Digital Forensics

  • Most Topular Stories

  • What does that "look like"?

    Windows Incident Response
    Harlan Carvey
    21 Aug 2014 | 5:43 pm
    We've heard this question a lot, haven't we? I attended a conference about 2 1/2 years ago, and the agenda for that conference had about half a dozen or more presentations that contained "APT" in their title.  I attended several of them, and I have to say...I walked out of some of them.  However, hearing comments from other attendees, many folks felt exactly the same way; not only were they under-whelmed, but I heard several attendees express their disappointment with respect to the content of these presentations.  During one presentation, the speaker stated that the bad guys,…
  • Air Force Leaders Should Read This Book

    TaoSecurity
    Richard Bejtlich
    21 Aug 2014 | 6:56 pm
    I just finished reading The Icarus Syndrome: The Role of Air Power Theory in the Evolution and Fate of the U.S. Air Force by Carl Builder. He published this book in 1994 and I wish I had read it 20 years ago as a new Air Force second lieutenant. Builder makes many interesting points in the book, but in this brief post I'd like to emphasize one of his concluding points: the importance of a mission statement. Builder offers the following when critiquing the Air Force's mission statement, or lack thereof, around the time of his study: [Previous] Air Force of Staff, General John P. McConnell,…
  • Computer Crime or Legitimate Research?

    Forensic Focus
    22 Aug 2014 | 4:20 am
    One researcher digs into Windows, discovers a flaw (and a fix), and receives $100,000 from Microsoft. Another, threatened with prosecution for alleged hacking, becomes despondent and takes his own life. At the Black Hat 2014 conference, an all-star panel discussed the tough decisions researchers have to make, and the legal landmines that can pop up. The panel started by reviewing five significant legal landmines that could land researchers in a heap of trouble. They admitted this portion of the presentation might seem a bit dry, but encouraged attendees to hold on for full, open discussion...
  • What Will Ease Healthcare's Heartburn Over 'Heartbleed'?

    (ISC)2 Blog
    Dan Waddell
    22 Aug 2014 | 2:00 pm
    One of the latest breaches to hit the news took place at Community Health Systems (CHS), affecting an estimated 4.5 million patients.  According to principal security consultant and founder of TrustedSec, David Kennedy, the initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability that led to the compromise of the information.  What is especially noteworthy about this particular attack is its impact on the healthcare community.  Major data breaches such as the one at Target last year put the spotlight on how retailers need to do a better job at…
  • EnCase v7 EnScript to find files based on MD5 hash values

    Computer Forensics, Malware Analysis & Digital Investigations
    18 Aug 2014 | 5:02 pm
    I had written a version of this years ago for EnCase v6 and I was recently asked to update it for EnCase v7. One EnScript listed below will generate a text file of SELECTED files. That text file can then be used on subsequent cases to help find/identify files with the same hash value. To use, you do not need to generate hash values; the EnScript will do it automatically. The second EnScript is also optimized to match file sizes first before generating/comparing hash values to help reduce the time needed for the comparison, thus saving the need to hash everything in the…

    Windows Incident Response

  • Book Review: "The Art of Memory Forensics"

    Harlan Carvey
    30 Jul 2014 | 9:42 am
    I recently received a copy of The Art of Memory Forensics (thanks, Jamie!!), with a request that I write a review of the book.  Being a somewhat outspoken proponent of constructive and thoughtful feedback within the DFIR community, I agreed. This is the seminal resource/tome on memory analysis, brought to you by THE top minds in the field.  The book covers Windows, Linux, and Mac memory analysis, and as such must be part of every DFIR analyst's reading and reference list.  The book is 858 pages (not including the ToC, Introduction, and index), and is quite literally packed with…
  • File system ops, testing phase 2

    Harlan Carvey
    24 Jul 2014 | 1:11 pm
    As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT, and the USN change journal.  My thoughts were that if an intruder were accessing a system via RDP, they might not do the drag-and-drop method to move files, or if they were accessing the system via a RAT and they only had command line access, they might use native, command line tools to conduct file operations. Testing Protocol: All of the same conditions exist from the previous tests,…
  • File system ops, effects on MFT records

    Harlan Carvey
    22 Jul 2014 | 2:48 pm
    I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.  I wanted to take a look at the effects of different actions to see what they "look like" within the individual records, as well as within the USN change journal, in hopes that things would pop out that could be used during forensic exams.  Once I completed my testing, I decided to share what I'd done and what I'd found, in hopes that others…
  • Random Stuff

    Harlan Carvey
    10 Jul 2014 | 5:28 am
    Host-Based Digital Analysis: There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination.  There are a lot of researchers with specific skill sets in network traffic analysis, malware reverse engineering, etc. One of the benefits I find in host-based analysis is that the disk is one of the least volatile of the data sources.  Ever been asked to answer the "what data left our organization" question definitively?  Most often, the answer to that question is, if you didn't conduct full packet capture when…
 

    TaoSecurity

  • On the Twenty Years Since My USAFA Graduation

    Richard Bejtlich
    1 Jun 2014 | 4:00 pm
    Twenty years ago today, on 1 June 1994, 1024 of us graduated from the United States Air Force Academy, commissioned as brand new second lieutenants. As of September 2012, over 600 members of the class of 1994 were still in uniform. I expect that number is roughly the same today. Reaching the 20 year mark entitles my classmates still in uniform to retire with lifetime benefits, should they choose to do so. I expect some will, but based on patterns from earlier classes I do not expect a massive exodus. The economy is still in rough shape, and transitioning from the military to the private…
  • Video of Bejtlich at Cyber Crime Conference 2014

    Richard Bejtlich
    14 May 2014 | 9:07 am
    On Tuesday the 29th of April I delivered a keynote at the US Cyber Crime Conference in Leesburg, VA. The video is online although getting to it is more complicated than clicking on a link to YouTube. Here's what I did to access the video. First, visit this link for a "SabreCity" account. Fill in your "information" and click Register. You will then see a rude message saying "Registration for this conference is now closed." That's no problem. From the same browser now visit this link to go to the SabreCity "lobby." Click the "On Demand" button on the right side of the screen. Now you can access all…
  • Brainwashed by The Cult of the Quick

    Richard Bejtlich
    3 May 2014 | 5:59 pm
    Faster is better! Those of us with military backgrounds learned that speed is a "weapon" unto itself, a factor which is "inherently decisive" in military conflict. The benefit of speed was so ingrained into my Air Force training that I didn't recognize I had been brainwashed by what Dr. Thomas Hughes rightly identified as The Cult of the Quick. Dr. Hughes published his article of this title in the Winter 2001 issue of the Aerospace Power Journal. His main point is the following: At a time when the American military has global commitments arrayed at variable threats, both real and potential, the…
  • Five Thoughts on New China Article

    Richard Bejtlich
    24 Apr 2014 | 6:47 am
    I just read a thoughtful article by Michael O'Hanlon and James Steinberg, posted at Brookings and Foreign Policy titled Don't Be a Menace to South (China Sea). It addresses thorny questions regarding China as President Obama visits South Korea, Japan, Malaysia, and the Philippines. I wanted to share five quick thoughts on the article, fully appreciating I don't have all the answers to this complex strategic problem. 1. "Many in China see the U.S. rebalance as ill-disguised containment, while many in the United States see Chinese military modernization and territorial assertiveness as…

    Forensic Focus

  • Oxygen Forensic® Passware® Analyst Acquires Protected Mobile Devices Data

    20 Aug 2014 | 4:37 am
    Oxygen Forensics announces the release of Oxygen Forensic® Passware® Analyst, a new mobile forensic tool integrating Oxygen’s award-winning acquisition and analytic tools with Passware’s password recovery and data extraction. The new tool integrates mobile acquisition, data extraction, password recovery and evidence analysis into a single smooth workflow. The newly added password recovery module engages automatically if a password-protected or encrypted data backup or image is encountered, offering smooth automatic recovery and extraction of protected data with no manual operations…
  • Forensic Focus Forum Round-Up

    19 Aug 2014 | 1:48 am
    Welcome to this round-up of recent posts to the Forensic Focus forums. A forum member unearths a very old hard drive; how can it be analysed? Is it possible to retrieve IP information by logging into a Hotmail account? Forum members discuss the reasons for using commercial vs. open source software. An MSc student is interested in forensics professionals’ opinions about the key issues investigators face in cloud forensics. Forum members give their recommendations for rebuilding RAID arrays. How can an active file and a deleted file have completely identical timestamps? Forum members discuss…
  • Why are LNK Files Important to Your Digital Forensics Investigation?

    18 Aug 2014 | 6:32 am
    LNK files are excellent artifacts for forensic investigators who are trying to find files that may no longer exist on the system they’re examining. The files might have been wiped or deleted, stored on a USB or network share, so although the file might no longer be there, the LNK files associated with the original file will still exist (and reveal valuable information as to what was executed on the system). LNK files typically contain the following items of evidentiary value... Read More (Magnet Forensics)
  • Interview with Emlyn Butterfield, Course Leader, Leeds Metropolitan University

    14 Aug 2014 | 7:23 am
    Emlyn, you’re currently Course Leader in Computer Forensics, Security & Ethical Hacking at Leeds Metropolitan University. Could you tell us more about the role and how you entered academia? As course leader it is my responsibility to maintain a healthy set of courses. By healthy I mean happy students, staff, good student intakes each year and courses that are fit for purpose. I, along with my team, try to ensure that the courses are designed and refreshed in line with industry: to allow us to do this we utilise industry experts as advisors, providing ideas and critical feedback on the…
 

    (ISC)2 Blog

  • Introducing the Automotive Industry to Information Security: I Am The Cavalry Steers Call to Action

    Hord Tipton
    22 Aug 2014 | 6:41 am
    The Internet of Things (IoT) is already affecting nearly all aspects of life, and it’s just getting started. Some of the most promising IoT applications occur in the auto industry, but as technological innovation outpaces security, millions of Americans’ physical safety is put at risk. Cars can already parallel park themselves, steer you back into your lane if you start drifting, and automatically slow down if you get too close to the vehicle in front of you. More and more cars are being controlled by computers, not humans. It’s not hard to envision cars of the near-future with the…
  • Why we continue to fail on cyber security

    Sorin Mustaca
    30 Jul 2014 | 6:26 am
    I've been asked a lot of times, especially when I was working for an antivirus producer, why we can't simply write software that always protects the users. Well, there is a short answer and a long answer. Short answer: Because 100% security does not exist and because most people are hackable due to being ignorant of what security is (of course, until he/she is hacked the first time, and sometimes not even after such an event). Long answer, which I massively shortened by not touching all areas and not going into details: The reason is the ignorance about everything that might…
  • The Luxury of Privacy

    David Harley
    29 Jun 2014 | 9:47 am
    I was asked – as happens from time to time – for commentary for an upcoming security article. (As also happens from time to time, I have no idea whether the journalist has used it or not. Since the request came via an agency, I don’t actually know the who or where, either, so I feel quite comfortable about expanding on that commentary here…) In this case, the topic was a report from Silent Circle. I’d be happy to provide a link to it, but I haven’t been able to find one. Apparently, though, the report summarizes the opinions of 1,000 people in the UK regarding privacy, just…
  • So. What is special about Infosecurity Europe?

    Lea Hatzopoulos
    24 Apr 2014 | 12:56 pm
    This year will be my 7th Infosecurity Europe as an (ISC)2 staff member. For those who are not familiar, Infosecurity Europe (we call it “infosec”) is the largest tradeshow for security professionals where 13,000 people meet over 3 days. What is so special about Infosec and why would an (ISC)2 member care? Infosec attracts the largest number of (ISC)2 members from Europe - more than 600 over 3 days. This is a good opportunity for each member to learn something new: whether it is CPEs related, (ISC)2 programmes, at the free extensive education sessions, products showcased in the…

    Computer Forensics, Malware Analysis & Digital Investigations

  • EnCase v7 EnScript to quickly provide MD5/SHA1 hash values and entropy of selected files

    10 Apr 2014 | 9:22 pm
    I recently had the need to quickly triage and hash several specific files within a case, but I did not want to (or possibly could not) run the "process evidence" option to generate hash values for *all* files. EnCase v7 has the ability to generate hash values of selected files through the right-click context menu -> Entries -> Hash/Sig Selected files. The downside to this option is that it requires you to close the "evidence" tab and then reopen it, causing you to lose your place/highlighted file. So I wanted a way to quickly generate the MD5 & SHA1 hash so that I could…
  • EnCase EnScript to show file summary of user's profile by extension

    20 Mar 2014 | 10:33 pm
    This is another "quick hit" EnScript to generate a quick report on the types of files under a user's profile based on file extensions. The EnScript will automatically create an Excel spreadsheet, with a sheet for each user, showing the total number of files for each extension and the total number of bytes for each extension, percentage for each extension and total bytes for each summary. Folders and files with zero logical size are ignored. Download: EnCase v6 EnScript
  • EnCase EnScript to parse each NTUSER.DAT for RecentDocs

    19 Mar 2014 | 9:20 pm
    This EnScript is another "quick hit" to parse out all the recently accessed files recorded in the user's NTUSER.DAT: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. When run, it will parse each NTUSER.DAT and display the results in console, as well as automatically open Excel (Excel is required to be installed on the examiner's machine in order to use this EnScript) and create a worksheet for each user processed. The EnScript will also create a bookmark for each user. It will put the date the registry key was last modified in the comment section of each…
  • EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

    19 Mar 2014 | 10:20 am
    This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal Server client for each user. The EnScript checks Software\Microsoft\Terminal Server Client\Default for each NTUSER.DAT and displays/bookmarks any values. *The link below has been updated to an EnScript that can be run in either v6 & v7. Download: EnCase v6 & v7
 

    viaForensics

  • viaForensics Awarded Prestigious SBIR Phase III Contract

    KevinS
    20 Aug 2014 | 12:47 pm
    FOR IMMEDIATE RELEASE For more information contact: Ethan Rasiel Lightspeed PR ethan@lightspeedpr.com 917-770-9435 VIAFORENSICS AWARDED PRESTIGIOUS SBIR PHASE III CONTRACT Small Business Innovation Research Contract from U.S. Gov’t Recognizes viaForensics’ Contributions to Mobile Forensics OAK PARK, ILL, August 20, 2014– viaForensics, which helps enterprises and consumers keep mobile data secure and private, is proud to announce that it is the recipient of a Small Business Innovation Research (SBIR) Phase III contract from the Department of Homeland Security (DHS) Science &…
  • Webinar: The Benefits of Jailbreaking iOS Devices

    Linnea
    13 Aug 2014 | 3:04 pm
    Next Tuesday, August 19, Katie Strzempka (@kstrzemp), Director of Mobile Services, is hosting a viaTalk at 1pm CDT. The webinar will discuss the benefits of jailbreaking, a method that allows a user extra privileges on his or her device in order to access more information. Why jailbreak? Jailbreaking is a method that is used to get escalated privileges on iOS devices (similar to rooting on Android). The additional privileges allow deeper analysis of both the device and its applications, and increase the possibilities for data recovery.
  • Terence Fernandes hosts #viaTalks

    Linnea
    6 Aug 2014 | 2:57 pm
    How to Complete Free App Security Assessments with viaLab CE: Terence Fernandes, mobile security engineer at viaForensics, will be hosting a viaTalk on August 12 at 1pm CDT. He will discuss the features of the new viaLab Community Edition (CE) product to be released shortly. This webinar will show you how to quickly test the security of most applications on Android and iOS. What is viaLab CE? viaLab CE is the free version of our viaLab enterprise software which does automated testing of mobile applications. Terence will do a live demonstration of viaLab and detail each of the…
  • New viaLab 3.0 Features

    Terence Fernandes
    24 Jul 2014 | 4:34 pm
    Device Provisioning: Test your app on any* Android or iOS device. viaLab now automates the device provisioning process, which allows you to take nearly any phone and provision it yourself for use in viaLab. Interested in seeing how your app works on one Android model vs the other? Provision both and test. *NOTE: This feature is still in beta. While we test on as many devices as we can, functionality is not guaranteed on all devices. Please consult our support page for a full listing of known supported devices. Software-Based Licensing: Free up your USB. Experience the new dongle-free viaLab…
  • Phil Weber Hosts #viaTalks: Design Challenges in Mobile App Development on 8/5

    Linnea
    24 Jul 2014 | 3:20 pm
    Phil Weber (@PhilipWeber), Director of User Experience at viaForensics, will be hosting a viaTalk on August 5 at 1pm CDT. He will explore the three big-picture steps toward providing a fantastic user experience to consumers of mobile apps. Phase 1: The first phase is designing a successful prototype for the app. The designers mock up an app and engineer an effective flow, making sure the content is easily accessible. Phase 2: The next step is to build the app via a collaborative effort with the mobile developers. This requires a delicate balance to correct issues that arise from one side while…

    DFI News All

  • Stealing Encryption Keys through the Power of Touch

    eaustin
    22 Aug 2014 | 7:47 am
    Researchers from Tel Aviv University have demonstrated an attack against the GnuPG encryption software that enables them to retrieve decryption keys by touching exposed metal parts of laptop computers.
  • Know Your Advanced Persistent Threats' Unknowns

    eaustin
    22 Aug 2014 | 7:26 am
    When APTs (Advanced Persistent Threats) are discovered, network security operations professionals are instantly under pressure to explain and resolve the problems swiftly. Without a robust understanding of the context, network traffic and content, SecOps professionals are often left to rely on informed guesses and not verifiable facts.
  • Europe Bombarded with Cyber Attacks from Russia

    eaustin
    22 Aug 2014 | 7:22 am
    The majority of cyber attacks on northern European targets come from machines in Russia, while China is the number one source of threats aimed at the US, according to new honeypot data collected by Alert Logic.
  • Digital Clues Leading the Hunt for ISIS Killer

    eaustin
    22 Aug 2014 | 6:52 am
  • Hacker or Military? Best of Both in Cyber Security

    eaustin
    22 Aug 2014 | 6:06 am
    How are ex-military and ex-hackers different? For starters, security guys with a military background are more likely to have a “traditional career.” This typically includes a degree from a four-year university, a series of jobs with certifications, and formal recognition that one would expect from a military person.

    Secure Hunter Anti-Malware » Secure Hunter Blog

  • US warns 'significant number' of major businesses hit by Backoff malware

    shadmin
    22 Aug 2014 | 3:18 pm
    More than 1,000 major enterprise networks and small and medium businesses in the U.S. have been compromised by a recently discovered malware package called "Backoff" and are probably unaware of it, the U.S. Department of Homeland Security (DHS) said in a cybersecurity alert on Friday. (Computerworld)
  • Microsoft engineer: ‘Definitely problems’ with test process after crippling Windows patch

    shadmin
    22 Aug 2014 | 7:20 am
    A week after Microsoft pulled a Patch Tuesday update that crippled some Windows 7 PCs, the company has yet to provide a working fix for either the original flaw or the resulting problem. (Computerworld)
  • UPS now the third company in a week to disclose data breach

    shadmin
    20 Aug 2014 | 11:20 pm
    Credit and debit card information belonging to customers who did business at 51 UPS Store Inc. locations in 24 U.S. states this year may have been compromised. (Computerworld)
  • A New Spin on Rogue Antivirus

    shadmin
    20 Aug 2014 | 5:52 pm
    Rogue antivirus malware is on the decline, but a new, simpler version of that threat that simply redirects users to the site of a fake malware protection service has been infecting users around the world. (Threatpost)
  • ‘Reveton’ ransomware adds powerful password stealer

    shadmin
    20 Aug 2014 | 7:20 am
    A type of malware called Reveton, which falsely warns users they’ve broken the law and demands payment of a fine, has been upgraded with powerful password stealing functions, according to Avast. (Computerworld)
 