Sunday, June 07, 2009

Forensic4Cast and Links

Lee Whitfield of the Forensic4Cast podcast reached out to me this past week, and asked me to be a guest on his podcast on Wed, 10 June.

If you've never listened to Lee's podcast, give it a shot...Matt Shannon of was interviewed, as well as others. Lee's also got a section for technical articles, many of which look to be extremely useful.

Lee's also taking nominations now through 21 June for Forensic4Cast Awards; be sure to place your vote in any or all of the various nomination categories. Take a look at the page to see how everything works, and dates for submissions, voting and the posting of the final results. While this isn't something huge that's going to get you a free pass to RSA next year or something, I do think that it's a great opportunity to show your appreciation for the work done in the various categories. See what Matt's posted as his nominations!

Speaking of podcasts, did you know that CERT has podcasts? Another security podcast out there is ExoticLiability. Man, there's just too much to check out!

Didier's posted some links to PDF analysis tidbits...very cool! Didier's done a great deal of work in the area, and his work reminds me a lot of the ComputerBytesMan's work in the area of MSWord metadata extraction. Now, some folks are going to look at these links and ask, "...okay, but how can I use this?" Far too often, folks will post links to other blogs or blogposts without any real explanation of how the information is useful, valuable, or important. Well, when conducting analysis of a compromised system, one of the questions that comes up very often is, how was the system compromised? What was the infection vector? It's pretty trivial, really, to scan a mounted image with AV software or to locate files that an intruder may have copied onto the system...but sometimes (many times?) we need to find out how they got in. One means of doing so is to run file signature analysis tools across web browser and email attachment cache directories to locate things like PDF documents or Excel spreadsheets the may have been downloaded. Finding such documents, which have recently been identified as having vulnerabilities, may lead to identifying the initial source of compromise or infection.

Moyix recently posted some Windows 7 Registry hives for examination, based on a request from Tim Morgan. I'd taken a look at hives from a Windows 7 VM earlier this year, and found that while key locations may change between various revs and versions of the OS, the binary structure appears to remain the same. Thankfully, MS hasn't moved to an all-XML format for the Registry (right now, a lot of you out there are going, "Dude, shut up!!"). I've been running my RegRipper plugins against the hives and dude...they work great!

Speaking of Registry hives, reviews of Windows Forensic Analysis 2/e are already starting to appear! It appears that some folks really like the Registry analysis chapter...maybe this is something to take off on it's own...what do you think? Should Registry Analysis become it's own book? Personally, I think that there's more than enough information out there for this...let me know your thoughts. Or let Syngress know your thoughts.

Finally, more reviews of WFA 2/e are being posted, and I've gotta thank Larry for his review of Perl Scripting for Windows Security! I greatly appreciate the efforts of those who are posting reviews, regardless of the forum. Thanks, folks!

1 comment:

Rogue said...

I just received my book today. I found out today that a few of my co-workers are aware of your book and plan to purchase it.

Anyway, as a side note, I think that their should be a book on registry forensics, although I have not started the Windows Forensics book yet.