A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, the risk increases significantly. There is also a patchwork of legislation covering the various types of data considered sensitive (http://www.reyrey.com/regulations/). In general, Social Security numbers and credit card numbers are at the top of the concern list. Since many state breach-notification laws have encryption exemptions, a forensicator needs to know: does any storage medium in the case hold sensitive data in the clear?
Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to exfiltration, commonly compressing it into a password-protected .rar archive. With a strong password (a 32+ character passphrase), a .rar archive is difficult to almost impossible to open by brute force with normal computing power.
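Whether a staged archive is actually encrypted can be read from its headers without the password, and that distinction matters for the exemptions above: a RAR 4.x archive can encrypt only the file data (file names stay visible) or the headers too (nothing is readable). The following triage helper is an added example, not code from the original post or from any SANS course: it walks RAR 4.x block headers to report what is encrypted, and scans cleartext for SSN and Luhn-valid card-number candidates. The sample archive it builds is constructed for the demonstration (zero CRCs, dummy payload) and is not a real RAR; block layouts and flag values are those of the published RAR 4.x format, and CRCs are deliberately not verified.

```python
"""Added triage example: is the sensitive data in the clear?"""
import re
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x marker (different layout; only reported here)
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # archive header: every following block header is encrypted
LHD_PASSWORD = 0x0004   # file header: this file's data is encrypted
LHD_LARGE = 0x0100      # file header: 64-bit pack/unpack sizes follow
LONG_BLOCK = 0x8000     # any header: 4-byte ADD_SIZE follows the 7-byte base header


def rar4_encryption_status(data):
    """Walk RAR 4.x headers; return is_rar, rar5, headers_encrypted, files=[(name, encrypted)]."""
    result = {"is_rar": False, "rar5": False, "headers_encrypted": False, "files": []}
    if data.startswith(RAR5_MAGIC):
        result.update(is_rar=True, rar5=True)
        return result
    if not data.startswith(RAR4_MAGIC):
        return result
    result["is_rar"] = True
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        add_size = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]   # data that follows the header
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            result["headers_encrypted"] = True    # not even file names are readable past this point
            break
        if htype == HEAD_FILE:
            if pos + 32 > len(data):
                break
            # after the base header: PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1) FILE_CRC(4) FTIME(4)
            #   UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4) [HIGH_PACK(4) HIGH_UNP(4)] FILE_NAME
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32
            if flags & LHD_LARGE:
                add_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
                name_off += 8
            name = data[name_off:name_off + name_size].split(b"\x00")[0].decode("latin-1")
            result["files"].append((name, bool(flags & LHD_PASSWORD)))
        if htype == HEAD_END or hsize == 0:
            break
        pos += hsize + add_size
    return result


# SSN: area not 000/666/9xx, group not 00, serial not 0000. Cards: 13-19 digits, space/dash separated.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn mod-10 check; weeds out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pii(text):
    """Return {'ssn': [...], 'cards': [...]} candidates found in cleartext."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "cards": cards}


def build_sample_rar(file_encrypted, headers_encrypted=False, name=b"cust.csv", payload=b"x" * 16):
    """CONSTRUCTED sample for the demo: valid block layout, but zero CRCs and dummy data."""
    def block(htype, flags, body):
        return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body
    out = RAR4_MAGIC + block(HEAD_MAIN, MHD_PASSWORD if headers_encrypted else 0, b"\x00" * 6)
    if headers_encrypted:
        return out + b"\x00" * 8 + b"\xaa" * 32          # salt, then opaque encrypted headers
    fflags = LONG_BLOCK | (LHD_PASSWORD if file_encrypted else 0)
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30,
                       len(name), 0x20) + name
    return out + block(HEAD_FILE, fflags, body) + payload + block(HEAD_END, 0x4000, b"")
```

Run it over a staging directory and three outcomes matter to the exemption question: an archive with encrypted headers (no file names, nothing in the clear), an archive whose files are encrypted but whose names are not (names alone may already tell you what was taken), and cleartext files with PII hits. Cross-check archive findings with `unrar l`, which marks encrypted entries with a leading asterisk, and remember that only a header walk is done here, so the check says what is encrypted, not how strong the password is.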
Using a cross
Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions.
SANS is offering a 10% discount on the FOR526 course at the following events (discount code: WINDEX):
Security West 2013 - San Diego, CA - May 9-13 - http://www.sans.org/info/128955
It begins on Day 0: a three- or four-letter government agency contacts your organization about some data that was found at another location. "Don't ask us how we know, but you should probably check several of your systems." You have been compromised by the APT.
Most organizations are left speechless, as 90% of all intrusions are now discovered through third-party notification. And in many cases, the APT has been on the network for years.
Learn how to hunt for the APT in this completely brand new training course from SANS - FOR508: Advanced Incident Response and Forensics Course.
The NEW FOR508 APT-based course debuted at SANS Security West
In this week's Case Leads there is a batch of new tools that may come in handy while handling incidents: PDF analysis, malware analysis, honeypots and Mac forensics. There is also the next part of a multi-part series on protecting our credentials while handling incidents. When odd registry keys turn up in log2timeline results, you may have found an attack vector that manipulates the execution chain. There is more on Prefetch analysis. To challenge forensicators, the Honeynet Project has published a challenge for fun and profit. There is more on that odd Duqu source code (guess what it is?). When a digital lock refuses to open for the Feds, guess what they do? Stego techniques come to light again, this time using foreign languages. And finally, raids are not only in games: this one happened in real life, at The Pirate Bay.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to email@example.com.
With LinkedIn taking the number two spot in social networking and Google+ trying to get up to speed, it will be an interesting time for social networks. There are some good reads by Little Mac, Harlan Carvey and Chris Pogue. See what Dilbert and BOFH are up to, and check out the upcoming conferences and training and the calls for papers for numerous conferences.