This weeks guests are:
Jacob Williams, @malwarejake, talking about his proof of concept code shown at shmoocon check it out here: http://malwarejake.blogspot.com/2014/... and download the tool/memory samples here http://code.google.com/p/attention-de...
Hal Pomeranz, @hal_pomeranz, talking about the scripts he's been sharing via GitHub for the DFIR Community: https://github.com/halpomeranz/dfis
Lee Whitfield, @lee_whitfield, talking about his new series of internet safety videos that you can show to your friends and family, found here: https://www.youtube.com/user/mrleewhi...
Sarah Edwards talking about her OSX Forensics class for SANS, signup for the beta here:http://computer-forensics.sans.org/bl...
Craig Ball talking about his work as a Special Master within the Civil Courts and his perspectives on DFIR, you can read more from Craig at his website: http://craigball.com/
Matthew and I talking about the v3 Beta, the NCCDC Red Team intern position opening for CCDC alumni and more.
Sean Conover from Sony Online Entertainment talking about his work doing memory analysis and forensics to stop game cheats. Follow him at https://twitter.com/seanconover
Nicole Ibrahim, now from G-C Partners, talking about her research into USB storage drivers including MSC, MTP and PTP. You can read Nicole's Blog here: http://nicoleibrahim.com/
Lee Whitfield, from Digital Discovery, talking about the forensic 4cast awards which are now available for 2014 nominations! You can nominate someone here: http://forensic4cast.com/2014/01/4cas...
This week we had:
Rob Lee, @robtlee http://computer-forensics.sans.org/, talking about the new SANS FOR 408 class and the interesting journey into Windows 8 forensics.This included some really interesting discussions into artifacts being created across synced devices!
Mari DeGrazia, @maridegrazia http://az4n6.blogspot.com/, talking about her research into Google analytics cookies. This included a demo of her tool and its output. It allows you to recover so much more information if your trying to discover not only if a website was visited but at what times and to what extent.
Matthew and I talked about detecting files being created from alternative NTFS drivers, such as ntfs-3g, using artifacts within the $MFT only!
This week Mari DeGrazia join us to talk about her work building a python parser for recovering deleted data from SQLite databases and Eric Zimmerman came on to talk to us about passing the new X-ways Xpert certification and the upcoming OSTriage v2 which will be available for non law enforcement use!
You can read Mari's blog here: http://az4n6.blogspot.com/
To read up more on OsTraige read the forensic focus thread here: http://www.forensicfocus.com/Forums/v...
Forensic Lunch 11/15/13
This week we have Kristinn Gudjonsson and Ryan Benson with us!
Download Kristinn’s Plaso slides from OSDF here:http://blog.kiddaland.net/2013/11/osd…
See his blog post regarding the visualization module here:http://blog.kiddaland.net/2013/11/vis…
Find the plaso code here: https://code.google.com/p/plaso/
Find Ryan’s Chrome history of artifacts chart here:http://www.obsidianforensics.com/blog…
Find Ryan’s tool Hindsight here:http://code.google.com/p/hindsight-in…
This week we have Sheryl Falk from Winston & Strawn talking about the legal side of breaches, Jonathan Rajewski from Champlain College talking about the undergrad and graduate programs at Champlain and Matthew and myself talking about big new changes in ANJP.
Sheryl is sfalk@winston.com
Jonathan is jtrajewski@champlain.edu
This week on the Forensic Lunch we have David Dym, Rebecca Henderson, Kevin Stokes, Lee Whitfield and myself.
Topics include setmace research and testing, automating metadata extraction with shell and com, manual mobile forensics, lab certification and the intern process in DFIR
IR Roundtable Part 3:
This week on the Forensic Lunch we finished the IR Roundtable with James Lohman and Kyle Maxwell.
Dave and Matthew talk about the updated GUI for ANJP, finding the actions programs leave behind in the file system to create signatures and more!
Forensic Lunch 10/11/13 IR Roundtable Part 2
Join us this week as we continue our IR Roundtable from last week with:
Darren Windham (NGO)
Joseph Shaw (Alvarez)
Kyle Maxwell (Verizon)
James Lohman (G-C)
Great topics regarding how to deal with and scope data exfiltration and dealing with lateral movement and attacker intelligence.
IR Roundtable Part 1
Forensic Lunch this week is a IR Round Table with:
James Lohman (G-C Partners)
Kyle Maxwell (Verizon Business)
Darren Windham (NGO)
Talking about methodologies for approaching incidents, triaging malware and showing ROI to executives
Guests this week:
Harlan Carvey
Zoltan Szabo
Jake Williams
Links for today:
Harlan's Blog: http://windowsir.blogspot.com/
Zoltan's Associates Degree: https://www1.dcccd.edu/catalog/progra...
Jake's FOR 610 Class: http://www.sans.org/vlive/details/for...
Links for this week:
For the VCDB You can get an overview here:
http://public.tableausoftware.com/vie... for VCDB.
The VCDB Github is located here:
https://github.com/vz-risk/VCDB
And the currently open issues is here:
https://github.com/vz-risk/VCDB/issue...
You can visit Tzworks here:
https://www.tzworks.net/
And get the tools shown today here:
LNK Parser: https://www.tzworks.net/prototype_pag...
Jump list parser: https://www.tzworks.net/prototype_pag...
Shellbag parser: https://www.tzworks.net/prototype_pag...
GENA here: https://www.tzworks.net/prototype_pag...
Joachim Metz and Kyle Maxwell talk about maintaining a forensics encylopedia that is accessable to everyone and more!
Eric Zimmerman discusses forensic imaging tools performance
Phil Hagen talks about his new SANS 572 course
Lee Whitfield asks about building a good forensics box
Kyle Maxwell talks about CryptoParty
James discusses Outlook Message Conversation Index
Dave and Matt show their Plist Parser
James talks about parsing MAPI information with a new script.
Kyle talks about research into public data breaches.
Joseph Shaw discusses the insider incidents.
Recap of the crimes against children conference and a tool update with Brian Lockery
Troubles trying to integrate TSK with Perl
The new book website!
The experience and value of a bachelors in computer forensics and more!
David Nides discussing efforts with Plaso.
Joseph Shaw talks about file system forensics.
Kyle discusses the Black Hat defcon challenge.
Talking about HTML5 Offline cache forensics with Blazer Catzen
Life as an internal forensic investigator with Brandon Foley
Update on Shadowkit with David Dym
Plist carving, parsing and embedded plists within plists
Update on the NTFS Triforce
and more!
Link to shadowkit: http://redrocktx.blogspot.com/p/shado…
Link to fiddler: http://fiddler2.com/ (windows ssl proxy)
Link to charles: http://www.charlesproxy.com/ (mac ssl proxy)
Link to honeyproxy: http://honeyproxy.org/ (open source ssl proxy)
Dave Cowen and Matt Seyer talk about Triforce updates, take questions.
Episode 23 with David Cowen, Matthew Seyer, Christian Prickaerts, Carlos Cajigas and Kevin Stokes