Digital Forensics


    SANS Digital Forensics and Incident Response Blog

  • "DFIRCON EAST Smartphone Forensics Challenge"

    hmahalik
    17 Jul 2014 | 12:58 am
    DFIRCON EAST Smartphone Forensics Challenge: https://www.surveymonkey.com/s/Smartphone-Challenge The smartphone dataset contains malware and an iOS backup file. The goal is to highlight application data often missed by forensic tools. Your job? Find it. The object of our challenge is simple: Download the smartphone dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on September 30th, 2014…
  • "Hibernation Slack: Unallocated Data from the Deep Past"

    johnmccash
    30 Jun 2014 | 9:36 pm
    Hi Folks, I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, but it's always worth a look. My initial examination showed that even unallocated space had been largely overwritten during the six month post reinstall period. Even the fragments I was able to recover from file slack were largely useless. Then I got some very…
  • "Getting the most out of Smartphone Forensic Exams - SANS Advanced Smartphone Forensics Poster Release"

    cindymurphy2412
    24 Jun 2014 | 2:13 am
    Getting the most out of Smartphone Forensic Exams — SANS Advanced Smartphone Forensics Poster Release
    There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner's brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information that can help to jumpstart their forensics exams and/or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster…
  • "SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros"

    Lenny Zeltser
    5 Jun 2014 | 4:16 am
    SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.
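The excerpt describes the artifact but not how to get at it. The following is an added example, not Lenny Zeltser's code or SANS material: it decompresses a VBA module stream (the MS-OVBA compressed container in which Office stores macro source), pulls printable ASCII and UTF-16LE strings out of the bytes of the `__SRP_n` streams, and reports the strings that no longer occur in the current source. It assumes the streams have already been extracted from the OLE container (for instance with olefile). The macro source, both URLs (RFC 5737 documentation ranges) and the `__SRP_0` bytes are constructed sample data, and the SRP stream is treated as opaque bytes rather than parsed.

```python
import re
import struct


def decompress_vba(data):
    """Decompress an MS-OVBA CompressedContainer, the encoding of VBA module streams.

    Layout: one 0x01 signature byte, then chunks of <2-byte header><data>.  The header
    packs a 12-bit (size - 3), a 3-bit signature 0b011 and a 1-bit compressed flag.
    Compressed data is eight tokens per flag byte: literal bytes, or 16-bit copy
    tokens whose offset/length split depends on how much of the chunk is decoded.
    """
    if not data or data[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        chunk_start = pos
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % chunk_start)
        chunk_end = min(chunk_start + (header & 0x0FFF) + 3, len(data))
        dec_start = len(out)
        if not header & 0x8000:                        # raw chunk: exactly 4096 bytes
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:             # literal token
                    out.append(data[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token at offset %d" % pos)
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                bit_count = 4                           # offset bits grow with decoded size
                while (1 << bit_count) < len(out) - dec_start:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < 0:
                    raise ValueError("copy token reaches before the buffer at offset %d" % pos)
                for i in range(length):                 # overlapping copy, byte by byte
                    out.append(out[src + i])
        pos = chunk_end
    return bytes(out)


def printable_strings(blob, min_len=6):
    """ASCII and UTF-16LE runs, the way a `strings -a -el` pass would surface them."""
    found = {m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)}
    found |= {m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)}
    return found


def srp_leftovers(module_stream, srp_streams, min_len=6):
    """Strings found in the __SRP_n caches that no longer occur in the current module source."""
    current = decompress_vba(module_stream).decode("latin-1")
    leftovers = set()
    for blob in srp_streams:
        leftovers |= {s for s in printable_strings(blob, min_len) if s not in current}
    return sorted(leftovers)


def raw_container(source):
    """Wrap source in a single uncompressed MS-OVBA chunk (used only to build sample input)."""
    if len(source) > 4096:
        raise ValueError("one raw chunk holds at most 4096 bytes")
    return b"\x01" + struct.pack("<H", 0x3000 | 4095) + source.ljust(4096, b"\x00")


# Constructed sample: the current macro points at one host, the SRP cache still
# carries the previous campaign's URL.  Both addresses are documentation ranges.
CURRENT_SOURCE = (b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n'
                  b'    Dim url As String\r\n    url = "http://203.0.113.7/current.bin"\r\n'
                  b'    Fetch url\r\nEnd Sub\r\n')
MODULE_STREAM = raw_container(CURRENT_SOURCE)
SRP_0 = (b"\xff\xff\x01\x00\x00\x00\x02\x10" + b"http://198.51.100.23/old.bin" + b"\x00\x00\x7f\x03"
         + b"AutoOpen" + b"\x00\x00" + "Sub AutoOpen".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    print(decompress_vba(MODULE_STREAM).rstrip(b"\x00").decode())
    print("only in SRP cache:", srp_leftovers(MODULE_STREAM, [SRP_0]))
```

`decompress_vba(b"\x01\x06\xb0\x10ABCD\x01\x30")` returns `b"ABCDABCD"`: four literals followed by a copy token with offset 4 and length 4, which is the path real module streams exercise constantly. Strings that survive only in the SRP cache are leads, not proof: the cache is a compiler artifact and may hold fragments from more than one earlier edit, so pull the older URL or host into the timeline and corroborate it elsewhere.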
  • "Managing and Exploring Malware Samples with Viper"

    Lenny Zeltser
    4 Jun 2014 | 12:23 am
    Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool.
 

    Windows Incident Response

  • File system ops, testing phase 2

    Harlan Carvey
    24 Jul 2014 | 1:11 pm
    As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT and the USN change journal. My thoughts were that if an intruder were accessing a system via RDP, they might not do the drag-and-drop method to move files, or if they were accessing the system via a RAT and they only had command line access, they might use native, command line tools to conduct file operations.
    Testing Protocol
    All of the same conditions exist from the previous tests,…
  • File system ops, effects on MFT records

    Harlan Carvey
    22 Jul 2014 | 2:48 pm
    I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.  I wanted to take a look at the effects of different actions to see what they "look like" within the individual records, as well as within the USN change journal, in hopes that things would pop out that could be used during forensic exams.  Once I completed my testing, I decided to share what I'd done and what I'd found, in hopes that others…
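Both excerpts describe reading the MFT and USN change journal records that a file operation leaves behind, but neither includes a parser. The block below is an added example, not code from Harlan Carvey's posts: a parser for USN_RECORD_V2 entries as found in a `$UsnJrnl:$J` extract, plus a constructed record sequence that stands in for a command-line copy, rename and delete of the kind he tested. The record layout and USN_REASON_* values are the documented winioctl.h ones; the file names, MFT entry numbers, USNs and timestamps are made up for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from winioctl.h.  Reasons accumulate in successive records for
# the same file until the handle is closed, so the CLOSE record carries the sum of
# what happened to the file during that handle's lifetime.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE", 0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
USN_V2 = struct.Struct("<IHHQQqQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_file_reference(ref):
    """Split an NTFS file reference into (MFT entry number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reasons(mask):
    """Expand a Reason bitmask into flag names, keeping any bit this table does not know."""
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS)
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def parse_usn_journal(buf):
    """Parse consecutive USN_RECORD_V2 entries; zero-filled gaps ($J is sparse) are skipped."""
    records, off = [], 0
    while off + USN_V2.size <= len(buf):
        if buf[off:off + 8] == b"\x00" * 8:
            off += 8
            continue
        (rec_len, major, minor, file_ref, parent_ref, usn, ts, reason,
         _source, _sec_id, attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
        if rec_len < USN_V2.size or off + rec_len > len(buf):
            raise ValueError("bad RecordLength %d at offset %d" % (rec_len, off))
        if (major, minor) != (2, 0):
            raise ValueError("unsupported USN record version %d.%d at offset %d" % (major, minor, off))
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent_entry, _ = split_file_reference(parent_ref)
        records.append({"usn": usn, "time": filetime_to_datetime(ts), "name": name,
                        "mft_entry": entry, "mft_seq": seq, "parent_entry": parent_entry,
                        "attributes": attrs, "reasons": decode_reasons(reason)})
        off += rec_len
    return records


def build_usn_record(usn, ft, file_ref, parent_ref, reason, name, attrs=0x20):
    """Encode one USN_RECORD_V2; used here only to construct sample journal data."""
    enc = name.encode("utf-16-le")
    rec_len = (USN_V2.size + len(enc) + 7) & ~7             # records are 8-byte aligned
    hdr = USN_V2.pack(rec_len, 2, 0, file_ref, parent_ref, usn, ft, reason, 0, 0, attrs, len(enc), USN_V2.size)
    return hdr + enc + b"\x00" * (rec_len - USN_V2.size - len(enc))


# Constructed sample: a file copied in from the command line, renamed a minute later,
# deleted an hour after that.  MFT entry 39127 / sequence 3 under parent entry 1421;
# FT_BASE is 2014-07-16 16:00:00 UTC.  None of this comes from a real volume.
FT_BASE = 130500000000000000
FILE_REF = (3 << 48) | 39127
PARENT_REF = (5 << 48) | 1421
SAMPLE_EVENTS = [
    (FT_BASE, 0x100, "data.tmp"),                                   # FILE_CREATE
    (FT_BASE + 40_000_000, 0x102, "data.tmp"),                      # FILE_CREATE|DATA_EXTEND
    (FT_BASE + 40_000_000, 0x80000102, "data.tmp"),                 # ...|CLOSE
    (FT_BASE + 600_000_000, 0x1000, "data.tmp"),                    # RENAME_OLD_NAME
    (FT_BASE + 600_000_000, 0x2000, "report.xlsx"),                 # RENAME_NEW_NAME
    (FT_BASE + 600_000_000, 0x80002000, "report.xlsx"),             # RENAME_NEW_NAME|CLOSE
    (FT_BASE + 36_000_000_000, 0x80000200, "report.xlsx"),          # FILE_DELETE|CLOSE
]


def sample_journal(first_usn=8001024):
    """Sample $J extract: a 64-byte zero run, then the records above at consistent USNs."""
    buf = bytearray(b"\x00" * 64)
    for ft, reason, name in SAMPLE_EVENTS:
        buf += build_usn_record(first_usn + len(buf), ft, FILE_REF, PARENT_REF, reason, name)
    return bytes(buf)


if __name__ == "__main__":
    for r in parse_usn_journal(sample_journal()):
        print(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["usn"], r["mft_entry"], r["mft_seq"],
              r["name"], "|".join(r["reasons"]))
```

Run against a real extract, the useful pivots are the MFT entry and sequence number (so the record can be tied to the right `$MFT` entry even after the number is reused), the RENAME_OLD_NAME/RENAME_NEW_NAME pair (which preserves the original file name after a rename), and the CLOSE record, whose accumulated reasons summarise what one handle did to the file.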
  • Random Stuff

    Harlan Carvey
    10 Jul 2014 | 5:28 am
    Host-Based Digital Analysis
    There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination. There are a lot of researchers with specific skill sets in network traffic analysis, malware reverse engineering, etc. One of the benefits I find in host-based analysis is that the disk is one of the least volatile of the data sources. Ever been asked to answer the "what data left our organization" definitively? Most often, the answer to that question is, if you didn't conduct full packet capture when…
  • RegRipper

    Harlan Carvey
    30 Jun 2014 | 4:36 pm
    Just a reminder to everyone out there that the OFFICIAL download link for the most current version of RegRipper is available from the link found here, or here (i.e., at the "RegRipper download" link). Some folks have reached out to me recently and said, "I have the most recent download...", and that's apparently not been the case. I left the Google Code page for RegRipper populated in part because there is some information that I put in the Wiki pages that I still want to be able to access. Just a note...if you think that the download link is broken, be sure to check to see if…
  • Book Writing: To Self-Publish, or Not

    Harlan Carvey
    22 May 2014 | 4:10 am
    The CEIC Conference is going on as I write this, and Suzanne Widup's author panel went on yesterday. I'm not at the conference, so like many others, I live vicariously through what gets Tweeted about the conference, as well as about specific portions of the conference, such as the panel. I saw a question posted to Twitter, in which the tweeter asked, "for the panel, why not self-publish like RTFM?" My initial thought was, you need to consider the members of the panel and the books they've written or co-authored; those titles really don't lend themselves too well to a format…

    Checkmate

  • Authorization Vulnerability in Yahoo! Pipes

    Vinesh Redkar
    2 Jul 2014 | 10:51 pm
    Recently, I found an interesting qualifying issue on Yahoo! Pipes. But before going into the details of this specific issue, let’s understand some basic points. What does Authorization mean? In general, authorization relates to the set of activities which a user can perform once logged on to a particular system. This is typically divided into…
  • LinkedIn Cross-Site-Scripting (XSS) & Content Spoofing Vulnerability

    Sunil Yadav
    30 Jun 2014 | 8:47 pm
    A couple of days back, I reported XSS and Content Spoofing on LinkedIn. Here are the details of the issues. Cross Site Scripting: What is Cross Site Scripting? XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session…
  • IT Act 2000 – Penalties, Offences With Case Studies

    checkmate
    24 Jun 2014 | 2:57 am
    Objectives of IT legislation in India: The Government of India enacted its Information Technology Act 2000 with the objectives stating officially as: “to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to…
  • Owning The Enterprise With HTTP PUT

    Omair
    30 Apr 2014 | 3:35 am
    During a routine penetration testing engagement, we found an IIS webserver with HTTP methods (verbs) like PUT and DELETE enabled on it. During enumeration of the web server we figured it was configured to run PHP as well. The PUT method allows an attacker to place a file on the server. Uploading a web shell…
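The write-up is cut off before the testing details. The block below is an added example, not Checkmate's code: a probe for the condition described (a web server that honours PUT) which reads the verbs advertised by OPTIONS, uploads a harmless marker file under a unique name, reads it back, and deletes it again, together with a constructed stand-in server that accepts PUT and DELETE so the probe can be run end to end offline. The stand-in server, the marker path and the verb list are assumptions for the demo; nothing in it is specific to IIS or PHP.

```python
import http.client
import os
import sys
import tempfile
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Verbs that let a client change server-side content when the handler honours them.
DANGEROUS_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


class WritableDocRoot(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: PUT and DELETE act on the
    document root.  It exists only as a target for probe_put() below."""
    docroot = tempfile.mkdtemp(prefix="putprobe-")

    def log_message(self, *args):               # keep the demo quiet
        pass

    def _target(self):
        return os.path.join(self.docroot, os.path.basename(self.path))

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        with open(self._target(), "wb") as fh:
            fh.write(body)
        self._reply(201)

    def do_GET(self):
        if not os.path.isfile(self._target()):
            return self._reply(404)
        with open(self._target(), "rb") as fh:
            self._reply(200, fh.read())

    def do_DELETE(self):
        if os.path.isfile(self._target()):
            os.remove(self._target())
        self._reply(204)


def probe_put(host, port, path=None, timeout=5):
    """OPTIONS for advertised verbs, PUT a unique inert marker, GET it back, DELETE it.

    Only a byte-for-byte read-back counts as writable: some front ends answer 201
    and silently drop the body.  IIS lists verbs in both Allow and Public.
    """
    marker = ("putprobe %s" % uuid.uuid4()).encode()
    path = path or "/putprobe-%s.txt" % uuid.uuid4().hex[:8]
    result = {"path": path, "advertised": set(), "put_status": None, "writable": False, "cleaned_up": False}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or resp.getheader("Public") or ""
        result["advertised"] = {v.strip().upper() for v in allow.split(",") if v.strip()}
        conn.request("PUT", path, body=marker, headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        result["put_status"] = resp.status
        if resp.status in (200, 201, 204):
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read()
            result["writable"] = resp.status == 200 and body == marker
        if result["writable"]:                      # leave nothing behind on the target
            conn.request("DELETE", path)
            resp = conn.getresponse()
            resp.read()
            result["cleaned_up"] = resp.status in (200, 202, 204)
    finally:
        conn.close()
    result["dangerous_verbs"] = sorted(result["advertised"] & DANGEROUS_VERBS)
    return result


def start_vulnerable_server():
    """Serve WritableDocRoot on an ephemeral loopback port; returns the server object."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), WritableDocRoot)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # python putprobe.py HOST PORT
        print(probe_put(sys.argv[1], int(sys.argv[2])))
    else:                                           # no target given: probe the built-in bad server
        srv = start_vulnerable_server()
        print(probe_put(*srv.server_address))
        srv.shutdown()
```

An advertised verb is only a lead: the Allow header comes from the server's configuration, while the PUT itself may be rejected by the handler mapping, by authentication, or by a front end, so the read-back is the test to report. Keep the marker inert and make sure `cleaned_up` is true before moving on; an engagement should not leave probe files, let alone web shells, on the target.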
  • Analysis of Malware: Detecting Behavior & Anti-Reversing Techniques

    Sanoop Thomas
    17 Apr 2014 | 2:42 am
    Scenario: One of our clients observed a suspicious behavior in a program and wanted us to analyze and identify if any malicious activities were being performed by the same. The program wasn’t detected by their anti-virus solution during ‘file access operations’. However, some unusual outbound network traffic triggered alerts from the network monitoring team. Filename…
 

    Forensic Focus

  • Cloud Computing Stymies Digital Forensics Investigations

    28 Jul 2014 | 3:28 am
    In recent years, cloud computing has made the leap from an emerging technology to government mainstay, allowing agencies an IT avenue to share services, save money and increase efficiency. However, cloud computing still presents some major technical challenges in government, as illustrated by a recent draft report issued by the National Institute of Standards and Technology. Prepared by the NIST Cloud Computing Forensic Science Working Group, the report summarizes a staggering 65 challenges cloud computing presents to forensics investigators who sift through bits and bytes of digital evidence…
  • Interview with Oleg Fedorov, CEO and Founder, Oxygen Software

    24 Jul 2014 | 3:48 am
    Oleg, please tell us about your role at Oxygen Software and why you decided to set up the company in 2000. I started out as a developer, but in 1999 I decided that I needed a new challenge since I wanted to grow as a professional. I was advised to look into the market of Shareware and so I quit all my jobs and started Oxygen Software. Soon after, my friend Oleg Davydov joined me and we began to try different software markets. That was the time of the “Matrix” cult movie. Do you remember the phones used by the actors? They were custom ones, but very similar to the Nokia 7110. It was a…
  • Forensic Focus Forum Round-Up

    18 Jul 2014 | 8:10 am
    Welcome to this round-up of recent posts to the Forensic Focus forums. Forum members discuss the best way to retrieve Facebook profile data. What does it mean when a mail header shows two X-Originating IP addresses? Forensic imaging of a USB with a corrupt file system. Forum members discuss how to find an XLS file on a computer that has been reformatted. Unexpected SQLite field data in WhatsApp databases provokes discussion on the forum. Forum members discuss how to process several thousand images on a hard drive. Do you have any recommendations for mobile forensic tools? Add yours in the…
  • Dark net 'used by tens of thousands of paedophiles'

    16 Jul 2014 | 6:29 am
    Tens of thousands of paedophiles are using the so-called dark net to trade images of sexual abuse, an investigation by BBC News indicates. One site receives as many as 500 page views per second, its founder says. Figures from another site suggest Brits are heavily involved in producing and distributing illegal obscene images. Britain's National Crime Agency warned in its 2014 threat assessment that abusers were turning to anonymous sites and encryption technology… (BBC)
  • Finding and Analyzing Document Files with IEF

    15 Jul 2014 | 7:29 am
    Analyzing documents to prove their authenticity has been one of the cornerstones of computer forensics and is still an important part of the investigative process to this day. Whether you’re investigating documents in a fraud case, an IP theft, or from a malware/phishing intrusion, proper document analysis is essential to help uncover the truth in many investigations. New to Internet Evidence Finder v6.4 is the ability to recover and analyze documents found on a suspect’s PC. Available with the OS & Business Apps module, IEF is now able to recover Microsoft Office documents including…

    viaForensics

  • Phil Weber Hosts #viaTalks: Design Challenges in Mobile App Development on 8/5

    Linnea
    24 Jul 2014 | 3:20 pm
    Phil Weber (@PhilipWeber), Director of User Experience at viaForensics, will be hosting a viaTalk on August 5 at 1pm CDT. He will explore the three big-picture steps toward providing a fantastic user experience to consumers of mobile apps. Phase 1: The first phase is designing a successful prototype for the app. The designers mock up an app and engineer an effective flow, making sure the content is easily accessible. Phase 2: The next step is to build the app via a collaborative effort with the mobile developers. This requires a delicate balance to correct issues that arise from one side while…
  • All your notes in Evernote belongs to me

    Sebastián
    23 Jul 2014 | 3:52 pm
    Recently, while security testing the Evernote mobile app I uncovered some vulnerabilities in the Evernote applications for both Android and iOS. I disclosed these vulnerabilities to Evernote previously (see section 11, “Disclosure Timeline”), and for one of my disclosures I was added to the Evernote Hall of Fame. I detail the vulnerabilities below and include proof of concept videos. iOS As of the time of this writing, the iOS version has not been patched against the vulnerabilities discussed below. If you would like to be notified when a patched version is available, download…
  • New viaExtract 2.3 New Features: Deleted Data Recovery, ‘su’ Support, More

    KevinS
    23 Jul 2014 | 9:51 am
    viaExtract, our forensic software that offers guided data acquisitions, flexible reporting, and cutting-edge utilities for Android devices, just got even more powerful as it now includes deleted data recovery, ‘su’ support, additional data acquired during logical acquisitions, and much more. Deleted Data Recovery: Get to the data you weren’t supposed to see. viaExtract now acquires deleted data from SQLite databases by automatically parsing SMS, Calls, and downloads – providing you more data than ever before. Deleted data recovered in viaExtract…
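The deleted-data recovery described above rests on a property of SQLite rather than on anything specific to viaExtract: unless `secure_delete` is on, a deleted row's bytes stay in its page as a freeblock, and a dropped table's pages stay on the file's freelist, until something overwrites them. The block below is an added example, not viaForensics' code. It builds a small constructed messages database, deletes one row, drops a scratch table, and then carves printable strings from the unallocated space, the freeblocks and the freelist pages of the file, once with `secure_delete` off and once with it on. The table and column names, numbers and message bodies are made up for the demo.

```python
import os
import re
import sqlite3
import tempfile

BTREE_PAGE_TYPES = {0x02: "index interior", 0x05: "table interior", 0x0A: "index leaf", 0x0D: "table leaf"}


def build_messages_db(path, secure_delete):
    """Constructed stand-in for an app's SMS store: three rows with the middle one
    deleted, plus a scratch table that is dropped.  Returns the two removed strings."""
    rows = [
        (1, "+15550001111", 1405526400000, "running late, start without me"),
        (2, "+15550002222", 1405526460000, "the package is in locker 42 at the station"),
        (3, "+15550003333", 1405526520000, "ok see you at 7"),
    ]
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    conn.execute("CREATE TABLE scratch(note TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", rows)
    conn.execute("INSERT INTO scratch VALUES ('scratch note about the meeting point')")
    conn.commit()
    conn.execute("DELETE FROM sms WHERE _id = 2")
    conn.execute("DROP TABLE scratch")
    conn.commit()
    conn.close()
    return rows[1][3], "scratch note about the meeting point"


def freelist_pages(data, page_size):
    """Page numbers on the freelist: whole pages released by DROP TABLE or large deletes."""
    pages, trunk = set(), int.from_bytes(data[32:36], "big")
    while trunk and trunk not in pages and trunk * page_size <= len(data):
        pages.add(trunk)
        base = (trunk - 1) * page_size                     # trunk: next trunk, leaf count, leaf numbers
        count = int.from_bytes(data[base + 4:base + 8], "big")
        pages.update(int.from_bytes(data[base + 8 + 4 * i:base + 12 + 4 * i], "big") for i in range(count))
        trunk = int.from_bytes(data[base:base + 4], "big")
    return pages


def free_regions(page, hdr, page_size):
    """Yield (kind, bytes) for the unallocated gap and each freeblock of one b-tree page."""
    flag = page[hdr]
    if flag not in BTREE_PAGE_TYPES:                        # overflow page or unknown layout
        yield "non-btree page", page[hdr:]
        return
    first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
    ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
    content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
    pointer_end = hdr + (12 if flag in (0x02, 0x05) else 8) + 2 * ncells
    yield "unallocated", page[pointer_end:content_start]
    off, seen = first_free, set()
    while off and off not in seen and off + 4 <= page_size:   # guard against a corrupt, looping chain
        seen.add(off)
        size = int.from_bytes(page[off + 2:off + 4], "big")    # freeblock: next offset, size incl. header
        yield "freeblock", page[off + 4:off + size]
        off = int.from_bytes(page[off:off + 2], "big")


def carve_deleted_strings(db_path, min_len=8):
    """(page number, region kind, text) for printable runs that lie outside live cells."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("%s is not an SQLite 3 database" % db_path)
    page_size = int.from_bytes(data[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size
    freed = freelist_pages(data, page_size)
    hits = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size:pno * page_size]
        regions = [("freelist page", page)] if pno in freed else free_regions(page, 100 if pno == 1 else 0, page_size)
        for kind, blob in regions:
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
                hits.append((pno, kind, m.group().decode("ascii")))
    return hits


def recovered_after_delete(secure_delete, workdir=None):
    """Build the sample database and report which removed strings the carver still finds."""
    name = "mmssms-%s.db" % ("secure" if secure_delete else "default")
    path = os.path.join(workdir or tempfile.mkdtemp(), name)
    wanted = build_messages_db(path, secure_delete)
    texts = [t for _, _, t in carve_deleted_strings(path)]
    return {s: any(s in t for t in texts) for s in wanted}


if __name__ == "__main__":
    for secure in (False, True):
        for text, found in recovered_after_delete(secure).items():
            print("secure_delete=%-5s %-45r %s" % (secure, text, "RECOVERED" if found else "gone"))
```

The second run is the caveat an examiner has to put in the report: with `secure_delete=ON` (which some apps and platform builds enable) or after a `VACUUM`, the same carve recovers nothing, so an empty result does not mean nothing was deleted. The `-wal` and `-journal` files beside the database are another place deleted rows survive; this example does not read them.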
  • When a vulnerability is not really a vulnerability

    Andrew Hoog
    17 Jul 2014 | 2:30 pm
    A recently disclosed vulnerability in Google’s iOS Gmail App has seen some significant headlines. The vulnerability allows attackers to perform Man-in-the-Middle attacks to view and even modify encrypted communications. Which sounds pretty scary, until you dig a little deeper. “The problem… is that Gmail on iOS currently lacks what’s known as ‘certificate pinning… [which is a] measure that developers can build in to their apps to mitigate attacks that dupe victims into installing a malicious configuration profile.” (ZDNet, 2014) It’s like saying…
  • CEO Andrew Hoog to present at Tech in Motion: Chicago on 7/23

    Linnea
    17 Jul 2014 | 11:49 am
    viaForensics co-founder and CEO Andrew Hoog (@ahoog42) will be giving a presentation next week at the Future of Mobile Security and Scalability event held by Tech in Motion: Chicago. About the Demo Andrew will demonstrate how an attacker targets and compromises a mobile device. Then, he will show how this attacker can gain access to sensitive corporate data. After the demonstration, Andrew will join the panelists to discuss the current landscape of mobile security, including behavior monitoring and whitelisting, as well as possibilities and risks for the future, and finish up with a Q&A…
 

    DFI News All

  • The Apple Backdoor that Wasn't

    eaustin
    28 Jul 2014 | 6:04 am
    Recently, a hacker who's been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of "backdoor" struck gold when journalists didn't do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data.
  • Talk Forensics - Expert Witness Testimony

    eaustin
    28 Jul 2014 | 5:33 am
    Today we’ll discuss the challenges of testifying as an expert witness. As you work a case you must assume that you will be called to testify at trial.
  • Have Police Really Cracked Tor?

    eaustin
    25 Jul 2014 | 8:03 am
    Have the UK police successfully broken anonymity on the internet? They certainly seemed to imply as much when the National Crime Agency proudly announced recently that it had made 660 arrests after an operation to identify people viewing indecent images of children online.
  • Hackers Only Need to Get It Right Once, Security Needs to Get It Right Every Time

    eaustin
    25 Jul 2014 | 7:46 am
    Hackers only need to find one weak point to steal valuable information. On the flip side, you need to account for every possible vulnerability across your entire infrastructure. Doesn't seem fair, but it's the world we live in — we must band together, think like the bad guys and take action to protect what matters.
  • Internet Explorer is the 'Sweet Spot' for Cyber Criminals

    eaustin
    25 Jul 2014 | 7:25 am
    Microsoft's Internet Explorer (IE) has become the most patched software product, receiving more security patches in the first six months of this year than Adobe or Oracle software, a report by Bromium Labs has found.