This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.
If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to email@example.com.
- Russian spies used a mixture of high tech, low tech and old tech http://www.wired.com/dangerroom/2010/06/alleged-spies-hid-secret-messages-on-public-websites/ The techniques ranged from drive-by (ad-hoc) Wi-Fi, steganography, and burst transmissions.
- Thomas Ryan decided to do a little experiment in social networking known as the Robin Sage affair. His approach is fairly straight forward: create a few profiles on sites like FaceBook, LinkedIn, MySpace, and Twitter, add a photograph and use name that you might expect to be memorable to a certain demographic. Let the ingredients simmer for about a month and what do you get? Apparently over 300 connections, offers of employment and dinner invitations from Congress, the Joint Chiefs and just about anyone in between.
- There is a lot of work currently being done on the Windows Forensic Environment. Also known as WinFE or Windows FE, it is a modified version of Windows PE with the goal of being a Windows based LiveCD/DVD suitable for digital forensics and incident response. Because the project is now quickly evolving, some of the documentation is considered out of date but it is still somewhat useful. This slide deck from Microsoft's Troy Larson about Windows Forensic Environment (WinFE) and this PDF from Brett Shavers provide a good overview and historical context. Brett also posted a brief check list and a couple of videos to help you create your own WinFE ISO. I followed his instructions and used his batch files to quickly create a functional WinFE ISO that included the SysInternals Suite, RegRipper, FTK Imager Lite, and a few other tools. If you decide to dive in and create the ISO without watching the videos, keep in mind you will need run the Windows AIK shell as admin before you run createwinfe.bat. The batch files for creating your own WinFE image are included in a zip file available for download from the site. Brett Shavers, Mauritz Botha, Björn Ganster, and Troy Larson have all contributed files to help create a Windows FE image. Colin Ramsden is also contributing to the effort and though his contribution is not yet available for download, a preview of his work is available.
- The Orion Live CD is a Ubuntu based incident response CD now available at SourceForge. This Live CD was originally based on BackTrack 4 and was developed by John Jarocki to meet the requirements for SANS GCIH gold certification. The paper is less than 50 pages and includes screen shots, tested platforms, and a list of added files. You may find this post useful to gain access root access to the system.
- Not a tool exactly, but a cheat sheet for several tools by Ed Skoudis. Hping, Metasploit, the Meterpreter, and FGDump are all featured.
- In keeping with the spy theme, Q would likely be satisfied with this device. Wiebe Tech has come out with what may be the smallest USB writeblocker. At approximately $200, it may be also be the least expensive USB writeblocker currently on the market.
- An assortment of free tools for digital forensics. Some you may recognize while others may be new to you.
- FOR 408: Computer Forensic Essentials 26-30 July in Scottsdale AZ.
- DefCon — The World's Largest Hacker Conference, Las Vegas July 30th — August 1, Las Vegas [Note: Ira Victor will be covering the conference on The CyberJungle radio program]
- FOR 408 Computer Forensics Essentials at SANS Boston, 2-9 August.
- FOR 508 Computer Forensic Investigations and Incident Response at SANS Portland 23-28 August.
- FOR 558 Network Forensics at SANS Virginia Beach 29 August — 2 September.
Digital Forensics Case Leads for 20100708 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy. If you have an article to suggest for case leads please email it to firstname.lastname@example.org.