Digital Forensics

  • Most Topular Stories

  • "DFIRCON EAST Smartphone Forensics Challenge"

    SANS Digital Forensics and Incident Response Blog
    hmahalik
    17 Jul 2014 | 12:58 am
    DFIRCON EAST Smartphone Forensics Challenge: https://www.surveymonkey.com/s/Smartphone-Challenge The smartphone dataset contains malware and an iOS backup file. The goal is to highlight application data often missed by forensic tools. Your job? Find it. The object of our challenge is simple: Download the smartphone dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on September 30th, 2014…
  • File system ops, effects on MFT records

    Windows Incident Response
    Harlan Carvey
    22 Jul 2014 | 2:48 pm
    I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.  I wanted to take a look at the effects of different actions to see what they "look like" within the individual records, as well as within the USN change journal, in hopes that things would pop out that could be used during forensic exams.  Once I completed my testing, I decided to share what I'd done and what I'd found, in hopes that others…
  • Authorization Vulnerability in Yahoo! Pipes

    Checkmate
    Vinesh Redkar
    2 Jul 2014 | 10:51 pm
    Recently, I found an interesting issue qualifying on Yahoo! Pipes. But before going into the details of this specific issue, let’s understand some basic points. What does Authorization mean? In general, authorization relates to the set of activities which a user can perform once logged on to a particular system. This is typically divided into Read More...
  • Forensic Focus Forum Round-Up

    Forensic Focus
    18 Jul 2014 | 8:10 am
    Welcome to this round-up of recent posts to the Forensic Focus forums. Forum members discuss the best way to retrieve Facebook profile data. What does it mean when a mail header shows two X-Originating IP addresses? Forensic imaging of a USB with a corrupt file system. Forum members discuss how to find an XLS file on a computer that has been reformatted. Unexpected SQLite field data in WhatsApp databases provokes discussion on the forum. Forum members discuss how to process several thousand images on a hard drive. Do you have any recommendations for mobile forensic tools? Add yours in the…
  • The Luxury of Privacy

    (ISC)2 Blog
    David Harley
    29 Jun 2014 | 9:47 am
    I was asked – as happens from time to time – for commentary for an upcoming security article. (As also happens from time to time, I have no idea whether the journalist has used it or not. Since the request came via an agency, I don’t actually know the who or where, either, so I feel quite comfortable about expanding on that commentary here…) In this case, the topic was a report from Silent Circle. I’d be happy to provide a link to it, but I haven’t been able to find one. Apparently, though, the report summarizes the opinions of 1,000 people in the UK…

    SANS Digital Forensics and Incident Response Blog

  • "Hibernation Slack: Unallocated Data from the Deep Past"

    johnmccash
    30 Jun 2014 | 9:36 pm
    Hi Folks, I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, but it's always worth a look. My initial examination showed that even unallocated space had been largely overwritten during the six month post reinstall period. Even the fragments I was able to recover from file slack were largely useless. Then I got some very…
  • "Getting the most out of Smartphone Forensic Exams - SANS Advanced Smartphone Forensics Poster Release"

    cindymurphy2412
    24 Jun 2014 | 2:13 am
    There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner's brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information that can help to jumpstart their forensics exams and/or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster…
  • "SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros"

    Lenny Zeltser
    5 Jun 2014 | 4:16 am
    SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.
  • "Managing and Exploring Malware Samples with Viper"

    Lenny Zeltser
    4 Jun 2014 | 12:23 am
    Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool.

    Windows Incident Response

  • Random Stuff

    Harlan Carvey
    10 Jul 2014 | 5:28 am
    Host-Based Digital Analysis: There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination. There are a lot of researchers with specific skill sets in network traffic analysis, malware reverse engineering, etc. One of the benefits I find in host-based analysis is that the disk is one of the least volatile of the data sources. Ever been asked to answer the "what data left our organization" definitively? Most often, the answer to that question is, if you didn't conduct full packet capture when…
  • RegRipper

    Harlan Carvey
    30 Jun 2014 | 4:36 pm
    Just a reminder to everyone out there that the OFFICIAL download link for the most current version of RegRipper is available from the link found here, or here (i.e., at the "RegRipper download" link). Some folks have reached out to me recently and said, "I have the most recent download...", and that's apparently not been the case. I left the Google Code page for RegRipper populated in part because there is some information that I put in the Wiki pages that I still want to be able to access. Just a note...if you think that the download link is broken, be sure to check to see if…
  • Book Writing: To Self-Publish, or Not

    Harlan Carvey
    22 May 2014 | 4:10 am
    The CEIC Conference is going on as I write this, and Suzanne Widup's author panel went on yesterday. I'm not at the conference, so like many others, I live vicariously through what gets Tweeted about the conference, as well as about specific portions of the conference, such as the panel. I saw a question posted to Twitter, in which the tweeter asked, "for the panel, why not self-publish like RTFM?" My initial thought was, you need to consider the members of the panel and the books they've written or co-authored; those titles really don't lend themselves too well to a format…
  • Artifacts

    Harlan Carvey
    17 May 2014 | 5:11 am
    I received a request right before WFA 4/e hit the streets...after the writing and editing was complete and while the printed book was being shipped...to "talk about anti-forensics".  Unfortunately, at this point, I still haven't heard any more than just that, but I've had more than a couple of instances where knowledge of artifacts and Windows structures has allowed me to gather valuable data for analysis, even when the bad guy took steps, however unknowingly, to remove other artifacts.  I say "unknowingly" because sometimes the steps taken may not specifically be intended to be…

    Checkmate

  • LinkedIn Cross-Site-Scripting (XSS) & Content Spoofing Vulnerability

    Sunil Yadav
    30 Jun 2014 | 8:47 pm
    Couple of days back, I reported XSS and Content Spoofing on LinkedIn. Here are the details of the issues. Cross Site Scripting: What is Cross Site Scripting? XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session Read More...
  • IT Act 2000 – Penalties, Offences With Case Studies

    checkmate
    24 Jun 2014 | 2:57 am
    Objectives of IT legislation in India: The Government of India enacted its Information Technology Act 2000 with the objectives stating officially as: “to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to Read More...
  • Owning The Enterprise With HTTP PUT

    Omair
    30 Apr 2014 | 3:35 am
    During a routine penetration testing engagement, we found an IIS webserver with HTTP methods (verbs) like PUT and DELETE enabled on it. During enumeration of the web server we figured it was configured to run PHP as well. The PUT method allows an attacker to place a file on the server. Uploading a web shell Read More...
  • Analysis of Malware: Detecting Behavior & Anti-Reversing Techniques

    Sanoop Thomas
    17 Apr 2014 | 2:42 am
    Scenario: One of our clients observed a suspicious behavior in a program and wanted us to analyze and identify if any malicious activities were being performed by the same. The program wasn’t detected by their anti-virus solution during ‘file access operations’. However, some unusual outbound network traffic triggered alerts from the network monitoring team. Filename Read More...

    Forensic Focus

  • Dark net 'used by tens of thousands of paedophiles'

    16 Jul 2014 | 6:29 am
    Tens of thousands of paedophiles are using the so-called dark net to trade images of sexual abuse, an investigation by BBC News indicates. One site receives as many as 500 page views per second, its founder says. Figures from another site suggest Brits are heavily involved in producing and distributing illegal obscene images. Britain's National Crime Agency warned in its 2014 threat assessment that abusers were turning to anonymous sites and encryption technology... Read More (BBC)
  • Finding and Analyzing Document Files with IEF

    15 Jul 2014 | 7:29 am
    Analyzing documents to prove their authenticity has been one of the cornerstones of computer forensics and is still an important part of the investigative process to this day. Whether you’re investigating documents in a fraud case, an IP theft, or from a malware/phishing intrusion, proper document analysis is essential to help uncover the truth in many investigations. New to Internet Evidence Finder v6.4 is the ability to recover and analyze documents found on a suspect’s PC. Available with the OS & Business Apps module, IEF is now able to recover Microsoft Office documents including…
  • Approximate Matching Helps Digital Forensics Find Similar Artifacts Among Data

    15 Jul 2014 | 6:28 am
    According to the National Institute of Standards and Technology (NIST), approximate matching is a technology that can be used in a variety of settings, including digital forensics, security monitoring and data filtering. It involves locating similarities among pieces of digital data to match objects that are alike or to find objects that contain other objects. Such technology will likely become invaluable in upcoming years as the amount of information collected and used becomes even more overwhelming... Read More (ITBusinessEdge)
  • Job Vacancies: Various Digital Forensics Posts (Blackthorn, London)

    14 Jul 2014 | 7:41 am
    Due to continued growth and expansion Blackthorn are looking to recruit to a number of digital forensic positions in London. We are particularly looking for the following: Computer Analysts (3 years plus experience); Computer Analysts (1-2 years experience); Mobile Device Specialists (1 year plus experience); Experienced Cell Site Specialists. We would also like to hear from you if you have skills in areas such as Incident Response and Network Forensics. Ideally you will have experience of law enforcement and corporate work but candidates will be considered if they have experience in either...

    (ISC)2 Blog

  • So. What is special about Infosecurity Europe?

    Lea Hatzopoulos
    24 Apr 2014 | 12:56 pm
    This year will be my 7th Infosecurity Europe as an (ISC)2 staff member. For those who are not familiar, Infosecurity Europe (we call it “infosec”) is the largest tradeshow for security professionals where 13,000 people meet over 3 days. What is so special about Infosec and why would an (ISC)2 member care? Infosec attracts the largest number of (ISC)2 members from Europe - more than 600 over 3 days. This is a good opportunity for each member to learn something new: whether it is CPEs related, (ISC)2 programmes, at the free extensive education sessions, products showcased in the…
  • Look to (ISC)2 for Cybersecurity Resources and Support for Academia

    Dr. Jo Portillo
    17 Apr 2014 | 12:08 pm
    As (ISC)2 celebrates its 25th anniversary, we continue to branch out to offer new ways to help meet the demand for more skilled cybersecurity professionals through community support programs. To help provide cybersecurity resources and support to the global academic community, I am proud to announce the launch of the (ISC)2 Global Academic Program (GAP)! My name is Dr. Jo Portillo and I am in charge of managing the development and implementation of this program. As an educator and advocate for academic-industry collaboration, I am thrilled to introduce this initiative, which has been part of…
  • Assessing decision-making skills of information security professionals is crucial for developing and sustaining talent.

    Jason Young
    17 Mar 2014 | 10:06 am
    I have been intrigued by the recent dialogue surrounding how to keep security professionals up to date with the latest information.  More specifically, identifying the skills that are critical for individuals to have as defined by their leadership to protect the business from future disaster.  Everything from in-depth security best practices to software development skills to industry specific protocol and regional variations has been noted as important.  My question to leadership is this:   How have you assessed your security professionals’ decision-making…
  • What will it take to Prioritize Security in Healthcare?

    Amanda D'Alessandro
    28 Feb 2014 | 6:57 am
    With security breaches dominating news headlines daily, those responsible for securing our systems, networks, and devices are struggling to keep pace with the evolving threat landscape. Perhaps some of the most concerning potential breach data comes from the healthcare industry where we entrust our most personal information—social security number, birth date, medical history—as well as our immediate family members’ sensitive information to medical care providers. Further, medical devices rely on secure IT networks to function properly and deliver continuous, critical care to patients…

    viaForensics

  • New viaExtract 2.3 New Features: Deleted Data Recovery, ‘su’ Support, More

    KevinS
    23 Jul 2014 | 9:51 am
    viaExtract, our forensic software that offers guided data acquisitions, flexible reporting, and cutting-edge utilities for Android devices, just got even more powerful as it now includes deleted data recovery, ‘su’ support, additional data acquired during logical acquisitions, and much more. How To Purchase. Deleted Data Recovery: Get to the data you weren’t supposed to see. viaExtract now acquires deleted data from SQLite databases by automatically parsing SMS, Calls, and downloads – providing you more data than ever before. Deleted data recovered in viaExtract…
  • When a vulnerability is not really a vulnerability

    Andrew Hoog
    17 Jul 2014 | 2:30 pm
    A recently disclosed vulnerability in Google’s iOS Gmail App has seen some significant headlines. The vulnerability allows attackers to perform Man-in-the-Middle attacks to view and even modify encrypted communications. Which sounds pretty scary, until you dig a little deeper. “The problem… is that Gmail on iOS currently lacks what’s known as ‘certificate pinning… [which is a] measure that developers can build in to their apps to mitigate attacks that dupe victims into installing a malicious configuration profile.” (ZDNet, 2014) It’s like saying…
  • CEO Andrew Hoog to present at Tech in Motion: Chicago on 7/23

    Linnea
    17 Jul 2014 | 11:49 am
    viaForensics co-founder and CEO Andrew Hoog (@ahoog42) will be giving a presentation next week at the Future of Mobile Security and Scalability event held by Tech in Motion: Chicago. About the Demo: Andrew will demonstrate how an attacker targets and compromises a mobile device. Then, he will show how this attacker can gain access to sensitive corporate data. After the demonstration, Andrew will join the panelists to discuss the current landscape of mobile security, including behavior monitoring and whitelisting, as well as possibilities and risks for the future, and finish up with a Q&A…
  • Top 3 Tips for BYOD Employers

    Andrew Hoog
    15 Jul 2014 | 10:43 am
    Recently I sat down with Avnet CIO Steve Phillips to talk about mobile security during the invitation-only Avnet IT Security Summit. Steve and I touched upon a number of key topics in mobile security, from targeted attacks, to leaky apps, to the ineffectiveness of mobile anti-virus programs. During the discussion, I shared my top three tips for IT professionals managing a BYOD workplace: Measure: To understand the risks your enterprise faces, you need a way to measure and quantify it. Only then will you be able to take concrete actions to mitigate this risk. Educate your employees: Your…
  • July 8 webinar – Embracing BYOD and BYOSecurity

    KevinS
    7 Jul 2014 | 9:53 am
    Webinar: Embracing BYOD and BYOSecurity – How you can do it, and do it right. When: July 8, 2014, 1:00 PM CDT. Abstract: While BYOD continues to proliferate in the workplace, security has failed to catch up. CEO Andrew Hoog will discuss current BYOD trends, uncover some myths about BYOD, and will provide best practices for BYOD implementations. Register: To register for the webinar “BYOD and BYOSecurity” on July 8, on your desktop click this link: Register for the webinar. Click the link “Embracing BYOSecurity in BYOD…” and follow the prompts to register. Note, this…

    DFI News All

  • Device Stops Hackers from Crashing Cars

    eaustin
    23 Jul 2014 | 8:20 am
    Last year two Darpa-funded security researchers, Charlie Miller and Chris Valasek, spent months cracking into a Ford Escape and a Toyota Prius, terrifying each other with tricks like slamming on the brakes or hijacking the vehicles’ steering with only digital commands sent from a laptop plugged into a standard data port under the dash.
  • Digital Forensics in the Mobile, BYOD, Cloud Era

    eaustin
    23 Jul 2014 | 7:59 am
  • British Experts to Analyze MH17 Black Boxes

    eaustin
    23 Jul 2014 | 7:42 am
  • Hacker Worms His Way into WSJ Computer Systems

    eaustin
    23 Jul 2014 | 7:07 am
    The Wall Street Journal was forced to take systems offline following a security breach, as yet another online publication suffers cyber attack. According to the paper's publisher Dow Jones & Co, computer systems hosting the WSJ's news graphics were infiltrated by outside parties, and the security breach resulted in systems being taken offline to isolate the cyber attack.
  • Nigeria's 419 Abandoning Phishing for the Malware Hunt

    eaustin
    23 Jul 2014 | 7:01 am