SANS Digital Forensics and Incident Response Blog

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges. Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge. More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below. Even if you're new to the field or are not confident in your abilities, give it a try and see how far you get. Even if you don't submit a solution, your attempt to work through one or more of these challenges will make the winning submissions more meaningful when they are announced and available for reading.

If you know of Challenges I've missed, please let us know in the comments section. Also, if you have news or links to share, you can send them to us at caseleads [AT] sans [DOT] org.

• SANS Digital Forensics and Incident Response Challenge - Ann's Aurora: An Advanced Persistent Threat-based challenge. Submissions for this challenge are due by 6/27/2010 (11:59:59pm UTC-11). "In other words, if it's still 6/27/10 anywhere in the world, you can submit your entry." Winners will be announced June 8, 2010 at the SANS Forensics and Incident Response Summit in Washington D.C. There are prizes for the top 3 teams.
• DFRWS 2010 Forensics Challenge - This year's DFRWS challenge involves mobile device forensics, in the form of NAND and NOR flash memory analysis from a Sony Ericsson K800i Cybershot. Submissions are due by July 25, 2010.
• DOD Cyber Crime Center (DC3) Forensics Challenge - Solution submissions for this challenge are due by 11/2/2010. The web site is not quite as intuitive as one would like, so to view details about the challenge you'll need look at their detailed rules (PDF) by clicking Challenge > Rules > click here (PDF). There are 22 single-scenario challenges with points for each challenge assigned based on the difficulty level of the challenge.
• The Honeynet Project's Forensic Challenge 2010/4 will be posted on June 1st. No other information is available as of this writing.

Tools:

• There's a new tool in the Windows Sysinternals arsenal. RAMMap 1.0 is an "advanced physical memory usage analysis utility" for Windows Vista and higher.
• On May 23rd, Brian Carrier released The Sleuth Kit 3.1.2, which contains bug fixes detailed in the release news. Among the changes are fixes to speed up FAT directory and OrphanFiles listings, a couple of NTFS processing fixes, and some errors fixed in mmls and ifind.
• AccessData has released Command Line versions of FTK Imager for Windows, Mac OS X, and Linux (Red Hat & Debian based distributions). I haven't had an opportunity to work with these yet, so if you have any thoughts you'd like to share, please post them to the comments section.
• If you use a Tableau TD1 Forensic Duplicator, you'll want to go download Tableau Firmware Update v6.70. It adds support for .E01 disk-to-file images and support for several localized languages. See the revision history for details.

Good Reads:

• Rich Mogull has an interesting post over on the Securosis blog: FireStarter: The Only Value/Loss Metric That Matters. He discusses the difficulty (nay, impossibility?) of valuing information assets and predicting losses due to a security incident. Then, over on his TaoSecurity blog, Richard Bejtlich picks this up an runs with it, briefly discussing the difficulty of calculating the cost of an incident after it has happened. And if we can't easily or successfully calculate losses from an incident that has already occurred, we have little-to-no hope of projecting future costs of incidents.
• Over at Law Technology News, Leonard Deutchman has an thorough and interesting article on the application of the Plain View doctrine to computer searches. In his article, To Avoid 'Plain View,' Investigators Need Blinders, Mr. Deutchman provides some background on reasons that the 1st, 4th and 7th U.S. Circuit Courts of Appeal have applied the plain view doctrine to computer searches, where the 9th Circuit Court rejected it, then goes on to provide some insightful analysis of the issue.

News:

• KrebsOnSecurity: Fraud Bazaar Carders.cc Hacked - the German-based forum dedicated to helping criminals sell stolen financial data was hacked, and some of its data posted to Rapidshare.com, further exposing the data of many identity/banking theft victims.

Levity:

• Hyperbole and a Half blog by Allie Brosh. It's not technical, but it's funny. READ IT! :-)
• Check out the JeffandCeleste blog over on Blogspot. Talented comic makers with some darkness in their humor. Be sure to check out both the Beatrice and Genre Squad comic strips.

Coming Events:

• SANSFire 2010 in Baltimore, MD will host a wealth of leading SANS classes, including Forensics 408: Computer Forensics Essentials, Forensics 508: Computer Forensic Investigations and Incident Response, & Forensics 558: Network Forensics. June 6-14, 2010.
• ISACA International Conference 6-9 June 2010 Cancun, Mexico
• The Sleuth Kit and Open Source Digital Forensics Conference, June 9, 2010 in Chantilly, VA.
• SANS Forensics 408: Computer Forensics Essentials in Salt Lake City, June 14 — 18, 2010
• SANS WhatWorks in Forensics and Incident Response 2010: Washington, DC, Jul 8-15
• High Tech Crime International Annual Conference: Sept 20-23rd Atlanta GA

Digital Forensics Case Leads for 20100527 was compiled by Gregory Pendergast, incident handler and digital forensicator at Virginia Commonwealth University.