The Forensic Lunch with David Cowen and Matthew Seyer

The Forensic Lunch! The twice a month podcast devoted to Digital Forensics and Incident Response!
Aug 25, 2015

We had a great Forensic Lunch today. We didn't have any official guests this week, just Matthew, you and I talking about what was interesting to us this week. We talked about:

1. The SANS DFIR Summit

2. The FOR 408 class I am currently assisting with

3. The research into USB Device history that is leading to a race for application development between Eric Zimmerman and myself

Here are the links to the USB device lookups I found:

Official list of Vendors from USB.org (requires you to convert from decimal to hex to match in the registry) http://www.usb.org/developers/tools/c...

The Linux USB driver list of known USB Vendors and Products:

http://www.linux-usb.org/usb.ids
4. A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.

Aug 25, 2015

Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware.

Lee Whitfield, @lee_whitfield, talking about the current TrueCrypt conspiracy theories and what may have happened

For those listening here are our conference recommendations:

Large conference: CEIC

Mid size but vendor sponsored: PFIC

Mid size but independent: HTCIA

Small and very technical: SANS DFIR Summit and OSDFCon

Aug 25, 2015

Today we had:

Austin Colby from Black Bag talking about what's new with Blacklight, MacQuisition and much more. You can find out more at https://www.blackbagtech.com

Steve Whalen, @sumurillc, talking about what's new at Sumuri including Paladin, Recon and others. Steve also talked about his new project Mission: No More Victims https://www.indiegogo.com/projects/mi...

Sheryl Falk, @sherylfalk, talking about her talk at CEIC all about Data Breaches

Matthew and I talking all about the official release of the Triforce! You can go here and find out all about it and buy your own license at http://www.gettriforce.com

Aug 25, 2015

Live from CEIC talking about the best talks of the day and special guests!

Aug 25, 2015

Suzanne Widup, @suzannewidup, talking about her talk at CEIC on the DBIR and her new book
Ken Mizota, @kenm_encase, the product manager for EnCase investigation products, talking about what's new in v7 and the upcoming v8
David Dym, @dave873, talking about his talk on SQLite forensics

Aug 25, 2015

Live from ADUC, join us as we talk about what's going on here and what new information is being revealed

Aug 25, 2015

Mari DeGrazia, @maridegrazia, talking about her research into the Thunderbird email client, its variations and the tool she has put out to work with it. You can read her post about this on her blog as well as grab the tool here: http://az4n6.blogspot.com/2014/04/wha...

Hal Pomeranz, @halpomeranz, talking about his research into encrypted iTunes backups: how to extract what's contained within them and when they were made, very cool stuff. Here are the links Hal mentioned:

Stack Overflow discussion of the manifest.mbdb file:

http://stackoverflow.com/questions/30...

Link to download Hal's tool here:

https://github.com/halpomeranz/mbdbls

Lucas Zaichkowsky, @LucasErratus, from AccessData talking about his work there and a new reveal of their unified cybersecurity/response/forensics platform. Very cool stuff that I didn't realize they were already viewing. I'll have to get a better understanding of this technology!

Aug 25, 2015

We had a very interesting Forensic Lunch today. Lee Whitfield, @lee_whitfield, and Suzanne Widup, @suzannewidup, joined us and your comments in an open discussion. We discussed an article linked by Brian Moran located here: http://eandt.theiet.org/news/2014/apr... all about how some malware researchers are accessing bad guy forums using Heartbleed.

We also got linked to a great case brief by Jason Alvarado, US v Jarrett, which you can read here: http://lawschoolcasebriefs.com/LawSch... It is all about an anonymous vigilante in Turkey who provided evidence to the FBI about a pedophile, who in the end got the evidence thrown out of court because the vigilante was not a government agent and the evidence was inadmissible.

All in all a very interesting 45 minutes of discussion. We also talked about my beard, and I hope you agree this experiment was semi-successful. I plan to try this again and hopefully more of you will participate!

Aug 25, 2015

Shelly Giesbrecht, @nerdiosity, talking about her upcoming talk at the SANS DFIR Summit called '10 Ways To Make Your SOC More Awesome', learn more about the event here and you can hear a leadup to it on a SANS Webinar here: https://www.sans.org/webcasts/10-ways...

We also talked a bit about the National Collegiate Cyber Defense Competition where I am currently leading the red team before I had to run back to the fun! Also no audio issues!

Aug 25, 2015

Santiago Ayala, @darthsaac, talking about his career in DFIR leading up to his Forensic 4cast award nomination as Digital Forensic Examiner of the Year! Listen to what Santiago has to say to see if you want to vote for him!

Lee Reiber, @celldet, talking about a couple of things:
His upcoming trainings at the AccessData Users Conference on MPE+, mobile forensics and Python scripting with MPE+: https://www.ad-users.com/
His upcoming talk at the SANS DFIR Summit called Peeling the Application Like an Onion, which focuses on analysis of mobile applications, check out more here
and a good discussion on mobile forensics in its current state and where things are headed.

Chris Pogue, @cpbeefcake, talking about a couple of things:
His upcoming talk at the SANS DFIR Summit called The Life Cycle of Cybercrime, which focuses on the complete life of a case from where it starts to how law enforcement gets involved locally and globally, check out more here
All about Sniper forensics, his team at Trustwave and the difficulties of doing DFIR around the world.

Aug 25, 2015

Anthony Di Bello from Guidance Software talking about CEIC. CEIC is our industry's biggest conference and we will be there. If you are interested go here http://www.guidancesoftware.com/ceic/... and follow them on Twitter @encase

David Dym talking about his upcoming talk on SQLite forensics at CEIC and the early release of a new tool called SQLiteDiver, which comes in GUI and CLI forms. You can download SQLiteDiver here: http://www.easymetadata.com/Downloads... and you can see Dave talk about it and SQLite forensics at CEIC!

Aug 25, 2015

Dave Hull from Microsoft; you can follow Dave on Twitter @davehull, his blog http://trustedsignal.blogspot.com/ and on GitHub https://github.com/davehull.
You should come to the SANS DFIR Summit and see him there as well!

Vico Marziale and Joe Sylve from 504ensics came back for their 3rd week of commitment! @vicomarziale and @jsylve. You should get involved with their new registry timestamp project by emailing them at info@504labs.com to get their tool and start helping to discover unknown registry timestamps!

Aug 25, 2015

Vico Marziale from 504ensics, discussing their memory differencing project amongst other topics
Lee Whitfield discussing the upcoming deadline for Forensic 4cast award nominations and the trouble with time machines

Aug 25, 2015

Vico Marziale, @vicomarziale, talking about the research being done at 504ENSICS Labs and specifically into the OSX Spotlight index.

You can get a copy of Spotlight Inspector here:
http://www.504ensics.com/tools/spotlight-inspector-digital-forensics-app-for-mac-osx/

You can read the 504ensics blog here:
http://www.504ensics.com/blog/

You can see the rest of their website and tools here:
http://www.504ensics.com/

Nasa Quba & Kausar Khizra - Talking about their research on Windows 8 File History!

You can see Nasa & Khizra at the SANS DFIR Summit this June go in depth into this research during an hour-long presentation on the topic!
Go here to learn more: https://bitly.com/David-Summit14

To contact Nasa & Khizra, their LinkedIn pages are here:

http://www.linkedin.com/in/kausarkhizra/

http://www.linkedin.com/pub/nasa-quba...

Aug 25, 2015

We had another great Forensic Lunch today. I hope you will consider making time in your Friday to watch it live someday, as I think it's just way more fun live. This week we had, in order of appearance:

Jake Williams, @malwarejake, talking about the results of the SANS Endpoint Security survey and the positions they are looking to hire at the Mayo Clinic for those of you looking for senior DFIR positions!

You can also train with Jake next month in Orlando and elsewhere; go here to see the classes he's teaching https://www.sans.org/instructors/jake....

SANS/Guidance Endpoint Security Survey Webcast - http://bit.ly/1hYUYMU

Alissa's Memory Forensics Class - Orlando, http://bit.ly/1e0ZEkD

Jake's Log Management and Forensics Class - Orlando, http://bit.ly/PBqkQy

Jake and Alissa's Memory Forensics vLive class - http://bit.ly/1imyw0V

Brian Baskin, @bbaskin, talking about his research, blog (ghetto forensics), books (here is an amazon link), and his work at DC3 where they are looking for people interested in DFIR with a clearance who live in the Baltimore area! Reach out to him if you are interested.

Vladimir Katalov, @vkatalov, the CEO of Elcomsoft, talking about upcoming research regarding iCloud keychain recovery from network traffic, BlackBerry 10 backups, accessing cloud storage and which GPUs work well for long term password cracking. You can go to Elcomsoft's website here and these are my favorite tools they sell:

Elcomsoft Phone Password Breaker http://www.elcomsoft.com/eppb.html, great for cracking encrypted phone backups and accessing iCloud backups!

Elcomsoft iOS Toolkit, http://www.elcomsoft.com/eift.html, great for low level working in iOS forensics.

Elcomsoft password cracking bundle, http://www.elcomsoft.com/eprb.html, a nice collection of their password cracking tools

Aug 25, 2015

This week with:
Doug Collins, talking about his career in DFIR and how to become a regular Sunday Funday winner

Mark Spencer, @arsenalrecon, talking about his work at Arsenal Experts and their tools (Registry Recon and Arsenal Image Mounter)

Sebastian Nerz, @tirsales, discussing the state of DFIR in Germany/EU

Aug 25, 2015

Today's Forensic Lunch was great and really focused on IR and static malware analysis. If you are interested in either of those topics, boy do we have a great show for you. This week we had:

Jack Crook, @jackcr, talking about his work in IR, how he got started, his forensic challenges and his work in building local DFIR community. You can read his blog here, http://blog.handlerdiaries.com/, and learn more about his community efforts in Virginia.

Marc Ochsenmeier, @ochsenmeier, giving us the history of his tool PeStudio and an overview of how it works, as well as the future of the tool. His website is http://winitor.com/ where you can download PeStudio for yourself, as it's free for non-commercial use!

Aug 25, 2015

Rob Fuller, @mubix, talking about his new project, Project Mentor http://www.projectmentor.net/ where Rob is offering to help mentor you into developing the real technical skills in infosec and DFIR to get into the industry, and other noble aspirations.

David Dym, @dave873, talking about the latest version of Metadiver, which is available to download at http://www.easymetadata.com/wp/ and which can crawl a directory and pull out all the metadata it can find into XLS, JSON, XML and other formats. He also makes shadowkit.

Kevin Stokes talking about how to extend and expand our USB Multiboot Dongle, you can download the dongle image here: https://mega.co.nz/#!i45WhQya!SQILk0T...

Zoltan Szabo, talking about his stance on Digital Forensics as a science. You can email him at zoltandfw@gmail.com if you want to give your feedback on his opinions.

Aug 25, 2015

We have an amazing Forensic Lunch this week!

Robert Wallace & Matt Bromiley from talking about how they are using Elasticsearch to work with big data breaches

Willi Ballenthin, +Willi Ballenthin, talking about his work in DFIR and his recently released tools for working with NTFS. You can read Willi's blog here: http://www.williballenthin.com/ and follow him on Twitter @williballenthin

Brian Moran, +Brian Moran, talking about his work in memory forensics, POS malware and other fun topics. You can read Brian Moran's blog here: and follow him on Twitter @brianjmoran

Aug 25, 2015

We had a very interesting Forensic Lunch this week! This week's guests:

Ian Duffy, +Ian Duffy, talking about his research into the Microsoft Office compound file format.
You can read Ian's blogs on this topic here: http://forensecurity.blogspot.com/201...

Andrew Case, +Andrew Case, discussing his work in memory forensics and Volatility.
The Volatility project page is here: http://code.google.com/p/volatility/
You can pre-order the memory forensics book here: http://www.amazon.com/gp/product/1118...
You can find out more about Volatility training here: http://volatility-labs.blogspot.com/2...
Volatility Community Documentation can be found here: http://code.google.com/p/volatility/w...
You can find out more about BSides NOLA here: http://www.securitybsides.com/w/page/...
Read the blog analyzing ADD that Andrew talked about here: http://blog.handlerdiaries.com/?p=363

Matthew and I showing the latest changes for this month's Beta release of ANJP.

Aug 25, 2015

This week's guests are:

Jacob Williams, @malwarejake, talking about his proof of concept code shown at ShmooCon; check it out here: http://malwarejake.blogspot.com/2014/... and download the tool/memory samples here http://code.google.com/p/attention-de...

Hal Pomeranz, @hal_pomeranz, talking about the scripts he's been sharing via GitHub for the DFIR Community: https://github.com/halpomeranz/dfis

Lee Whitfield, @lee_whitfield, talking about his new series of internet safety videos that you can show to your friends and family, found here: https://www.youtube.com/user/mrleewhi...

Aug 25, 2015

Sarah Edwards talking about her OSX Forensics class for SANS; sign up for the beta here: http://computer-forensics.sans.org/bl...

Craig Ball talking about his work as a Special Master within the civil courts and his perspectives on DFIR; you can read more from Craig at his website: http://craigball.com/

Matthew and I talking about the v3 Beta, the NCCDC Red Team intern position opening for CCDC alumni and more.

Aug 25, 2015

Sean Conover from Sony Online Entertainment talking about his work doing memory analysis and forensics to stop game cheats. Follow him at https://twitter.com/seanconover

Nicole Ibrahim, now from G-C Partners, talking about her research into USB storage drivers including MSC, MTP and PTP. You can read Nicole's blog here: http://nicoleibrahim.com/


Lee Whitfield, from Digital Discovery, talking about the Forensic 4cast awards, which are now open for 2014 nominations! You can nominate someone here: http://forensic4cast.com/2014/01/4cas...

Aug 25, 2015

This week we had:
Rob Lee, @robtlee http://computer-forensics.sans.org/, talking about the new SANS FOR 408 class and the interesting journey into Windows 8 forensics. This included some really interesting discussions of artifacts being created across synced devices!
Mari DeGrazia, @maridegrazia http://az4n6.blogspot.com/, talking about her research into Google Analytics cookies. This included a demo of her tool and its output. It allows you to recover so much more information if you're trying to discover not only whether a website was visited but at what times and to what extent.
Matthew and I talked about detecting files being created from alternative NTFS drivers, such as ntfs-3g, using artifacts within the $MFT only!

Aug 25, 2015

This week Mari DeGrazia joined us to talk about her work building a Python parser for recovering deleted data from SQLite databases, and Eric Zimmerman came on to talk to us about passing the new X-Ways Xpert certification and the upcoming OSTriage v2, which will be available for non-law-enforcement use!

You can read Mari's blog here: http://az4n6.blogspot.com/
To read up more on OSTriage, read the Forensic Focus thread here: http://www.forensicfocus.com/Forums/v...
