This time we have the winner of our current SANS DFIR Super Sunday Funday Forensic Contest! We will walk through all the levels revealing how they were done and how they were solved.
We are broadcasting live from HTCIA International Conference with:
Sumuri Carbon
Andres Velazquez talking about Forensic in Latin America
Membership director for HTCIA talking about the organization
Latest updates on the Triforce from Matthew and I!
Andrew Case talks about the release of his new book and discusses his research on memory forensics
Lee Whitfield talks about Facebook Messenger and other recent events.
Forensic Lunch this week with:
Blazer Catzen, talking about File system tunneling and metadata misadventures
Cindy Murphy, talking about smart phone forensics and being Cindy Murphy
The SANS DFIR Summit, our favorite talks and what makes it stand out as a conference
Dave Hull's, @davehull project Kansa http://github.com/davehull/kansa
An in depth discussion of Volume Shadow Copies discssuing: How to identify how much shadow copies are active on a volume (without VSS Admin) Evidence of Automatic vs Manual VSC deletion What different tools show for how many VSCs exist What you can and can't implictily trust How to validate what you see
More about what forensic tools should provide to an examiner at a minimum
And BBQ Summit talk!
As discussed the show may change after next week and the weekly shows are no longer required to meet my year of blogging. I'd like to hear your thoughts of what would make show more valuable to. Topics I'd like to hear from you on include but are not limited to:
Frequency, should we keep it once a week or go to twice a month / once amonth
Topics, Are we covering what is important to you? Should we add anything else?
Format, Do you enjoy the guests or us talking more?
Time of day/Day of week, Is there a better time we could be doing this so more of you can watch it live
Let me know in the comments below or email me dcowen@g-cpartners.com, we do the show for you not us!
We had a great Forensic Lunch today. We didn't have any official guests this week , just Matthew, You and I talking about what was interesting to us this week. We talked about:
1. The SANS DFIR Summit
2. The For 408 class I am currently assisting with
3. The research into USB Device history that is leading to a race for application development between Eric Zimmerman and myself
Here are the links to he USB device lookups I found:
Official list of Vendors from USB.org (requires you to convert from decimal to hex to match in the registry) http://www.usb.org/developers/tools/c...
The Linux USB driver list of known USB Vendors and Products:
http://www.linux-usb.org/usb.ids
4. A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.
Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware.
Lee Whitefield, @lee_whitfield, talking about the current Trucrypt conspiracy theories and what may have happened
For those listening here are our conference recommendations:
Large conference: CEIC
Mid size but vendor sponsored: PFIC
Mid size but independent : HTCIA
Small and very technical: SANS DFIR Summit and OSDFCon
Today we had: Austin Colby from Black Bag talking about whats new with Blacklight, Macqusition and much more. You can find out more at https://www.blackbagtech.com Steve Whalen, @sumurillc, talking about whats new at Sumuri including Paladin, Recon and others. Steve also talked about his new project Mission: No More Victims https://www.indiegogo.com/projects/mi... Sheryl Falk, @sherylfalk, talking about her talk at CEIC all about Data Breaches Matthew and I talking all about the official release of the Triforce! You can go here and find out all about it and buy your own license at http://www.gettriforce.com
Live from CEIC talking about the best talks of the day and special guests!
Suzanne Widup, @suzannewidup, talking about her talk at CEIC on the DBIR and her new book
Ken Mizota, @kenm_encase, the product manager for Encase investigation products talking about whats new v7 and the upcoming v8
David Dym, @dave873, talking about his talk on SQLite forensics
Live from ADUC join us as we talk about what's going on here and what new information is being revealed
Mari DeGrazia, @maridegrazia, talking about her research into the Thunderbird email client, its variations and the tool she has put out to work with it. You can read her post about this on her blog as well as grab the tool here: http://az4n6.blogspot.com/2014/04/wha...
Hal Pomeranz, @halpomeranz, talking about his research into Encrypted iTunes backups. How to extract out whats contained within them and when they were made, very cool stuff. Here are the links Hal mentioned:
Stack overflow discussion of the manifest.mbdb file:
http://stackoverflow.com/questions/30...
Link to download Hal's tool here:
https://github.com/halpomeranz/mbdbls
Lucas Zaichkowsky, @LucasErratus, from AccessData talking about his work there and a new reveal of their unified cybersecurity/response/forensics platform. Very cool stuff that I didn't realize they were already viewing. I'll have to get a better understanding of this technology!
We had a very interesting forensic lunch today. Lee Whitfield, @lee_whitfield and Suzanne Widdup, SuzanneWidup, joined us and your comments in an open discussion. We discussed an article linked by Brian Moran located here: http://eandt.theiet.org/news/2014/apr... all about how some malware researchers are accessing bad guy forums using Heartbleed.
We also got linked to a great case brief by Jason Alvarado, US v Jarrett, you can read here: http://lawschoolcasebriefs.com/LawSch... that is all about an anonymous vigilante in Turkey who provided evidence to the FBI about a pedophile. Who in the end got the evidence thrown out of court as the vigilante was not a government agent and the evidence was inadmissible.
All in all a very interesting 45 minutes of discussion, we also talked about my beard, and I hope you agree this experiment was semi-successful. I plan to try this again and hopefully more of you will participate!
Shelly Giesbrecht, @nerdiosity, talking about her upcoming talk at the SANS DFIR Summit called '10 Ways To Make Your SOC More Awesome', learn more about the event here and you can hear a leadup to it on a SANS Webinar here: https://www.sans.org/webcasts/10-ways...
We also talked a bit about the National Collegiate Cyber Defense Competition where I am currently leading the red team before I had to run back to the fun! Also no audio issues!
Santiago Ayala, @darthsaac, talking about his career in DFIR leading up to his nomination for a Forensic 4cast award nomination as Digital Forensic Examiner of the year! Listen to what Santiago has to say to see if you want to vote for him!
Lee Reiber, @celldet, talking about a couple things:
His upcoming trainings at the AccessData Users Conference on MPE+ , mobile forensics and python scripting with MPE+: https://www.ad-users.com/
His upcoming talk at the SANS DFIR Summit called Peeling the Application Like an Onion which focuses on analysis of mobile applications, check out more here
and a good discussion on mobile forensics in its current state and where things are headed.
Chris Pogue, @cpbeefcake, talking about a couple things:
His upcoming talk at the SANS DFIR Summit called The Life Cycle of Cybercrime which focuses on the complete life of a case from where it starts to how law enforcement gets involved locally and globally, check out more here
All about Sniper forensics, his team at Trustwave and the difficulties of doing DFIR around the world.
Anthony Di Bello from Guidance Software talking about CEIC. CEIC is our industries biggest conference and we will be there. If you are interested go here http://www.guidancesoftware.com/ceic/... and follow them on twitter @encase
David Dym talking about his upcoming talk on SQLite forensics at CEIC and the early release of a new tool called SQLiteDiver which comes in GUI and CLI forms. You can download SQLiteDiver here: http://www.easymetadata.com/Downloads... and you can see Dave talk about it and SQLite forensics at CEIC!
Dave Hull from Microsoft, you can follow Dave on Twitter @davehull , his blog http://trustedsignal.blogspot.com/ and on github https://github.com/davehull.
You should come to the SANS DFIR Summit and see him there as well!
Vico Marizale and Joe Sylve from 504ensics came back for their 3rd week of commitment! @vicomarziale and @jsylve. You should get involved with their new registry timestamp project by emailing them info@504labs.com to get their tool and start helping to discover unknown registry timestamps!
Vico Marziale from 504ensics, discussing their memory differencing project amongst other topics
Lee Whitfield discussing the upcoming deadline for Forensic 4cast award nominations and the trouble with time machines
Vico Marziale, @vicomarziale Talking about the research being done at 504ENSICS Labs and specifically into the OSX Spotlight index.
You can get a copy of spotlight inspector here:
http://www.504ensics.com/tools/spotlight-inspector-digital-forensics-app-for-mac-osx/
You can read the 504ensiecs blog here
http://www.504ensics.com/blog/
You can see the rest of their website and tools here:
http://www.504ensics.com/
Nasa Quba & Kausar Khizra - Talking about their research on Windows 8 File History!
You can see Nasa & Khizra at the SANS DFIR Summit this june go into depth into this research during an hour presentation on the topic!
Go here to learn more: https://bitly.com/David-Summit14
To contact Nasa & Khizra their linkedin page is here:
http://www.linkedin.com/in/kausarkhizra/
http://www.linkedin.com/pub/nasa-quba...
We had another great Forensic Lunch today, I hope you will consider making time in your Friday to watch it live someday as I think its just way more fun live. This week we had in order of appearance:
Jake Williams, @malwarejake, talking about the results of the SANS Endpoint Security survey and the positions they are looking to hire at the Mayo Clinic for those of you looking for senior DFIR positions!
You can also train with jake next month in Orlando and elsewhere, go here to see the classes he's teaching https://www.sans.org/instructors/jake....
SANS/Guidance Endpoint Security Survey Webcast - http://bit.ly/1hYUYMU
Alissa's Memory Forensics Class - Orlando, http://bit.ly/1e0ZEkD
Jake's Log Management and Forensics Class - Orlando, http://bit.ly/PBqkQy
Jake and Alissa's Memory Forensics vLive class - http://bit.ly/1imyw0V
Brian Baskin, @bbaskin, talking about his research, blog (ghetto forensics), books (here is an amazon link), and his work at DC3 where they are looking for people interested in DFIR with a clearance who live in the Baltimore area! Reach out to him if you are interested.
Vladimir Katalov, @vkatalov, the CEO of Elcomsoft talking about upcoming research regarding iCloud key chain recovery from network traffic, Blackberry 10 backups, accessing cloud storage and which gpus work well for long term password cracking. You can go to elcomsoft's website here and these are my favorite tools they sell:
Elcomsoft Phone Password Breaker http://www.elcomsoft.com/eppb.html, great for cracking encrypted phone backups and accessing iCloud backups!
Elcomsoft iOS Toolkit, http://www.elcomsoft.com/eift.html, great for low level working in iOS forensics.
Elcomsoft password cracking bundle, http://www.elcomsoft.com/eprb.html, a nice collection of there password cracking tools
This week with
Doug Collins, talking about his career in DFIR and how to become a regular Sunday Funday winner
Mark Spencer. @arsenalrecon, talking about his work at Arsenal Experts and their tools (Registry Recon and Arsenal Image Mounter)
Sebastian Nerz, @tirsales, discussing the state of DFIR in Germany/EU
Today's Forensic Lunch was great and really focused on IR and static malware analysis. If you are interested in either of those topics, boy do we have a great show for you. This week we had:
Jack Crook, @jackcr, talking about his work in IR, how he got started, his forensic challenges and his work in building local DFIR community. You can read his blog here, http://blog.handlerdiaries.com/, and learn more about his community efforts in Virginia.
Marc Ochsenmeier, @ochsenmeier, giving us the history of his tool PeStudio and an overview of how it works as well as the future of the tool. His website is http://winitor.com/ where you can download PeStudio for yourself as its free for non-commercial use!
Rob Fuller, @mubix, talking about his new project, project mentor http://www.projectmentor.net/ where Rob is offering to help mentor you into developing the real technical skills in infosec and dfir to get into the industry and other noble aspirations.
David Dym, @dave873, talking about the latest version of Metadiver which is available to download at http://www.easymetadata.com/wp/ which can crawl a directory and pull out all the metadata it can find into xls, json, xml and other formats. He also makes shadowkit.
Kevin Stokes talking about how to extend and expand our USB Multiboot Dongle, you can download the dongle image here: https://mega.co.nz/#!i45WhQya!SQILk0T...
Zoltan Szabo, talking about his stance on Digital Forensics as a science.You can email him at zoltandfw@gmail.com if you want to give your feedback to his opinions.
We have an amazing Forensic Lunch this week!
Robert Wallace & Matt Bromiley from talking about how they are using elastic search to work with big data breaches
Willi Ballenthin,+Willi Ballenthin talking about his work in DFIR and he's recently released tools working with NTFS. You can read Willi's blog here: http://www.williballenthin.com/ and follow him on twitter @williballenthin
Brian Moran,+Brian Moran talking about his work in memory forensics, POS Malware and other fun topics. You can read Brian Moran's blog here: and follow him on twitter @brianjmoran
We had a very interesting Forensic Lunch this week! This weeks guests:
Ian Duffy, +Ian Duffy , talking about his research into the Microsoft Office compound file format.
You can read Ian's blogs on this topic here: http://forensecurity.blogspot.com/201...
Andrew Case, +Andrew Case , discussing his work in the memory forensics and Volatility The Volatility project page is here: http://code.google.com/p/volatility/ You can pre-order the memory forensics book here: http://www.amazon.com/gp/product/1118... You can find out more about Volatility training here: http://volatility-labs.blogspot.com/2... Volatility Community Documentation can be found here: http://code.google.com/p/volatility/w... You can find out more about Bsides NOLA here: http://www.securitybsides.com/w/page/...
Read the blog analyzing ADD that Andrew talked about here: http://blog.handlerdiaries.com/?p=363
Matthew and I showing the latest changes for this months Beta release of ANJP.