SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

Digital Forensic Case Leads: Forensic 4Cast Voting is Open

Short post this week, as yours truly is under the weather. I hate colds, but they are far more miserable in the summer when the weather is beautiful.

It's con season. Last week was SANSFire, this week started off with the Pen Test Summit and FIRST, and in the coming weeks we'll see the Forensics Summit (details below), Black Hat and Defcon. I love this time of year and can't wait to see what great tools and discoveries will be released in the coming months.

Tools:

  • For anyone who has ever had to dig through the registry piecing together information about various USB devices that have been plugged into a system, here's a useful tool that will do the heavy lifting for you. That link will take you to a post that discusses the various registry artifacts in play and includes a link to the tool.
  • Mandiant has

...


Digital Forensics Case Leads: Good reads and coming events

It's been a very busy week, so this week's Case Leads post is all about brevity. There were a bunch of great articles put out this week and I'm sure I've missed a few. At the end of this week's post there's an email address for the Case Leads series. If you have written or read something you think should be included in the weekly round-up, please let us know.

Last week I posted a few sites that regularly publish lists of domains that are known to be serving malware. I'm working on a project that's scraping some of these sites and building lists of IPs for use in a network security monitoring program. What I didn't know at the time was that malwaredomains.com has a text file that they regularly update with new domain names. This makes my task much easier.

For fun this week, I took the text file and extracted the hostnames from all the uncommented lines in

...


Digital Forensic Case Leads: Malware hunting

Incident responders and digital forensics investigators are on the front lines in the battle against malware. We need good intelligence for tracking its origins and command and control structures. This intelligence can help us limit malware's access to our networks and help us find it. When we do find it, we need good tools for eradicating it. For this week's Case Leads, I've been looking into some resources and tools that can aid in these efforts.

Tools:

  • First up, a malware removal tool that is new to me, called Malwarebytes. As I said, it's new to me, and I've only done a little playing around in the lab, but I've been told by others that it works great. I'm blocking out some time to delve into the tool more extensively and will have more to say about it then.
  • Two sites that provide lists of sites known to be distributing malware, http://www.malwaredomains.com/

...


Digital Forensics Case Leads: Google's "password system" code stolen?

Additional details of the attack against Google were reported in the New York Times this week. The claim is that some portion of Google's authentication system code, Gaia, may have been stolen as part of the "Aurora" breach. The bulk of this week's Case Leads was inspired by my own pursuits of late. I've been revisiting some forgotten skills in an attempt to brush up and have been researching information on some new (to me) technologies of interest.

Tools:

  • My tool of choice this week is IDA Pro, the disassembler that should be in any malware analyst's kit. I was exposed to IDA Pro a few years ago in Lenny Zeltser's Reverse-Engineering Malware course. Unfortunately for me, I'm a bit rusty on its usage, but am getting back into it.

Good

...


Case Leads: On the horizon — SIFT 2, Volume Shadows

I started this week traveling home from teaching SANS Forensics 508 to a great group of people in the Boston area. This week's Case Leads is my effort to catch up on the latest goings on and some older items.

Tools:

...