Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Plugins galore, Adobe and phpMyAdmin hacked, Sophos AV eats its own head.

This month we're nearing the end of the flood of plugins for the Volatility memory analysis framework, we got a big update to the archive of RegRipper plugins and heard two tales of security companies with major security woes, one of which was self-inflicted.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • RTFScan is now part of the OfficeMalScanner Toolkit. Pick it up at http://reconstructer.org. You can take a look at examples of its usage in an ISC Diary entry from earlier this month.

  • API Monitor provides a very convenient way for observing and controlling the API calls made by processes in your malware analysis lab.

  • Exeinfo PE identifies common packers, similarly to PEiD. In addition, it can identify some non-executable file formats (such as OLE), can carve files out of other files and can suggest unpacking tools.

  • FakeNet conveniently intercepts network traffic and simulates common services on a Windows host. (HT to @lennyzeltser for those three tool tips above).
  • The Month of Volatility Plugins is coming to a close (October 5th). Be sure and review all the plugins released so far month at the Volatility Blog. There have been plugins released to analyze clipboard data, internet history, caches and much more.
  • This week the RegRipper plugins archive was also updated to add 30 new plugins and update six more.
Good Reading and Listening:
  • Case Leads contributor Ira Victorinterviewed SANS Instructor and digital forensics lawyer Benjamin Wright about a new approach to collecting and examining digital forensics data from cloud services. You can listen to the interview starting at the 15 min mark inEpisode 274 (this week's) of
    http://www.CyberJungleRadio.com. In that same episode is a story about a new program by law enforcement to "tag" mobile devices, and how that might impact future criminal and civil cases.
  • Did the Bahraini government steal commercial malware to spy on dissidents?
  • VirusTotal has added "Webutation" (web reputation) to its reports.
News:Levity:Coming Events:Call For Papers: 

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 20120929 was compiled by Rob Dewhirst (@robdew) GCFA, GCIH, CISSP. Rob is a security analyst and CSIRT lead for a Tier I research University in the midwest and a private DFIR consultant.

Post a Comment






Captcha

* Indicates a required field.