Friday, December 02, 2011

New Stuff

I recently returned from visiting with the great folks at the CT HTCIA.  They had invited me up to speak at their meeting a while back, and in order to keep costs down, I did an up-and-back trip.  I gave two presentations, each about an hour in length...the first was on using RegRipper, the second was on understanding malware (via the four characteristics I've talked about in this blog).  Overall, it was a great opportunity for me to get out and meet some new folks and see some faces I hadn't seen in a while. 

As to other speaking engagements, I'll be taking part in the SANS360 DFIR Lightning Talks (my job title is incorrect on the page...) event on 13 Dec.  This should be very interesting.  I've enjoyed some of the changes to the conference format that I first began seeing in 2008 through the SANS Forensic Summit, particularly the panel format.  This is another new addition...10 speakers, each with 360 seconds to present on a topic. 

Finally (for now, anyway), I'll be presenting on timeline analysis at DC3 in January, and I recently saw that SANS now has the CfP for the SANS Forensics Summit posted.  This is a different approach from last year, but I'm going to submit, hope that I get accepted, and hope to see you in Austin, TX, next summer!

Speaking of RegRipper, to get your very own copy, go here and get the file "".  To get the latest and greatest user-submitted plugins, go here.  I know Rob has updated the SANS SIFT Workstation to include the latest and greatest plugins in that distribution.

Oops, he did it (again)...
I caught this very interesting article by Mike Tanji (Kyrus CSO) recently...if you haven't read it, it's an excellent article, largely because he's so on point.  I particularly agree with his statement about critical thinking, particularly in light of this OverHack blog post that describes a phenomenal leap in "analysis" (sort of brings Mike's whole "hyperbole" statement into perspective), and its inevitable results.

Another part of Mike's article that I agree with wholeheartedly is specificity of language.  Like Mike and others, I see a lot of this (or lack thereof) within our community.  I recently received an email asking for assistance with Registry analysis, and the question revolved around the "system key".  Not to be a "word n@zi", but it's a hive, not a key.  Registry keys are very specific objects and structures, and are different from Registry values.  To Mike's point, other professions have that specificity of language...all doctors know what "stat" means, all lawyers know what "tort" means.  Like other professions and organizations, DFIR folks are often embattled with marketing forces (what does the over-used term "APT" really mean?), but we still simply do not have enough attention paid within our community to agreed-upon terminology.
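To make the hive/key/value distinction concrete in the tool this post keeps coming back to, here is an added example RegRipper plugin (my own, not one of the plugins shipped with RegRipper) that opens a System hive file, finds the active ControlSet from the Select key's "Current" value, and then reports one key's LastWrite time, its values and its subkeys.  The plugin name "hivewalk" and the choice of the Session Manager key are assumptions for illustration.

```perl
# hivewalk.pl - added example plugin, not part of the RegRipper distribution
# Shows the three objects by name: the hive (a file), keys (have a LastWrite
# time and subkeys) and values (have a name, a type and data).
package hivewalk;
use strict;
use Parse::Win32Registry qw(:REG_);

my %config = (hive          => "System",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20111202);

sub getConfig     { return %config; }
sub getShortDescr { return "Walk one key's values and subkeys (hive/key/value demo)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive  = shift;                 # path to the hive FILE (a copy of SYSTEM)
    ::logMsg("Launching hivewalk v.".$VERSION);
    ::rptMsg("hivewalk v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    ::rptMsg("Hive file: ".$hive."   Root key: ".$root_key->get_name);

    # The Select key's "Current" VALUE (REG_DWORD) names the active ControlSet
    my $current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
    my $key_path = "ControlSet00".$current."\\Control\\Session Manager";  # assumed key

    if (my $key = $root_key->get_subkey($key_path)) {
        ::rptMsg("Key: ".$key->get_path."  LastWrite: ".$key->get_timestamp_as_string);
        foreach my $v ($key->get_list_of_values()) {       # values live under the key
            ::rptMsg(sprintf("  Value  %-24s %-12s %s", $v->get_name,
                             $v->get_type_as_string, $v->get_data_as_string));
        }
        foreach my $sk ($key->get_list_of_subkeys()) {     # subkeys carry their own LastWrite
            ::rptMsg("  Subkey ".$sk->get_name."  LastWrite: ".$sk->get_timestamp_as_string);
        }
    }
    else {
        ::rptMsg($key_path." key not found.");
    }
}
1;
```

Drop the file into RegRipper's plugins directory and run it with rip.pl -r against a System hive file; a value's data is reported, but a value itself never has a LastWrite time, which only its parent key carries.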

Here are some links I've pulled together since my last post...

Claus is back with some updates to MS Tools and some other software stuff...

Andreas updated his EvtxParser Perl library, to fix an issue with memory.

Dave posted on extending RegRipper...again.  I read the blog post twice, and it seems like the "they see me rollin', they hatin'" blog post of the month.  ;-)

Corey's got another great post up...one of the things I like about it is that he is the first person (that I'm aware of) who's downloaded the malware detection checklist I posted who's actually provided feedback on it.  This is just another example of Corey's continuing contributions to the community.

Windows Security Descriptor Parser (Perl) - found here.

PDF Analysis - PDF Analysis using PDFStreamDumper

Check out Chris Taylor's blog...in his first post, he mentions selling out, but to be honest, he's got some really good stuff there.  I think like many (myself included), he's found the benefit of sharing findings, thoughts and ideas, not just as a way of keeping your own notes, but also getting input from others.

Finally, don't forget about next week's NoVA Forensics Meetup.  Time and location haven't changed...Sam Brothers will be presenting on mobile forensics.
