Thursday, June 02, 2011


NoVA Forensics Meetup
Last night's meetup, our second such get-together, was a rousing success!  Chris Witter gave a great presentation that covered a lot of the different aspects of building a packet capture engine "on da cheap", and all told, we had a total of 38 attendees!

*For those interested, there's a new version of Wireshark available.

I think that we're doing well enough to begin working on a format for these events, so that's something I'll be coming up with for the next meetup (on 6 July).  What I have in mind is an intro, then having everyone go around and introduce themselves, and then kicking the presentation off around 7:30pm.  This will give a bit more time for folks to show up.

Also, it might be a good idea to have two shorter talks, as opposed to one presentation...perhaps not every time, but every now and again.  Maybe something like a demo of a very specific tool or technique that you can present in about 20 min or so.

Finally, I'd like to ask everyone to take a moment and think about what they might like to hear about in a presentation, or a topic for a presentation that they'd be willing to give.  Also, try to think of a question or two that you might have for the group...we had a very diverse group of folks at last night's meeting, ranging from very experienced DFIR folks to IT staff and folks who are very new to the industry.

So...a big thanks to everyone who attended last night...we hope to see you again, and hey...bring a friend!  And a huge thanks to Christopher for stepping up and giving an excellent presentation!

DFwOST Reviews
If you're on the fence regarding purchasing "Digital Forensics with Open Source Tools", take a look at these reviews on Amazon.  They're all pretty glowing, and there's even one from a "shark tamer" (is that even possible??).

Upcoming Speaking Events
I have a couple of speaking opportunities coming up over the next few months (and I'll be submitting to other CfPs), and I find myself making some changes to how I'm going to be presenting the material in question.

My next speaking engagement is OSDFC on 14 June; I will be giving a presentation entitled "Extending RegRipper".  As I've been preparing the presentation, I'm finding that I'm putting more text into the slides than I normally would, but I think that under the circumstances, that makes pretty good sense.  After all, what I'm talking about in the presentation is kind of new; I've found (not surprisingly) that there are a good number of forensic analysts who have neither heard of nor used RegRipper, and I'm talking about extending the tool into a forensic scanner framework (which is, itself, a little something different).  I don't usually read from my slides, but in this case, I think that it's important to put the actual text on the screen so that attendees can see it, read it, and marinate on it.  I still plan to do a good deal of discussion and delve into things not explicitly listed in the slides (unfortunately, the setup doesn't allow for a demo...), but my hope is that by putting some of the explicit text in the slides, this will ultimately generate some discussion.

I'm also giving a presentation in August on timeline creation and analysis; similar to the above presentation, this one is going to have some slides in it that contain a good deal of text, but again, I think that there's a very good reason for doing this; some of the things I talk about in the presentation may be somewhat new to many attendees.  As such, I'd like to have certain things phrased in an explicit manner, so that when (not "if"...) discussion ensues, and someone says, "But you said...", we can go right back to the slide and address the question.  Also, I feel like I'd like to have the statement(s) being discussed sitting up there for folks to refer back to during the discussion, so that it has a better chance of crystallizing in their minds.  While I prefer the "hit-and-run" tactic of just having bullet statements (or not even using slides at all), there are really some things that are important enough to not only have explicitly stated on the slides, but to also include in the slide pack for later reference.

I've run across a couple of interesting blogs recently.  For example, the guys at Crucial Security still have a blog up and running, even though they're now part of Harris Corp.  There are a couple of very useful posts on this blog, such as this one regarding VM files essential for forensic investigations.  There's also this one regarding malware issues from an operational perspective...which, IMHO, would be far more useful when tied in with malware characteristics.

I've found the Girl, Unallocated blog to be a good read, and I have to say, I've really enjoyed the slant the author takes on some of the topics she presents in her posts.  Sometimes it's good to be less serious, even while remaining on-point...taking a whimsical approach can be a good thing at times.  I have also found some of her posts thought-provoking, such as this one on structured analysis...I've often heard forensicators state, "...sometimes we don't know what we're looking for...", and I have to say, that's bull.  No one just acquires images from systems at random, so when a system is acquired, there's a reason for it, and that reason can lead us to what we're looking for, or trying to prove or disprove.


Anonymous said...

I think you may have typo'd the date of the next meet. I'm pretty sure you said last night that it's July 6, not June 6.

Keydet89 said...

Good catch, thanks! Fixed.

Dennis said...

Good find on the "Girl, Unallocated" blog. I've been reading it over...she's a hoot (and you're both bringing up some very good things to ponder).

Girl, Unallocated said...

Thank you for the mention! Never thought I could actually be thought-provoking... I think I'll add that to my CV, right after "a hoot." :D

Keydet89 said...

Don't get so thing you may not know about me is that I tend to take something I read or hear, roll it around, let it marinate, noodle it over (hungry yet??), and just generally think about it. Some of your stuff has posed some serious questions...for example, many analysts find a malware file through an AV scan and declare that a win...but how many go about taking the extra step to see if it actually ran???

Good stuff...

Anonymous said...

I hope the "Digital Forensic with Open Source Tools" book will be made available on Safari Books like the other Syngress titles!