Monday, December 19, 2011

Even More Stuff

Last Thursday, we had (at one point) 32 attendees to the #DFIROnline online meetup, and my impression is that overall, it went pretty well.  Mike took the time to post his impressions, as well.

I think it would be very helpful to hear from others who attended and find out what they liked or didn't like about this format.  What works, what doesn't, what would folks like to see?  I know that with the NoVA Forensics Meetups, most (albeit not all) of the comments about content that I received were from out-of-town folks, and included, "...set up a meetup in my town...".  Well, Mike has made that happen: you can attend from anywhere.  Mike's survey results indicated that case studies and malware analysis are things that folks are interested in, and that's a great start.

Also, I've been thinking...what do folks think about moving the NoVA Forensics Meetups to DFIROnline?

For those interested, I posted my slides (in PDF format) to the Win4n6 Yahoo Group Files section.

A great big, huge, Foster's thanks to Mike for setting this up.

Cool Stuff
If you do timeline analysis, David Nides has posted a great little log2timeline cheat sheet over on the SANS Forensics blog.  David made this cheat sheet available at the recent SANS360 event as a single laminated sheet...if you weren't able to make it and didn't get one, download the PDF and print out your own.  The content of the cheat sheet goes right along with Rob's SANS360 presentation, which you can watch here (actually, it's the entire set of presentations).

A huge thanks to David for putting this together and making it available.  This is another great example of how someone can contribute to the community, without having to be able to stand up in front of people, or write code. 

Jump Lists
I recently received a question about Windows 7 Jump Lists, and dusted off some of the code I wrote last summer for parsing Jump Lists.  Yes, it's in Perl...but the way I wrote it was to use just core Perl functions (i.e., no esoteric, deprecated, or OS-specific modules) so that it is platform-independent, as well as much easier to install and run.  Also, I wrote it as Perl modules, so I have additional flexibility in output; in short, I can have a script spit out text in a table format, CSV, or even TLN format.

If you haven't yet, check out Mark Woan's tool, which is at version 1.0.5 and does a great job of parsing not only the LNK streams, but also the DestList stream (the partial structure of which was first publicly documented here).  It also maps the AppId to an application name...a list of which can be found here, and here.

Another use I've found for this code is Windows 8 forensics.  I've had a VirtualBox VM of Windows 8 Dev Build running, but recently set up a laptop (wiped XP off of it forever) to dual boot Win7 & 8, so that I could look at some of the various artifacts available, such as wireless networks within the Registry, the use of a Windows Live account to log into Win8, and the Jump Lists...yep, Win8 uses Jump Lists and at this point, they appear to be consistent in format with the Win7 Jump Lists.
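As an added illustration of the output split described in the Jump Lists section above (example code written for this page, not the post author's modules or Mark Woan's tool): a core-Perl-only formatter that takes already-parsed Jump List records and emits them as a table, as CSV, or as TLN lines. The record field names (path, appid, entry, ft), the AppID, the paths and the host/user values are all constructed for the example; the timestamps are converted from Windows FILETIME to Unix epoch seconds, which is what the TLN Time field carries.

```perl
# Added example, not the post author's code: core-Perl-only output formatting
# (table, CSV, or TLN) for parsed Jump List records, as the post describes doing.
use strict;
use warnings;
use POSIX qw(strftime);   # core module, so the script stays platform-independent

# Windows FILETIME (100ns ticks since 1601-01-01 UTC, little-endian 64-bit) to Unix
# epoch seconds, read as two 32-bit halves so no 64-bit unpack template is needed.
sub filetime_to_epoch {
    my ($lo, $hi) = unpack("V V", $_[0]);
    return int(($hi * 4294967296 + $lo) / 10_000_000 - 11_644_473_600);
}
# Inverse of the above, used only to build the constructed sample FILETIME bytes.
sub epoch_to_filetime {
    my $ticks = ($_[0] + 11_644_473_600) * 10_000_000;
    my $hi    = int($ticks / 4294967296);
    return pack("V V", $ticks - $hi * 4294967296, $hi);
}
# Constructed records shaped like what a DestList/LNK parser would hand back
# (hypothetical field names; AppID, paths and times are made up for the example).
my @records = (
    { appid => 'abcdef0123456789', entry => 1, ft => epoch_to_filetime(1324252800),
      path  => 'C:\Users\test\Documents\report.docx' },
    { appid => 'abcdef0123456789', entry => 2, ft => epoch_to_filetime(1324296000),
      path  => 'C:\Users\test\Desktop\notes.txt' },
);
sub ts { strftime("%Y-%m-%d %H:%M:%S", gmtime(filetime_to_epoch($_[0]))) }

# TLN: Time|Source|Host|User|Description, with Time as Unix epoch seconds
sub to_tln {
    my ($r, $host, $user) = @_;
    return join("|", filetime_to_epoch($r->{ft}), "JumpList", $host, $user,
                "AppID $r->{appid} entry $r->{entry}: $r->{path}");
}
sub to_csv {
    my ($r) = @_;
    (my $p = $r->{path}) =~ s/"/""/g;                  # escape embedded quotes
    return join(",", ts($r->{ft}), $r->{appid}, $r->{entry}, qq("$p"));
}
sub to_table {
    my ($r) = @_;
    return sprintf("%-19s  %-16s  %5d  %s", ts($r->{ft}), $r->{appid}, $r->{entry}, $r->{path});
}
# Same parsed data, three output formats; host and user are constructed values.
my %fmt = (table => \&to_table, csv => \&to_csv,
           tln   => sub { to_tln($_[0], 'WKS01', 'test') });
my $mode = $ARGV[0] || 'table';
die "usage: $0 [table|csv|tln]\n" unless $fmt{$mode};
print $fmt{$mode}->($_), "\n" for @records;
```

Run with `tln` as the argument to get lines that can be concatenated with other TLN sources (Registry, event logs) before sorting into a timeline.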

Speaking Engagements
My upcoming speaking engagements include the DoD CyberCrime Conference (the conference even has a Facebook page), where I'll be presenting on Timeline Analysis.  I've also submitted to the CfP for the SANS Forensic Summit this next summer (topic: Windows 7 Forensic Analysis), so we'll see how that goes.
Mike Wilkinson said...

One minor point there Harlan: no self-respecting Aussie would drink Foster's; there is a reason it's exported!

H. Carvey said...

Not saying you do, Mike, just trying to make my posts more colorful and visually appealing. I prefer to NOT drink the stuff myself...

Jimmy_Weg said...

Along the same lines, Fat Tire is something that we'd trade even-up for Foster's (I'm also a former craft beer brewer). I think, however, that I saw Harlan sipping a Paulaner, which is a standard. Unfortunately, Americans tend toward Miller Lite, and neither the US nor Australia has enacted the Reinheitsgebot.

H. Carvey said...
I'm a big fan of the Lagunitas "Little Sumpin Wild", but all I can find now is the "Little Sumpin Sumpin"...which is still fine for me.

I went to the Caps game in DC last night, and my lovely bride discovered that you could get Hoegaarden!

Alissa Torres said...

No matter what kind of beer you choose to drink, if you are drinking during the webinar, you are still drinking alone. I am in favor of keeping the NoVa Meetups, as there is some value to meeting in person. I don't drive down too often from MD, but I would think that fractions of the DC/NoVA forensics community would still want to meet. That being said, I have heard the Regional Computer Forensics Group is going to start back up soon. Maybe that will fill the hole...

H. Carvey said...
Thanks for your comments.

...but I would think that fractions of the DC/NoVA forensics community would still want to meet.

I've tried querying the group when we meet as to where everyone hears about the meetups and keeps up on them, and when I do get answers, it's "Twitter" and "your blog". That being said, I have yet to receive a single comment from anyone who attends on a regular basis.

...I have heard the Regional Computer Forensics Group is going to start back up soon.

Interesting. I ran into Ken Haynes (sp?) at the SANS360 event and even mentioned speaking at those events, and he never said a word. Please let me know if this does happen...thanks.