SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials

This week's edition of Case Leads features a couple of tools for Windows including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from "the Cloud." We've also included a TED talk on the history of malware and we have an article on the role of technology in the recent Casey Anthony trial. Apple released Lion along with a change to the license which now allows the new OS to be virtualized.

As always, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • Matthieu Suiche has made DumpIt available as a free download. Matthieu describes DumpIt as a fusion of win32dd and win64dd in one executable that does not require the user to respond to any prompts. Running the executable on either a 32- or 64-bit version of Windows generates a copy of the system's physical memory in the same directory from which the tool is run. The small size of the application combined with its ease of use makes it ideal to run from a modern USB key.
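Once a tool like DumpIt has written a physical-memory image next to the executable on the USB key, the next step a responder wants is to fix the image's hash and acquisition details before it leaves the scene. The script below is an added example, not code from the Case Leads post or from DumpIt: it streams the image through SHA-256 (images are often several gigabytes, so it never reads the file whole), writes a small JSON custody record beside it, and can later re-verify that the image is unchanged. The image file name, examiner name and the constructed sample in the self-check are assumptions for illustration.

```python
"""Added example (not part of the Case Leads post or of DumpIt): hash and record a
captured memory image, then verify it later against the stored record."""
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in 1 MiB chunks; memory images are too large to read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(image_path, examiner, note=""):
    """Build a chain-of-custody record for a captured memory image."""
    st = os.stat(image_path)
    return {
        "image": os.path.basename(image_path),
        "size_bytes": st.st_size,
        "sha256": sha256_file(image_path),
        "host": platform.node(),            # the machine running this script
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
    }


def write_record(image_path, examiner, note=""):
    """Write <image>.json beside the image and return the record path."""
    record = acquisition_record(image_path, examiner, note)
    record_path = image_path + ".json"
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    return record_path


def verify_image(image_path):
    """Re-hash the image and compare size and SHA-256 with the stored record."""
    with open(image_path + ".json") as f:
        record = json.load(f)
    return (os.path.getsize(image_path) == record["size_bytes"]
            and sha256_file(image_path) == record["sha256"])


def self_check():
    """Exercise the workflow on a constructed stand-in for a memory image.

    Returns (clean_verifies, tampered_verifies, empty_file_sha256).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a few MiB of patterned bytes, not a real capture.
        image = os.path.join(tmp, "EXAMPLE-HOST-20110721.raw")  # assumed name
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 4096 * 3)
        write_record(image, examiner="Examiner Name (placeholder)", note="constructed sample")
        clean = verify_image(image)

        # Flip one byte in the middle of the image; verification must now fail.
        with open(image, "r+b") as f:
            f.seek(100_000)
            b = f.read(1)
            f.seek(100_000)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = verify_image(image)

        empty = os.path.join(tmp, "empty.raw")
        open(empty, "wb").close()
        return clean, tampered, sha256_file(empty)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python verify_capture.py <image> <examiner>
        print(write_record(sys.argv[1], sys.argv[2]))
    else:
        print(self_check())
```

Run it once immediately after acquisition to create the record, and again with `verify_image` whenever the image is copied to analysis storage; a size or hash mismatch means the copy, not the analysis, is where to start looking.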
  • Now and then, someone will post or ask for a tool that will copy the contents of a social networking site. Cloud Export is a Windows application that is capable of downloading (your) content from Google, Twitter, and Identi.ca. The application is still in beta, so it may not fully support all the features available on those sites.
  • Harlan Carvey has a brief write-up on the recently updated version of Carbon Black from Kyrus Tech. Carbon Black is a kernel driver that monitors applications running on Windows systems and provides information on processes and file writes. An upcoming enhancement will provide information on active network ports, source and destination IP addresses, and writes to the registry.

Good Reads:

  • Mikko Hypponen recently gave a TED talk about fighting viruses and defending the net. TED talks are often excellent and this one is no exception. This presentation is especially interesting as it creatively provides a history of the last 25 years of PC-based malware and includes a visit with the authors of the Brain virus from the 1980s.
  • Michael Roach addresses a few issues concerning how technology impacted the Casey Anthony trial and speculates that future high-profile trials may include social media strategy sessions. The article includes links to other articles about the impact of browser history file analysis and the (mis)interpretation of forensic tool results.

News:

  • Apple's OS X Lion has been un-caged and includes a feature that will likely be of interest to software developers and incident responders alike: support for virtualization. Apple will now allow Lion to be virtualized on Mac hardware running Lion, and VMware's Fusion product is ready to support the new capability with "no known important issues."
  • The FBI started the week off with nationwide raids against suspected members of Anonymous. The raids resulted in the arrest of approximately a dozen individuals. Earlier in the month raids in various parts of Europe led to the arrests of a similar number of people who

Levity:

  • DJs know the iPad can be useful. Check out scratching with Iggy de Catt.

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 20110721 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and when the incidents permit, he is involved in aspects of information security ranging from Data Loss Prevention to Risk Analysis.