Monday, July 21, 2008

BRAP Forensics

Sometimes I have to marvel at the little pearls (as opposed to Perl!!) I find through sites like eEvidence...Christina's diligence in ensuring that there is always new information added to the site really makes it worthwhile to stop by at least once a month and see what's new.

One of the items I really enjoyed was Hal Berghel's article on BRAP Forensics. In this article, Hal talks about some of the nice little bits of debris or (in his words) "guano" left behind by browsers and applications, as well as OLE file (MS Word) metadata and Recycle Bin/INFO2 file analysis. Hal also mentions Registry analysis, particularly of the NTUSER.DAT file. For the most part, Hal refers to these tidbits in negative terms but for forensic analysts working on an examination, these tidbits can be priceless. I've used many of these techniques...sometimes in combination...to extract some extremely useful information from an examination.

Resources
Mandiant's WebHistorian