Saturday, January 31, 2009

Catching up...

Just trying to catch up a bit...

Matt's really clicking along down at's posted yet another example of using F-Response to access a running, live Exchange server, this time incorporating Nuix desktop. I've gotta say, if you don't know anything at all about F-Response, you're already late to the party. F-Response has completely changed the face of incident response, and its utility grows by leaps and bounds every day...not because Matt does anything like release an update, but because more people become familiar with it, use it, and see how absolutely fantastic it is as a tool.

Didier found out recently that theVigenere encryption used in the UserAssist keys in Window 7 are only to be used in the beta, and the "encryption" method for the final version is going to go back to good ol' ROT-13!

Lance Mueller posted recently about using a Perl module I wrote for parsing Windows Event Logs (.evt, NOT .evtx). I use this quite often myself, and the version of the module that Lance and Mark McKinnon mentioned is different from what's being included on the DVD that will ship with the second edition of Windows Forensic Analysis. I recently used one of the tools that comes with the evt2xls tools called evtrpt to give me the frequency of event records listing, as well as the date range of the records; this way, I could see if the Event Logs contained records within the date range. I also noticed that the Security Event Log was 512Kb, but there were no records...not surprising since RegRipper told me that auditing had been disabled.

Speaking of RegRipper, over on the ForensicIR blog, Hogfly posted about using RegRipper and some of the things he's used it to extract, such as user/group information, firewall configuration, etc. One of the things I am reminded of each time I use RegRipper is how powerful it really is, in part through its flexibility.

Moyix has posted code updates for the Registry modules he created, and over on ForensicZone, there's a post showing how to use the modules to decrypt the passwords extracted from a memory dump.

Speaking of memory, I ran across Gustavo Duarte's blog recently, and I'm STILL reading some of the posts! I have to say, the pictures drew me to it, but the content keeps me coming back!

For those interested in information about how time stamp data can be and is used in forensics, check out the TimeForensics site for some good papers.

Here's a great PDF that addresses issues with U3 devices.


Anonymous said...

Great reading, lots of info, unfortunately the link pointing to the U3 pdf returns a pdf with 0 bytes size

Anonymous said...


the PDF(Battling Anti-Forensics: Beating the U3 Stick) is from the free issue of Journal of Digital Forensic Practice, Volume 1, Issue 4 December 2006 , pages 265 - 273.

Try this link:


Thijs Bosschert said...

Hi people,

Being the author of the U3 PDF I can confirm that linking directly to my paper doesn't work. The PDF seems to be generated on each view by the Informaworld system (not something I have any control over).

The link Caner posted above works like it should. Here it is in a clickable version:
U3 article