Live from CEIC with Michael Robinson, Ronald Clark and more!
In this episode:
We discuss the Ashley Madison Data Leak and its implications for DFIR
David Dym, @dave873, talks about the newest version of Metadiver and its ability to show even more metadata, including the contents of PST files and extended MAPI!
Get it at: www.easymetadata.com
Matthew and I talk about our new open source project GC LNK Parser which exposes all of the shell item data we didn't know was there! (Except Joachim Metz)
We also preview our integration of our tools with Elasticsearch, a preview of our OSDF Con talk and a short talk about things to come in Triforce.
Also SANS FOR578, Cyber Threat Intelligence, is now available publicly! Learn more about it here:
The SANS Poster on Rekall Memory forensics is out as well and you can get it here:
In this episode recorded in front of a live audience:
Our first game of Forensic Passphrase
Vitaliy Mokosiy of Atola talking about Atola Insight Forensic and its cool direct firmware controls
Brian Carrier of Basis Technology talking about Autopsy 3, Plugin development with Python and OSDF Con
Brian Moran of BriMor Labs talking about his live response scripts and new trends in attacker activities
Join Matt and me and our current guests:
Eric Zimmerman, talking deleted registry key analysis and new features in Registry Explorer and more!
You can get the #DFIRSummit release here:
Guests are Matt Bromiley and Dimitry from Bocasoft
Live from CEIC. Ben LeMere from Berla, Jeff the Product Evangelist from Guidance Software, Amber Schroader from Paraben, and more!
The you should have filed your taxes edition!
This week is all about the Forensic 4cast awards. We cover all of the nominees and make our official votes.
The thank goodness April Fools day is over edition
Guests this week:
Devon Kerr talking about his work at Mandiant/FireEye and his research into WMI for both IR and attacker usage.
You can email Devon here: email@example.com
and you can follow him on twitter here: https://twitter.com/_devonkerr_
Get cool tools from the Mandiant github here: https://github.com/mandiant
Watch Devon talk more about WMI and IR at the SANS DFIR Summit: http://dfir.to/1BvOw7G
Matthew and me, going into the Automating DFIR series and our upcoming talk at CEIC
We are on the CEIC agenda here:
We had another great Forensic Lunch! This broadcast we had:
James Carder of the Mayo Clinic, @carderjames, talking all about automating your response process to separate the random attacks from the sophisticated attacks. You can hear James talk about this and much more at the SANS DFIR Summit, where he'll be a panelist! If you want to work with James, Mayo Clinic is hiring.
Mayo Clinic Infosec and IR Jobs: http://www.mayo-clinic-jobs.com/go/in...
Contact James Carder: firstname.lastname@example.org
Special Agent Eric Zimmerman of the FBI, @EricRZimmerman, talking about his upcoming in-depth Shellbags talk at the SANS DFIR Summit as well as his new tool called Registry Explorer. RE and Eric's research into the Windows registry will be continued in the next broadcast. Whether you are interested in registries from a research, academic or investigative perspective, this is a must see, and FREE, tool!
Eric's Blog: http://binaryforay.blogspot.com/
Registry Explorer: http://binaryforay.blogspot.com/p/sof...
Guests this broadcast:
Ben LeMere of Berla talking about Vehicle Forensics, Embedded Systems, CAN bus networks and all the fun he's been having doing forensics on car entertainment systems. You may be very surprised by what he has to say!
Lee Whitfield talking about Superfish, what happened and what you need to know.
Robin Keir of Crowdstrike talking about his research and role at Crowdstrike, specifically Superfetch and CrowdResponse
Forensic 4cast Award Nominations: https://forensic4cast.com/forensic-4c...
The after Thanksgiving Hangover edition:
This week we had Eric Zimmerman, @ericrzimmerman, talking about Shellbags, his tool ShellBags Explorer and our research into new things we can determine from them.
We had an interesting Forensic Lunch today with:
Rob Fuller, @mubix, talking about his new project, project mentor http://www.projectmentor.net/ where Rob is offering to help mentor you into developing the real technical skills in infosec and dfir to get into the industry and other noble aspirations.
David Dym, @dave873, talking about the latest version of Metadiver, which is available to download at http://www.easymetadata.com/wp/ and which can crawl a directory and pull out all the metadata it can find into XLS, JSON, XML and other formats. He also makes ShadowKit.
Kevin Stokes talking about how to extend and expand our USB Multiboot Dongle, you can download the dongle image here: https://mega.co.nz/#!i45WhQya!SQILk0T...
Zoltan Szabo, talking about his stance on Digital Forensics as a science. You can email him at email@example.com if you want to give your feedback on his opinions.
This week with:
Yogesh Khatri talking about his Windows 8 registry forensics research (You can read it here http://www.swiftforensics.com/ and email him at firstname.lastname@example.org)
Dan Pullega talking about his extensive research into Windows Shellbags (http://www.4n6k.com/2013/12/shellbags... and email Dan at email@example.com)
David Dym talking about his new tool MetaDiver (You can download it here http://www.easymetadata.com/wp/)
and Matthew and myself talking about v3 of ANJP and demoing the auto detection of CD Burning.
Robert Haist, talking about his research with page_brute in recovering command execution and other fun things from the pagefile, read his blog about it here: http://blog.roberthaist.com/2013/12/r...
Amber Schroader, talking about Device Seizure 6.5 and a great discussion on what happens behind the scenes in your mobile forensics tools as well as the future of cloud phone data acquisition. You can find out more about Device Seizure here: http://www.paraben.com/device-seizure...
Joakim Schicht, discussing his tools and research, including how he approaches these projects and develops them. You can find his Google Code repository here: http://code.google.com/p/mft2csv/ with all the tools mentioned today and more!
The Forensic Lunch!
This week we have the Chief Evangelist of AccessData, Tim Leehealey, here to talk to us about FTK 6, what's going on at AccessData and your questions.
Anuj Soni, discussing webshells and attacker tools
Jason Trost, discussing the Modern Honey Net project he's working on at Threatstream
Matt Bromiley talking about the work we have done to extend the MHN reporting by integrating Elasticsearch and Kibana to visualize the data
• My SANS Webcast on web shells: https://www.sans.org/webcasts/closing...
• The upcoming FOR610 course in Monterey: http://www.sans.org/event/dfir2015/co...
• My bio and instructor page: http://www.sans.org/instructors/anuj-...
- Webacoo https://github.com/anestisb/WeBaCoo
Threatstream Github: https://github.com/threatstream
Jason's Github: https://github.com/jt6211
Modern Honey Network: http://threatstream.github.io/mhn/
MHN Visualization Series: http://www.505forensics.com/honeypot-...
Forensic 4cast awards nomination: https://forensic4cast.com/forensic-4c...
Facebook Threatexchange: https://threatexchange.fb.com/
This week's guests:
Kyle Maxwell - Threat Intel and Honeypots
Lenny Zeltser - Malware Reversing, attacker tools and capturing malware
To join the community MHN project discussion on this show email us at firstname.lastname@example.org
The first forensic lunch of the new year!
We had an open chat with a discussion of honeypots with Ken Pryor
More about Shellbag research with Eric Zimmerman and other topics!
This week we had:
Matt Bromiley, @505forensics, talking about NoSQL injection attacks and forensics to detect them. You can read more about it on his blog http://www.505forensics.com/
Matt Harrigan, @mattharrigan, of PacketSled, @packetsled, talking about his network visualization tool that is soon to have a free version released. You can sign up for the beta and get this into your hands at http://www.packetsled.com
This time we have the winner of our current SANS DFIR Super Sunday Funday Forensic Contest! We will walk through all the levels revealing how they were done and how they were solved.
We are broadcasting live from HTCIA International Conference with:
Andres Velazquez talking about Forensics in Latin America
Membership director for HTCIA talking about the organization
Latest updates on the Triforce from Matthew and me!
Andrew Case talks about the release of his new book and discusses his research on memory forensics
Lee Whitfield talks about Facebook Messenger and other recent events.
Forensic Lunch this week with:
Blazer Catzen, talking about File system tunneling and metadata misadventures
Cindy Murphy, talking about smart phone forensics and being Cindy Murphy
The SANS DFIR Summit, our favorite talks and what makes it stand out as a conference
Dave Hull's, @davehull project Kansa http://github.com/davehull/kansa
An in-depth discussion of Volume Shadow Copies, covering:
How to identify how many shadow copies are active on a volume (without vssadmin)
Evidence of automatic vs. manual VSC deletion
What different tools show for how many VSCs exist
What you can and can't implicitly trust
How to validate what you see
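The episode notes above do not say which method was used on the show, so the following is an added example of mine and not code from the Forensic Lunch or its guests. It pulls the shadow copy inventory from the VSS provider through WMI (the Win32_ShadowCopy and Win32_Volume classes, which exist on standard Windows installs), counts copies per volume, and then cross-checks that count against a parse of `vssadmin list shadows` so you can see when the two disagree. The vssadmin output layout it parses (one `Original Volume: (C:)...` line per shadow copy) and the volsnap provider name for the System log are assumptions based on current Windows builds; verify them on the system you are examining.

```powershell
# Added example, not from the Forensic Lunch episode.
# Run from an elevated PowerShell prompt on the live system being examined.

# 1. Enumerate shadow copies straight from the VSS provider via WMI (no vssadmin).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the
# \\?\Volume{GUID}\ form, so map GUID paths back to drive letters.
$letterByGuid = @{}
foreach ($v in $volumes) { $letterByGuid[$v.DeviceID] = $v.DriveLetter }

$wmiCounts = @{}
foreach ($s in $shadows) {
    $letter = $letterByGuid[$s.VolumeName]
    if (-not $letter) { $letter = $s.VolumeName }   # unmounted volume: keep the GUID path
    $wmiCounts[$letter] = 1 + [int]$wmiCounts[$letter]
}

# 2. Independent count from vssadmin. Assumption: each shadow copy produces exactly one
#    "Original Volume: (X:)\\?\Volume{...}\" line in the listing.
$vssCounts = @{}
$vssText = & vssadmin.exe list shadows 2>$null
foreach ($line in $vssText) {
    if ($line -match 'Original Volume:\s+\((\w:)\)') {
        $vssCounts[$Matches[1]] = 1 + [int]$vssCounts[$Matches[1]]
    }
}

# 3. Report per volume and flag disagreement; a mismatch is the thing to investigate,
#    not something to explain away.
$allVolumes = ($wmiCounts.Keys + $vssCounts.Keys) | Sort-Object -Unique
foreach ($vol in $allVolumes) {
    $w = [int]$wmiCounts[$vol]
    $a = [int]$vssCounts[$vol]
    $flag = if ($w -ne $a) { 'MISMATCH' } else { 'ok' }
    '{0,-28} WMI={1,-3} vssadmin={2,-3} {3}' -f $vol, $w, $a, $flag
}

# Oldest and newest copy per volume helps spot a gap that suggests deletion.
$shadows | Sort-Object VolumeName, InstallDate |
    Select-Object @{n='Volume'; e={ $letterByGuid[$_.VolumeName] }}, ID, InstallDate |
    Format-Table -AutoSize

# 4. One place to look for deletion evidence: volsnap writes to the System log when it
#    removes copies itself (for example when diff-area storage runs out). Assumption:
#    provider name 'volsnap'; a manual 'vssadmin delete shadows' leaves no such entry.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'volsnap' } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

If the WMI count and the vssadmin count differ, or either differs from what your forensic suite shows for the same volume, treat the smaller number as incomplete rather than the larger as wrong: compare the shadow copy IDs from each source and work out which one is silently skipping copies before drawing conclusions about deletion.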
More about what forensic tools should provide to an examiner at a minimum
And BBQ Summit talk!
As discussed, the show may change after next week, since the weekly shows are no longer required to meet my year of blogging. I'd like to hear your thoughts on what would make the show more valuable to you. Topics I'd like to hear from you on include but are not limited to:
Frequency: should we keep it once a week or go to twice a month / once a month?
Topics: are we covering what is important to you? Should we add anything else?
Format: do you enjoy the guests, or us talking more?
Time of day / day of week: is there a better time we could be doing this so more of you can watch it live?
Let me know in the comments below or email me at email@example.com; we do the show for you, not us!