Sometimes I have to marvel at the little pearls (as opposed to Perl!!) I find through sites like eEvidence...Christina's diligence in ensuring that there is always new information added to the site really makes it worthwhile to stop by at least once a month and see what's new.
One of the items I really enjoyed was Hal Berghel's article on BRAP Forensics. In this article, Hal talks about some of the nice little bits of debris or (in his words) "guano" left behind by browsers and applications, as well as OLE file (MS Word) metadata and Recycle Bin/INFO2 file analysis. Hal also mentions Registry analysis, particularly of the NTUSER.DAT file. For the most part, Hal refers to these tidbits in negative terms, but for forensic analysts working an examination, these tidbits can be priceless. I've used many of these techniques...sometimes in combination...to extract some extremely useful information from an examination.
Resources
Mandiant's WebHistorian
Monday, July 21, 2008
2 comments:
Kind of along these lines, I found a Perl script that parses the history.dat files of Firefox: mork.pl, written by Jamie Zawinski.
I modified it to print out the date instead of the timestamp, which you can find here.
You can see an output of the DFRWS 2008 challenge using this here.
-Jamie