SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Volatility and RegRipper, Better Together

This week in Digital Forensics Case Leads brings us an update to macrobber, a guide to combining the power of Volatility and RegRipper, some thoughts on presenting digital forensic evidence, and an easy way for you to become an Advanced Persistent Threat.

Tools:

  • Mark Morgan posted a User Manual for Volatility and RegRipper (PDF) that details combining those tools to perform registry analysis against physical memory images. Note that some of this only works under Linux.
  • Brian Carrier released macrobber v1.02 over at Sleuthkit.org. This version utilizes the new mactime body format.
  • Geoff Black released Timeline Report v1.8.1 which is an EnScript for EnCase 6.x. I haven't had an opportunity to experiment with this yet, but it looks promising. Jamie Levy posted a nice overview of the tool, complete with screen shots.
  • Internet Storm Center has released a beta version of their Find a Hash tool, which allows you to search for individual files or hashes in the NIST National Software Reference Library (NSRL) and the Team Cymru Malware Hash Registry. This powerful combination can help you identify known-good and known-bad files on an individual basis. Have a file you're not sure about? Search by filename, md5 hash or sha1 hash.

Good Reads:

News:

Levity:

Coming Events:

Digital Forensics Case Leads for 20100217 was compiled by Gregory Pendergast of Virginia Commonwealth University. Gregory currently holds the 'jack-of-all-security' title Information Security Analyst, and is responsible for security monitoring, incident response and digital forensics.