The big story this week (along with plenty of hyperbole) is Flame/Flamer/sKyWIper malware which has been evading detection for years and targeting systems in the Middle East. We also got some detailed and useful information from Apple in the form of an iOS Security Guide and Scripting Guy offers up several useful techniqes for using PowerShell in forensics.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Flame:
- CrySys Lab analysis of sKyWIper (PDF) (And they used Volatility)
- SourceFire video overview of Flame and how it spreads.
- Iran National CERT (MAHER) technical survey of "Flamer"
- Flame uses "Stuxnet-like cyberespionage"
- Flame is part of a "Massive cyber-attack"
- Flame is "Massive Spy Malware"
- Flame is "boring BLOATWARE"
- Flame is FUD (opinion)
- Flame sample for analysis
Tools:
- NirSoft released a new version of SysExporter that can read Windows 7 Explorer data and a new tool called OutlookAddressBookView that (unsurprisingly) displays the details of all recipients stored in the address books of Microsoft Outlook.
- A very nice forensic report-writing cheatsheet and diagram.
- An update to the Safari Forensics Tools.
Good Reads:
- PowerShell to do evil: PowerSploit - A PowerShell Post-Exploitation Framework
- PowerShell to find evil:
- Apple releases an iOS Security Guide (PDF)
- Detailed technical walkthrough of using RegRipper with IE, including some useful info for debugging plugins.
- Video from AIDE 2012 on Anti-Forensics.
- Some of the Briefings for BlackHat 2012 are posted and several of them are related to malware analysis and forensics.
- A rather comprehensive inventory of the CERTs in Europe.
- 4096 byte sector drives, NTFS and forensic tools
News:
- Breach of Oracle PeopleSoft systems at University of Nebraska Lincoln could have exposed 640,000 records and authorities now suspect a student.
- Airliners have back doors and some of the chips in airliners do as well
- The Honeynet Project has extended their deadline (to July 1st) for Forensics Challenge 11: "Dive into Exploit"
Levity:
Coming Events:
- Techno Security 2012 Myrtle Beach, SC - June 03 - 06, 2012
- Mobile Forensics Conference - Myrtle Beach, SC - June 03 - 06, 2012
- 27th IFIP International Information Security and Privacy Conference - Heraklion, Crete, Greece - June 04 - 06, 2012
- Audio Engineering Society Audio Forensics - Denver, CO - June 14 - 16, 2012
- 24th Annual FIRST Conference - Malta - June 17 - 22, 2012
- Sans Forensics and Incident Response Summit - Austin, TX - June 20 - 27, 2012
- SANS Canberra 2012 - Canberra, Australia - July 2 - 10, 2012
- SANSFIRE 2012 - Washington, DC - July 6 - 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) - Washington, DC - July 11 - 13, 2012
- BLackhat USA - Las Vegas, NV - July 21 - 26, 2012
- DEF CON 20 - Las Vegas, NV - July 26 - 29, 2012
- Sans San Francisco 2012 - San Francisco, CA - July 30 - Aug 06, 2012
- DFRWS 2012 Conference - Washington, DC - Aug 05 - 08, 2012
- SANS Boston 2012 - Boston, MA - Aug 06 - 11, 2012
- USENIX Security '12 - Bellevue, WA - Aug 06 - 10, 2012
- 7th USENIX Workshop on Hot Topics in Security (HOTSEC '12) - Bellevue, WA - Aug 07, 2012
- 2012 Malware Technical Exchange Meeting (Security Clearance Required) - El Segundo, CA - Aug 14 - 16, 2012
- 7th ARES conference (ARES 2012) - Prague, Czech Republic - Aug 20 - 24, 2012
- First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012) - University of Economics, Prague, Czech Republic - Aug 20 - 24, 2012
- SANS Virginia Beach - Virginia Beach, VA - Aug 20 - 31, 2012
- SANS Crystal City - Arlington, VA - Sep 06 - 11, 2012
- European Symposium on Research in Computer Security - Pisa, Italy - Sep 10 - 12, 2012
- 15th International Symposium on Research in Attacks, Intrusions and Defenses - Vrije Universiteit, Amsterdam, The Netherlands - Sep 12 - 14, 2012
- HTCIA International Conference & Training Expo - Hershey, PA - Sep 16 - 19, 2012
- SANS Network Security 2012 - Las Vegas, NV - Sep 16 - 24, 2012
- VirusBulletin 2012 - Dallas, TX - Sep 26 - 28, 2012
- GrrCon - Grand Rapids, MI - Sep 27 - 28, 2012
- 2012 Open Source Digital Forensics Conference - Chantilly, VA - Oct 3, 2012
Call For Papers:
- Grrcon - Due June 01, 2012
- Applied Computer Security Applications Conference - Due Jun 01, 2012
- 4th International Conference on Digital Forensics & Cyber Crime - Due Jun 01, 2012
- 2012 International Workshop on Computational Forensics Due Jun 08, 2012
- Third ICST International Conference on Digital Forensics and Cyber Crime - Due Jun 12, 2012
- The Evidence Conference - Due Jun 15, 2011
- IEEE International Workshop on Information Security and Forensics - Due Jun 24, 2012
- International Computer Science and Engineering Conference - Due Jun 30, 2012
- DoD Cybercrime Conference 2013 - Due July 6, 2012
- 7th International Conference on Legal, Security and Privacy Issues in IT Law - Due Aug 25 , 2012
- 2012 secau Security Congress - Due Sep 30, 2012
About the author:
Digital Forensics Case Leads for 2012-06-01 was compiled by Rob Dewhirst GCFA, GCIH, CISSP. Rob is a security analyst and CSIRT lead for a Tier I University in the midwest and a private DFIR consultant.