Blog: SANS Digital Forensics and Incident Response Blog: Author - Maher Yamout

Digital Forensics Case Leads: First ICS HoneyPot, IEF EnScripts, Android Forensics, Unit 61398 - The APT1 guys, CALEA Act and more...

In this issue of Case Leads, we will see the first Industrial Control System honeypot, test some useful IEF EnScripts for EnCase, read an article on APT1 hackers resuming their attacks on US targets, ask what the CALEA Act is about, and look at Android forensics tips and tricks and a voice-descrambling DIY... Continue reading this week of Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • Fellows at the Honeynet Project have announced the first version (and the first of its kind, I think) of Conpot. Conpot is an Industrial Control System honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting ICS systems. By default the honeypot simulates a Siemens SIMATIC S7-200 with a module that is always available in a real setup to provide network connectivity. This
...

Digital Forensics Case Leads: Sleeper Malware targets diplomatic entities in Europe & Asia, banking trojan travelling through Skype, DropBox decryption, PE file analysis, and retrieving iPhone VoiceMail

In this issue of Case Leads, Magnet Forensics updates its IEF with neat new features, we analyse PE files with Python, retrieve iPhone voicemail with Perl, and see a sleeper APT targeting diplomats and banking trojans travelling through Skype... Continue reading this week of Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • Magnet Forensics (formerly JAD Software) has unveiled v5.8 of its industry-leading forensic software, INTERNET EVIDENCE FINDER (IEF), including several exciting forensic firsts: DropBox decryption, web video recovery, Google Maps tiles & geo-location visualization, support for newsgroup messages, and other new artifacts.

...

Case Leads: Real-time visualisation of attacks; Tracking emails through headers; Coke gets hacked?; Quantum physics in digital forensics!; UK cybercrime victims get IR team

In this week of Case Leads, Coke gets hacked and acts silently. A cyber attack on the Russian government releases 2.5 million records! Scottish research demonstrates how quantum physics can assist in solving e-crimes, Russia's cybercrime market is brought to light, UK cybercrime victims hire IR teams to investigate, and we ask why SSD drives destroy court evidence. Real-time visualisation of attacks using the HoneyMap! Continue reading this week of Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • The HoneyMap shows real-time visualisation of attacks against the Honeynet Project's sensors deployed around the world. It leverages the internal data sharing protocol hpfeeds as its data source. Read this post to learn about the technical details and frequently asked
...

Digital Forensics Case Leads: Giants are the biggest buyers, Freezing the cold-boot attack on disk encryption, dropping malware using the famous WhatsApp, Hacker gets caught while chatting!!! iPod, Android and SSDs, this week on Case Leads

In this week of Case Leads, Google buys VirusTotal, a new countermeasure to cold-boot attacks on RAM, new tools that assist in malware detection and analysis, Mozilla's hidden camera (check it out!), iPod timestamp secrets come to light, a hacker gets caught while chatting, oops! The almighty Volatility updates to 2.2 RC1 with over 50 new plugins affecting the majority of modules... Continue reading this week of Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • OfficeMalScanner, a toolkit that alerts you to potentially infected documents, has been updated with an interesting new tool, RTFScan, which, as the name shows, scans the RTF file format.

  • Santoku Linux is a new Linux distro that is specialised in mobile
...

Digital Forensics Case Leads: Skype acting weird, Microsoft backdooring Skype! Volatility with x64 support... Facebook censoring chats for criminal activities!? A Russian hacker challenges Apple by bypassing the App Store authentication mechanism and gets apps for free!!! All that and more, this week on Case Leads

In this week of Case Leads, we hear about a lot of Skype problems, claims that Microsoft is backdooring Skype, and Facebook censoring chats for illegal activities.
Moreover, Apple seems to have failed to fix a bug found by a Russian hacker that enables an attacker to bypass the authentication mechanism and get paid apps for free. New tools for parsing INDX artifacts from NTFS volumes; Volatility now supports x64 and has new plugins for printers and more! Find out the date range of evtx files to help triage in 'Good Reads'. Continue reading this week of Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • WISP (http://www.tzworks.net/prototype_page.php?proto_id=21) is a new tool for parsing 'INDX' artifacts from Windows NTFS volumes. The tool is ...