Tuesday, September 08, 2009


Been out of pocket, enjoying my temporary unemployment for a while, and now I'm back in the game...

Richard Bejtlich posted his review of WFA 2/e on Amazon...thanks, RB! It's validating to see luminaries in the security industry picking up, reading, and commenting on books like mine, particularly because Richard is so well known for NSM, something my book doesn't really cover.

Thanks to a recent comment to one of my blog posts, I was led to the Eating Security blog...always nice to get different perspectives on topics. I like some of the recent posts about IR teams and documentation, as well as the "does it make sense" test. I've done considerable work over the years with respect to CSIRP development and IR team testing, and I like to see how others approach the problem. While each customer brings a unique perspective to the problem through their own infrastructure and team organization, it's always interesting to see the thoughts that others have...most often due to the fact that developing a new IR team with a customer doesn't allow for a great deal of feedback beyond, "wow...okay...this is new."

Speaking of CSIRP development, here's an interesting blog post that I picked up a while back. Interesting how information on "crisis management" so easily maps to a CSIRP.

The guys over at cmdLabs had a nice post on SQLite for forensics nerds that has some good information...something to read, maybe play around with a bit, and bookmark.

Claus had an excellent forensic roundup post recently...he really can cover a LOT of stuff. I'm still sifting through this one. Claus and I read each other's blogs pretty regularly, so you see not only crosslinks but comments, as well...but Claus never ceases to amaze me with the breadth of useful information he's able to come up with. He's got a couple of links for pcap visualization that I need to take a look at.

All in all, not a bad catch this time around.

Addendum: Just a bit later, I ran across a couple of interesting blogs, and rather than wait to post another blog entry, I thought I'd add them here...

ForensicInnovations had an interesting blog, and the post that initially got my attention was Push for Live Forensics. I started into the post expecting yet another argument for developing a live response process, and got some of that...but the post ends with an announcement for a data profiler product that appears to provide a list of various file types found on the system. I'm not entirely sure how I'd use such a product, as rather than "show me all of the file types" I might take the approach of just "show me all graphics images", or something a bit more directed (based on the goals of my response).

I also found Simple Techniques that Fool Forensics Tools in the archive, as well as a couple of other posts. There's mention of NTFS Alternate Data Streams in this post, something I've been writing about for years and, oddly enough, something that is still an effective hiding place for data, as many sysadmins and forensic analysts still do not understand how ADSs are used by the OS, let alone by the bad guys.

Also, I found a link to this CyberCrime blog that has some interesting stuff to read.

RegRipper used to validate Neeris infection...with lots of other good stuff in the post, as well...a good deal of which I use in creating timelines for analysis...

1 comment:

nr said...

Harlan, thanks for the plug. Richard also mentioned my IR team posts on his blog fairly recently.

The comment about Richard's review of your book is funny to me because Richard and I have talked in the past about it being nice to get external validation sometimes. It can be tough to get input or feedback from peers who aren't immediate coworkers, so seeing comments from people like you or Richard definitely eases my paranoia that I'm doing it all wrong. ;)