Wednesday, March 18, 2009

Linkfest

This will be a short "linkfest"...

Ovie and Bret posted a new CyberSpeak podcast recently. In this podcast, they interviewed Drew Fahey of e-Fense, and talked about the reasons behind Helix becoming a commercial tool. I agree with Drew's reasoning...I can't say that I've been a huge user of Helix, although I do have copies of the CDs for various versions of Helix. I have run into folks that use Helix (in some cases, almost exclusively), so it behooves me to be a bit familiar with the tool sets, particularly when it's a customer and they're trying to provide me with some needed information.

One of the links from the show was for ADrive.com, an online storage and backup site. A while back, I blogged on the GMail Drive, an application that would allow you to use your GMail account as a backup/storage facility. Googling turns up a number of sites available for this kind of functionality, including VMN.NET, and an ExtremeTech article that lists six free online storage sites. Given some of the media attention that's been directed at insider threats, particularly in a down economy, this is yet another avenue of data leakage to be on the lookout for. When performing incident response or analysis in these situations, you may want to look for artifacts of online storage sites.

2 comments:

Tom said...

It's interesting that you posted this because I was having a similar discussion with my co-workers yesterday. Long term I think this will start to be an issue when you look at say Amazon's "cloud based storage" and the sites you mentioned. How are you going to get at that data in a forensic matter (or can you even)? Where is the data stored (is it split amongst different data centers)? Worst-case scenario is now people don't even need USB storage devices anymore. They just upload the data to these services.

Keydet89 said...

Tom,

You're right. There will be artifacts available...just as there are now with USB thumb drives and web-based email...but beyond that, it's a matter of what the victim company wants to pursue.

I'd recommend that the victim contact law enforcement, if the situation permits.