the winner can pick from a free ticket to PFIC or a year license to AccessData's Triage tool!

Saturday, August 3, 2013

Daily Blog #41: Saturday Reading 8/3/13

Hello Reader,
           It's Saturday and after a long week of working, heck you might be in the office working right now, it's time to let the disks image, the indexes run and the hashes hash while you sip some coffee and do some forensic reading.

1. If you haven't watched/listened to it already, we had a pretty great Forensic Lunch yesterday, you can watch it here http://www.youtube.com/watch?v=UG8ZZM7S5nk. This week we talked about HTML5 offline caching in Gmail with Blazer Catzen, the life of an internal corporate forensics person with Brandon Foley, Shadow Kit with David Dym and updates to some OSX forensics and the Triforce. Give it a watch, and next week you can watch us live and participate here: Google+ Event.

2. Speaking of Blazer Catzen he had a great presentation at Techno Forensics on file system tunneling. He said we could upload and share the slides from his presentation and you can download it here: click here for the zip of the presentation and reference spreadsheets

3. In the Forensic Lunch I talked about an article from a couple of years ago describing the offline Gmail storage we were talking about and the risks to the user, you can read it here http://geeknizer.com/pros-cons-of-html-5-local-database-storage-and-future-of-web-apps/

4. I'm a big fan of WinFE, and over on the WinFE blog they had a good write-up on getting WinFE to build with Autopsy 3. If you are looking for a free and open source portable toolkit that's still Windows based, read about how to get it all together, http://winfe.wordpress.com/2013/07/15/more-on-winfe-and-autopsy/.

5. We talked about Shadow Kit this week, so here's a link to read more about it and grab a copy, http://redrocktx.blogspot.com/p/shadowkit.html. You should then read this post, http://redrocktx.blogspot.com/2012/04/shadowkit-working-with-disk-images.html, which is a great write-up on how to get your forensic image into a VHD format so Windows will treat it as a physical local device rather than as a network attached device as it does with FTK Imager and other mounting techniques.

6. If you are working with Windows 8 or Windows Server 2012 then you'll be happy to read the latest SANS blog entry by Chad Tilbury pointing out which tools now support their memory structures, you can read it here: http://computer-forensics.sans.org/blog/2013/07/30/windows-8-server-2012-memory-forensics.

7. A new blog I found that was just updated this week is from French expert Zythom. He has a humorous yet factual write-up of a case he worked on and his process and approach, http://zythom-en.blogspot.com/2013/07/filling-up-on-pr0n.html.

That's what I have for you this week. Have an article or blog that you think I'm missing? Leave a comment and leave a link, I'm always trying to learn more and find more researchers who are sharing their data.