SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Book Review: Windows Forensic Analysis

Title: Windows Forensic Analysis - DVD Toolkit 2nd Edition
Author: Harlan Carvey
Publisher: Syngress
Date of Publication: 2009
Price: $69.95 (USA)
ISBN: 978-1597494229
Reviewer: Peter Sheffield
Review

This second edition of Harlan Carvey's excellent book on Windows Forensic Analysis is a fantastic uplift to what I'd classify as the best book I owned on Windows forensics, especially from a practitioners' perspective. This 2nd edition works on multiple levels; with practical advice and guidance for live Windows forensic analysis as well as more in depth discovery guidelines for back your work back in the lab, all augmented by real scripts and utilities that will help you retrieve valuable forensic evidence from a target machine. Chapter 4 on registry analysis is particularly strong with details on audit policy and event log analysis, wireless SSID discovery, understanding autostart, and one of my favorites, the section on how to track USB

... Continue reading Book Review: Windows Forensic Analysis


2010 Digital Foreniscs and Incident Response Summit - Final Agenda Released

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Matt Olney (SourceFire) said that when describing the Advanced Persistent Threat attacks earlier this year. He was not joking. The results over the past year clearly indicate that hacking groups are racking up success after success. Over 30 companies have been compromised by the Advanced Persistent Threat. Organized crime utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.

The enemy is getting better, more bold, and their success rate is impressive. Are we?

We can do better. We need to field a more sophisticated incident responders and forensic investigators. We need lethal forensicators that can detect and eradicate advanced threats immediately.

... Continue reading 2010 Digital Foreniscs and Incident Response Summit - Final Agenda Released


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Digital Forensics Case Leads: Guidance Busy this week.

This week big news from Guidance Software, maker of Encase. The U.S. Secret Service will now add more data to the Verizon Breach Report. Microsoft release Office 2010 and several new/updated tools and virtual pit bulls are now protected.

Tools:

Good Reads:

...


Digital Forensics Case Leads: Good reads and coming events

It's been a very busy week this week, so this week's Case Leads post is all about brevity. There were a bunch of great articles put out this week and I'm sure I've missed a few. At the end of this week's post there's an email address for the Case Leads series. If you have written or read something you think should be included in the weekly round up, please let us know.

Last week I posted a few sites that regularly publish lists of domains that are known to be serving malware. I'm working on a project that's scraping some of these sites and building lists of IPs for use in a network security monitoring program. What I didn't know at the time was that malwaredomains.com has a text file that they regularly update with new domain names. This makes my task much easier.

For fun this week, I took the text file and extracted the hostnames from all the uncommented lines in

...