SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Skype acting weird, Microsoft backdooring Skype! Volatility with x64 support... Facebook censoring chats for criminal activities!? A Russian hacker challenges Apple by bypassing the App Store authentication mechanism and getting apps for free!!! All that and more, this week on Case Leads...

In this week's Case Leads, we hear of a lot of Skype problems, claims that Microsoft is backdooring Skype, and reports that Facebook is scanning chats for illegal activity.
Moreover, Apple seems to be failing to fix a bug found by a Russian hacker that enables an attacker to bypass the App Store's authentication mechanism and get paid apps for free. A new tool for parsing INDX artifacts from NTFS volumes. Volatility now supports x64, with new plugins for printers and more! Find out the date range of evtx files to help triage in 'Good Reads'. Continue reading this week's Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

<strong>Tools:</strong>
<ul>
<li><a href="http://www.tzworks.net/prototype_page.php?proto_id=21"> WISP </a> is a new tool for parsing 'INDX' artifacts from Windows NTFS volumes. The tool is command line based and is geared for outputting data in a parsable CSV format.</li>

<li> The almighty memory forensics tool <a href="http://code.google.com/p/volatility/downloads/list"> 'Volatility' </a> has a new version, "2.1 RC1". The new version adds plugins and now mostly supports x64, and more.</li>

<li> <a href="http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader"> Mac Memory Reader </a> is a simple command-line utility to capture the contents of physical RAM on a suspect computer, letting an investigator gather volatile state information prior to shutting the machine down. Results are stored in a Mach-O binary or raw-format file for later off-line analysis by the investigator.</li>

<li><a href="http://anubis.iseclab.org/"> Anubis </a> (mentioned in a previous Case Leads) has announced a new tool for the analysis of Android APKs (codename Andrubis)!</li>

</ul>
&nbsp;
<strong>Good Reads:</strong>
<ul>
<li><a href="http://mnin.blogspot.com/2012/06/quickpost-flame-volatility.html"> This </a> is an interesting post about finding FLAME using Volatility.</li>

<li><a href="http://yro.slashdot.org/story/12/07/13/1247257/facebook-scans-chats-and-posts-for-criminal-activity"> The social networking giant, Facebook, </a> has added sleuthing to its array of data-mining capabilities, scanning your posts and chats for criminal activity. If it catches something... I'll leave that to you ;)</li>

<li><a href="http://eprint.iacr.org/2012/374.pdf"> Infiltrate the Vault: </a> Security Analysis and Decryption of Lion Full Disk Encryption. </li>

<li><a href="http://dfstream.blogspot.com/2012/06/quickly-find-date-range-of-evtx-event.html"> From time to time </a>, it's helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log, assuming the events you're interested in are being audited. </li>

<li><a href="http://cheeky4n6monkey.blogspot.com/2012/05/perl-script-plays-matchmaker-with.html"> A Perl script </a> plays matchmaker with ExifTool and SQLite.</li>

</ul>
&nbsp;
<strong>News:</strong>
<ul>
<li><a href="http://thehackernews.com/2012/07/app-store-bypassed-by-russian-hacker.html"> Apple seems to be losing ground to the Russian hacker who bypassed the App Store without jailbreaking</a>; the video has since been removed from YouTube!</li>

<li><a href="http://www.pentestit.com/skype-source-code/"> After Microsoft acquired Skype </a> for 8.5 billion dollars and proceeded to add back doors for governments to the program, the software has been hacked and its source code released. Scary thing, beware!!!</li>

<li><a href="http://thehackernews.com/2012/07/skype-privacy-bug-that-can-send.html"> What's wrong </a>, didn't you get my Skype message? Oops, it's being sent to someone else!!!???</li>

</ul>
&nbsp;

<strong>Coming Events:</strong>
<ul>
<li><a href="https://www.defcon.org/"> DEF CON 20 </a> - Las Vegas, NV - July 26 - 29, 2012 </li>
<li><a href="http://www.sans.org/san-francisco-2012/description.php?tid=4562"> SANS San Francisco 2012 </a> - San Francisco, CA - July 30 - Aug 06, 2012 </li>
<li><a href="http://dfrws.org/index.shtml"> DFRWS 2012 Conference </a> - Washington, DC - Aug 05 - 08, 2012 </li>
<li><a href="http://www.sans.org/boston-2012/description.php?tid=5106"> SANS Boston 2012 </a> - Boston, MA - Aug 06 - 11, 2012 </li>
<li><a href="http://www.usenix.org/event/"> USENIX Security '12 </a> - Bellevue, WA - Aug 06 - 10, 2012 </li>
<li><a href="http://static.usenix.org/events/hotsec12/index.html"> 7th USENIX Workshop on Hot Topics in Security (HOTSEC '12) </a> - Bellevue, WA - Aug 07, 2012 </li>
<li><a href="http://www.cvent.com/d/fcq0jf"> 2012 Malware Technical Exchange Meeting (Security Clearance Required) </a> - El Segundo, CA - Aug 14 - 16, 2012 </li>
<li><a href="http://www.ares-conference.eu/conf/"> 7th ARES conference (ARES 2012) </a> - Prague, Czech Republic - Aug 20 - 24, 2012 </li>
<li><a href="http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=50&Itemid=82"> First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012) </a> - University of Economics, Prague, Czech Republic - Aug 20 - 24, 2012 </li>
<li><a href="http://www.sans.org/virginia-beach-2012/description.php?tid=5226"> SANS Virginia Beach </a> - Virginia Beach, VA - Aug 20 - 31, 2012 </li>
<li><a href="http://www.sans.org/crystal-city-2012/description.php?tid=5226"> SANS Crystal City </a> - Arlington, VA - Sep 06 - 11, 2012 </li>
<li><a href="http://www.iit.cnr.it/esorics2012/"> European Symposium on Research in Computer Security </a> - Pisa, Italy - Sep 10 - 12, 2012 </li>
<li><a href="http://www.raid2012.org/"> 15th International Symposium on Research in Attacks, Intrusions and Defenses </a> - Vrije Universiteit, Amsterdam, The Netherlands - Sep 12 - 14, 2012 </li>
<li><a href="http://www.htcia.org/index.shtml"> HTCIA International Conference &amp; Training Expo </a> - Hershey, PA - Sep 16 - 19, 2012 </li>
<li><a href="http://www.sans.org/network-security-2012/description.php?tid=5226"> SANS Network Security 2012 </a> - Las Vegas, NV - Sep 16 - 24, 2012 </li>
<li><a href="http://www.virusbtn.com/conference/vb2012/index.xml"> VirusBulletin 2012 </a> - Dallas, TX - Sep 26 - 28, 2012 </li>
<li><a href="http://grrcon.org/"> GrrCon </a> - Grand Rapids, MI - Sep 27 - 28, 2012 </li>

</ul>
&nbsp;
<strong>Call For Papers:</strong>
<ul>
<li><a href="http://lspi.net/CFP-LSPI.html"> 7th International Conference on Legal, Security and Privacy Issues in IT Law </a> - Due Aug 25, 2012 </li>
<li><a href="http://conferences.secau.org/"> 2012 secau Security Congress </a> - Due Sep 30, 2012 </li>
</ul>
&nbsp;

<strong>About the author:</strong>

By Maher Yamout, CCNA, CNDA, ECSA, GCFE. Maher Yamout is an Information Security Officer and Digital Forensic Examiner with the Lebanese Ministry of Finance.
He was involved in cyber-security exam item writing with EC-Council and is currently with Prometric. Maher is also a member of the High Tech Crime Investigation
Association (HTCIA) Europe-at-Large chapter.
