The Forensic Lunch with David Cowen and Matthew Seyer

The Forensic Lunch! The twice a month podcast devoted to Digital Forensics and Incident Response!
Sep 2, 2016

The Forensic Lunch!

The twice a month live videocast/podcast all about #DFIR!

This broadcast is all about running an isolated virtual network on Intel's newest NUC, the Skull Canyon. Watch the video to see us demonstrate running 5 VMs in an isolated virtual network on a small, fast and low-powered portable system.

You can get the Intel NUC Skull Canyon at amazon here: https://smile.amazon.com/Intel-NUC-Ki...

or at your local Microcenter or Fry's

This is the M.2 NVMe SSD drive I'm using to get 2GB/s reads and 1.5GB/s writes: https://smile.amazon.com/Samsung-950-...

This is the memory I used: https://smile.amazon.com/Crucial-16GB...

Here is the link to the free version of ESXi v6: https://my.vmware.com/en/web/vmware/e...

Expect a blog post where I go through the process

Aug 16, 2016

The Forensic Lunch!

The twice a month live videocast/podcast all about #DFIR!

This broadcast:
Matt Bromiley talking about filters he has made for Elastic Handler and work
Talking about the 1st Annual Defcon Forensic CTF
Updates to EventMonkey to work with EVTXtract from Willi Ballenthin and bringing in descriptions
and more!

Download the Defcon Forensics CTF Here:
https://forum.defcon.org/forum/defcon...

The password to extract:
,sli38pdsf;aj8387f*HKlnelne7fy7GUHMBNWlo9udsijw_kn3ohfsa8y^%%T

Submit your answers here:
whymirosh@gmail.com

Link to event monkey:
https://github.com/devgc/EventMonkey

Jul 29, 2016

It's the Forensic Lunch!

The twice a month live videocast/podcast all about DFIR

This episode's guests:
Phil Hagen
Eric Zimmerman

Links:
- Twitter: @SOF_ELK
- Config/code repo: http://for572.com/sof-elk-git
- VM readme (w/ instructions and download link):

Jul 15, 2016

It's the Forensic Lunch!

The twice monthly videocast/podcast just about #DFIR. Join us as we talk about what's new and what new things you can do!

This broadcast we are taking the time to update you on our own tools.

We talked about:
Pancake Viewer, an open source tool to visually explore forensic images and shadow copies (like an open source FTK Imager), https://github.com/forensicmatt/PancakeViewer
Event Monkey, an open source and multi-threaded event log parser that outputs to SQLite and Elasticsearch, https://github.com/devgc/EventMonkey
Event Monkey Monitor, a tool we are working on releasing that lets you monitor event logs in real time
pytskUSBDeviceForensics, a version of WoanWare's USB Device Forensics program that allows you to feed in images, https://github.com/woanware/usbdeviceforensics/blob/master/pyTskusbdeviceforensics.py

Jul 13, 2016

This episode is live from Enfuse with

Jake Williams and Heather Mahalik

Paul Shomo of Guidance Software

Ashley Hernandez of Guidance Software

Jeff Hedlesky of Guidance Software

Jul 13, 2016

Forensic Lunch live from EnFuse with Rob Batzloff talking about EnCase 8, and James Wiebe talking about new advancements at CRU

Apr 29, 2016

The Forensic Lunch!

A special episode hosted by Nicole Ibrahim and featuring in no particular order:

Mari Degrazia
Cindy Murphy
Heather Mahalik 
Sarah Edwards
Shelly Giesbrecht

Apr 8, 2016

The forensic lunch!

The one hour, mostly, DFIR videocast/podcast

This week's guest:

Jared Atkinson, @jaredcatkinson, talking about DFIR in PowerShell, or as he calls his toolset, PowerForensics

What a great Forensic Lunch today with Jared Atkinson talking all about how to do forensics on a live system or mounted image with his PowerShell framework PowerForensics.

You can grab your own copy of PowerForensics on Github here:
https://github.com/Invoke-IR/PowerForensics

Read his Blog here:
www.invoke-ir.com

Vote for him in the Forensic4Cast Awards here:
https://forensic4cast.com/forensic-4cast-awards/
Reminder: I'm up for voting in another category as well!

and of course you can follow him on Twitter here:
https://twitter.com/jaredcatkinson

Btw, if you want to learn Windows Forensics with me, I'm scheduled to teach SANS FOR408 Windows Forensics in Houston May 9-14. You can find out more here:
https://www.sans.org/event/houston-2016/course/windows-forensic-analysis

Mar 28, 2016

The Forensic Lunch!

The one hour, mostly, videocast/podcast all about DFIR.

This week's guests:
Maxime Lamothe-Brassard of Refraction Point talking about his project Lima Charlie https://github.com/refractionPOINT/li...

Ryan Nolette, Security Operations Lead at Carbon Black, talking about all of the ransomware variants he's been seeing and how shadow copies are affected

Us talking about how different tools deal with shadow copies and accessing deleted shadow copies

Mar 17, 2016

It's the forensic lunch!

In this broadcast James and I go through the results of our testing of different file carving tools:

X-Ways Forensics

Bulk Extractor

Blade

Blackbag Blacklight

Feb 27, 2016

It's the Forensic Lunch! The one hour, mostly, videocast/podcast all about DFIR!

This week's guests:
Austin Colby, Joe Sylve and Vico Marziale from Black Bag talking about the newest additions to the new version coming out in a matter of days.

Jan 22, 2016

The Forensic Lunch!

The 1 hour, usually, videocast/podcast that brings you the latest in new DFIR research, topics and people.

This week's guests:
Hal Pomeranz, @hal_pomeranz, of Deer Run Associates, talking about updates to his Linux Memory Grabber and some research into bash_history behavior.

You can get the Linux Memory Grabber he discussed here: https://github.com/halpomeranz/lmg

Hal can be reached at hal@deer-run.com

Eric Zimmerman, @EricRZimmerman, of Kroll's cyber security practice, talking about prefetch and explaining his tool to get more out of it, as well as what's new in Windows 10 prefetch

You can get Eric's prefetch parser here: https://github.com/EricZimmerman/Prefetch

http://www.kroll.com/en-us/who-we-are/kroll-experts/eric-zimmerman

Matthew and I showing how to use the HFS+ journal parser and what to do with it

You can get the HFS+ Journal parser here: https://www.gettriforce.com/product/hfs-journal-parser/

Jan 8, 2016

The first new lunch of the new year with

Sarah Holmes of the Foreman project (open source DFIR matter management). You can get a copy of (and contribute to!) Foreman here:
https://bitbucket.org/lowmanio/foreman/

You can contact Sarah here: sarah@lowmanio.co.uk

Michael Robinson of the Black T-Shirt Cyber Forensics Challenge talking about, well, the Black T-Shirt Cyber Forensics Challenge.
You can join the Black T-Shirt Cyber Forensics Challenge here:
http://cyberforensicschallenge.com/

You can contact them at cyberforensicschallenge@gmail.com

Our FSEvents tool will be released just as soon as we write documentation for it. Want an early release for testing? Email me dcowen@g-cpartners.com

Nov 23, 2015

Forensic Lunch!

In this episode we are live from Google in Mountain View, California, getting an update on their development projects.

Included are:

LibYAL

Forensic Artifact project

GRR (Google Rapid Response)

Rekall memory analysis platform

Plaso

Timesketch and more!

Nov 23, 2015

Forensic Lunch!
This week's guests:
Andrew Case, @attrc, from the Volatility Project talking about Volatility 2.5, new plugins and the winners of this year's Volatility Plugin Contest

Yogesh Khatri, from Champlain, talking about SRUM forensics in Windows 8.1+. A truly amazing new artifact

Matt and I talking about our new open source tool Elastic Handler

Nov 2, 2015

The Forensic Lunch!

In this episode we are broadcasting live from OSDFCon with the following content:

1. A revised set of rules from our popular forensic game. This time we follow $10,000 pyramid rules to see which of two forensic teams can win!

2. Brian Carrier from Basis Technology talking about what's new in Autopsy 4.0

3. Rob Fry from Netflix talking about their new open source framework called Fido and hanging with Kevin Spacey

4. Matthew and I talking about our new automation, normalization and correlation framework ElasticHandler

Oct 15, 2015

This week on the forensic lunch we have:

Dave Hawkins talking about his firm's currently unbeaten contest, lampbash.work

Chris Pavan, talking about his computer forensics program at Cal State Fullerton and his work in IR at Bechtel

James Habben talking about his web based front end to volatility called eVOLVe and all the cool things you can do with it

Oct 15, 2015

This broadcast we have:

Mari Degrazia talking about testing MFT parsers and what goes into them.

Lee Whitfield talking about the events of the week

Suzanne Widup talking about her work on the Verizon DBIR and a solicitation for your involvement

A talk about Cortana's location tracking storage
