The Forensic Lunch!
The twice a month live videocast/podcast all about #DFIR!
This broadcast is all about running an isolated virtual network on Intels newest NUC, the Skull Canyon. Watch the video to see us demonstrate running 5 vms in an isolated virtual network on a small, fast and low powered portable system.
You can get the Intel NUC Skull Canyon at amazon here: https://smile.amazon.com/Intel-NUC-Ki...
or at your local Microcenter or Fry's
This is the M.2 NVME SSD Drive I'm using to get 2GB/s reads and 1.5GB/s writes: https://smile.amazon.com/Samsung-950-...
This is the memory I used: https://smile.amazon.com/Crucial-16GB...
Here is the link to the free version of ESXI v6: https://my.vmware.com/en/web/vmware/e...
Expect a blog post where I go through the process
The Forensic Lunch!
The twice a month live videocast/podcast all about #DFIR !\
This broadcast:
Matt Bromiley, +Matt Bromiley talking about filters he has made for Elastic Handler and work
Talking about the 1st Annual Defcon Forensic CTF
Updates to EventMonkey to work with EVTXtract from Willi Ballenthin and bringing in descriptions
and more!
Download the Defcon Forensics CTF Here:
https://forum.defcon.org/forum/defcon...
The password to extract:
,sli38pdsf;aj8387f*HKlnelne7fy7GUHMBNWlo9udsijw_kn3ohfsa8y^%%T
Submit your answers here:
whymirosh@gmail.com
Link to event monkey:
https://github.com/devgc/EventMonkey
It's the Forensic Lunch!
The twice a month live videocast/podcast all about DFIR
This episode's guests:
Phil Hagen
Eric Zimmerman
Links:
- Twitter: @SOF_ELK
- Config/code repo: http://for572.com/sof-elk-git
- VM readme (w/ instructions and download link):
It's the Forensic Lunch!
The twice monthly videocast/podcast just about #DFIR join us as we talk about whats new and what new things you can do!
This broadcast we are taking the time to update you on our own tools.
We talked about:
Pancake Viewer, an open source tool to visually explore forensic images and shadow copies (like an open source ftk imager), https://github.com/forensicmatt/PancakeViewer
Event Monkey, an open source and multi threaded event log parser that outputs to sqlite and ElasticSearch, https://github.com/devgc/EventMonkey
Event Monkey Monitor, a tool we are working on releasing that lets you monitor event logs in real time
pytskUSBDeviceForensics, a version of WoanWare's USB Device Forensics program that allows you to feed in images, https://github.com/woanware/usbdeviceforensics/blob/master/pyTskusbdeviceforensics.py
This episode is live from Enfuse with
Jake Williams and Heather Mahalik
Paul Shomo of Guidance Software
Ashley Hernandez of Guidance Software
Jeff Hedlesky of Guidance Software
Forensic Lunch live from EnFuse with Rob Batzloff talking about Encase 8, and James Wiebe talking about new advancements at CRU
The Forensic Lunch!
A special episode hosted by Nicole Ibrahim and featuring in no
particular order:
Mari Degrazia
Cindy Murphy
Heather Mahalik
Sarah Edwards
Shelly Giesbrecht
The forensic lunch!
The one hour, mostly, DFIR videocast/podcast
This weeks guest:
Jared Atkinson,@jaredcatkinson, talking about about DFIR in powershell or as he calls his toolset PowerForensics
What a great Forensic Lunch today with Jared Atkinson talking all about how to do forensics on a live system or mounted image with his Powershell framework PowerForensics.
You can grab your own copy of PowerForensics on Github here:
https://github.com/Invoke-IR/PowerForensics
Read his Blog here:
www.invoke-ir.com
Vote for him in the Forensic4Cast Awards here:
https://forensic4cast.com/forensic-4cast-awards/
Reminder I'm up for voting in another category as well!
and of course you can follow him on Twitter here:
https://twitter.com/jaredcatkinson
Btw, if you want to learn Windows Forensic with me I'm schedule to teach SANS FOR408 Windows Forensics in Houston May 9-14. You can find out more here:
https://www.sans.org/event/houston-2016/course/windows-forensic-analysis
The Forensic Lunch!
The one hour, mostly, videocast/podcast all about DFIR.
This weeks guests:
Maxime Lamothe-Brassard of Refraction Point talking about his project Lima Charlie https://github.com/refractionPOINT/li...
Ryan Nolette, Security Operations Lead at Carbon Black, talking about all of the ransomware variants he's been seeing and how shadow copies are affected
Us talking about how different tools deal with shadow copies and accessing deleted shadow copies
It's the forensic lunch!
This broadcast James and I go through the results of our testing of different file carving tools:
X-Ways Forensics
Bulk Extractor
Blade
Blackbag Blacklight
It's the Forensic Lunch! The one hour, mostly, videocast/podcast all about DFIR!
This weeks guests:
Austin Colby, Joe Sylve and Vico Marziale from Black Bag talking about the newest additions to the new version coming out in a matter of days.
The Forensic Lunch!
The 1 hour, usually, videocast/podcast that brings you the latest in new DFIR research, topics and people.
This weeks guests:
Hal Pomeranz,@hal_pomeranz, of Deer Run associates talking about updates to his Linux Memory Grabber and some research into bash_history behavior.
You can get the linux memory grabber he discussed here https://github.com/halpomeranz/lmg
Hal can be reached at hal@deer-run.com
Eric Zimmerman,@EricRZimmerman, of Kroll's cyber security practice talking about prefetch and explaining his tool to get more, as well as whats new in Windows 10 prefetch
You can get Eric's prefetch parser here: https://github.com/EricZimmerman/Prefetch
http://www.kroll.com/en-us/who-we-are/kroll-experts/eric-zimmerman
Matthew and I showing how to use the hfs+ journal parser and what to do with it
You can get the HFS+ Journal parser here: https://www.gettriforce.com/product/hfs-journal-parser/
The first new lunch of the new year with
Sarah Holmes of the Foreman project (Open Source DFIR Matter Management), You can get a copy (and contribute to!) foreman here:
https://bitbucket.org/lowmanio/foreman/
You can contact Sarah here: sarah@lowmanio.co.uk
Michael Robinson of the Black T-Shirt Cyber Forensics Challenge talking about well the Black T-Shirt Cyber Forensics Challenge
You can join the Black T-Shirt Cyber Forensics Challenge here:
http://cyberforensicschallenge.com/
You can contact them at cyberforensicschallenge@gmail.com
Our FSEvents tool will be released just as soon as we write documentation for it. Want an early release for testing? Email me dcowen@g-cpartners.com
Forensic Lunch!
This episode we are live from Google in Mountain View, California getting an update on their development projects.
Included are:
LibYAL
Forensic Artifact project
GRR (Google Rapid Response)
Rekall memory analysis platform
Plaso
Timesketch and more!
Forensic Lunch!
This weeks guests:
Andrew Case,@attrc, from the Volatility Project talking about Volatility 2.5, new plugins and the winners of this years Volatility Plugin Contest
Yogesh Kahtri, from Champlain, talking about SRUM forensics in Windows 8.1+. A truly amazing new artifact
Matt and I talking about our new open source tool Elastic Handler
The Forensic Lunch!
In this episode we are broadcasting live from OSDFCon with the following content:
1. A revised set of rules from our popular forensic game. This time we follow $10,000 pyramid rules to see which of two forensic teams can win!
2. Brian Carrier from Basis Technology talking about whats new Autopsy 4.0
3. Rob Fry from Netflix talking about their new open source framework called Fido and hanging with Kevin Spacey
4. Matthew and I talking about our new automation, normalization and correlation framework ElasticHandler
This week on the forensic lunch we have:
Dave Hawkins talking about his firms currently unbeaten contest, lampbash.work
Chris Pavan, talking about his computer forensics program at Cal State Fullerton and his work in IR at Bechtel
James Habben talking about his web based front end to volatility called eVOLVe and all the cool things you can do with it
This broadcast we have:
Mari Degrazia talking about testing MFT parsers and what goes into them.
Lee Whitfield talking about the events of the week
Suzanne Widdup talking about her work on the Verizon DBIR and a solicitation for your involvement
A talk about Cortana's location tracking storage