The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Thursday, September 12, 2013
Links
Artifacts
Jason Hale has a new post over on the Digital Forensics Stream blog, this one going into detail regarding the Search History artifacts associated with Windows 8.1. In this post, Jason points out a number of artifacts, so it's a good idea to read it closely. Apparently, with Windows 8.1, LNK files are used to maintain records of searches. Jason also brought us this blog post describing the artifacts of a user viewing images via the Photos tile in Windows 8 (which, by the way, also makes use of LNK streams...).
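Since LNK files keep turning up as artifacts (search history, the Photos tile), it helps to know what is actually in one. The following is an added example, not code from Jason's post or from any of the tools mentioned here: a minimal Python parser for the Shell Link (MS-SHLLINK) format that reads the 76-byte header (timestamps, LinkFlags), skips the LinkTargetIDList and LinkInfo blocks, and decodes the StringData fields. The sample .lnk it parses is constructed inline and is not a real artifact; the cp1252 code page used for non-Unicode strings is an assumption (real files use the system ANSI code page).

```python
"""Minimal parser for the Windows Shell Link (.lnk) format (MS-SHLLINK).

Reads the 76-byte ShellLinkHeader, skips LinkTargetIDList and LinkInfo, and
decodes the StringData fields that follow. Sample input is constructed inline.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, stored little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields in on-disk order; each is present only when its flag is set
STRING_DATA = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Return header timestamps, flags and StringData from raw .lnk bytes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     file_size, icon_index, show_cmd, hotkey) = struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")

    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes the size field itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size

    # ANSI code page is assumed to be cp1252; real files use the system ANSI code page
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    strings = {}
    for key, flag in STRING_DATA:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, offset)   # CountCharacters, no terminator
        offset += 2
        raw = data[offset:offset + width * count]
        if len(raw) != width * count:
            raise ValueError("truncated StringData for %s" % key)
        offset += len(raw)
        strings[key] = raw.decode(codec)

    return {
        "link_flags": flags,
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": file_size,
        "icon_index": icon_index,
        "show_command": show_cmd,
        "hotkey": hotkey,
        "strings": strings,
    }


def build_sample_lnk(unicode=True):
    """Constructed sample (not a real artifact): header plus NAME, RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    epoch = 116444736000000000  # FILETIME for 1970-01-01T00:00:00Z
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         epoch, epoch, epoch, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")

    return header + string_data("Search: invoice") + string_data("..\\Documents\\invoice.txt") + string_data("/q")


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print("%-16s %s" % (key, value))
```

Two caveats for anyone pointing this at real files: the header timestamps describe the link target, not the LNK file itself, so the file system timestamps of the .lnk are what tell you when the search or view happened; and the target path in many LNK files (including, quite possibly, the search and Photos artifacts Jason describes) lives in the LinkTargetIDList shell items and the ExtraData blocks, both of which this example skips.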
Claus is back with another interesting post, this one regarding Microsoft's Security Essentials download. One of the things I've always found useful about Claus's blog posts is that I can usually go to his blog and see links to some of the latest options with respect to anti-virus applications, including portable options.
Speaking of artifacts, David Cowen's Daily Blog #81 launches the Encyclopedia Forensica project. David's ultimate goal with this project is to document what we know, from a forensic analysis perspective, about major operating systems so that we can then determine what we don't know. I think that this is a very interesting project, and one well worth getting involved in, but my fear is that it will die off too soon, from nothing more than lack of involvement. There are a LOT of folks in the DFIR community, many of whom would never contribute to a project of this nature.
Perhaps one of the biggest issues regarding knowledge and information sharing within the community that I've heard, going back as far as WACCI 2010 and beyond, is that too many practitioners simply feel that they don't have any means for contributing to the community in a manner that allows them to do so. Some want to, but can't be publicly linked to what they share. Whatever the reason, there are always ways to contribute. For example, if you don't want to request login credentials on the ForensicsWiki and actually write something, how about suggesting content (or clarity or elaboration on content) or modifications via social media (Twitter, G+, whatever...even directly emailing someone who has edited pages)?
Challenges
Like working forensic challenges, or just trying to expand your skills? I caught this new DFIR challenge this morning via Twitter, complete with an ISO download. This one involves a web server, and comes with 25 questions to answer. I also have some links to other resources on the FOSS Tools page for this blog.
Speaking of challenges, David Cowen's been continuing his blog-a-day challenge, keeping with the Sunday Funday challenges that he posts. These are always interesting, and come with prizes for the best, most complete answers. These generally don't come with forensic images, and are mostly scenario-based, but they can also be very informative. It can be very beneficial to read the winning answers come Monday morning.
Academia
I ran across this extremely interesting paper authored by Dr. Joshua James and Pavel Gladyshev, titled Challenges with Automation in Digital Forensics Investigations. It's a bit long, with the Conclusions paragraph on pg. 14, but it is an interesting read. The paper starts off by discussing "push-button forensics" (PBF), then delves into the topics of training, education, licensing, knowledge retention, etc., all issues that are an integral part of the PBF topic.
I fully agree that there is a need for intelligent automation in what we do. Automation should NOT be used to make "non-experts useful"...any use of automation should be accompanied with an understanding of why the button is being pushed, as well as what the expected results should be so that anomalies can be recognized.
It's also clear that some of what's in the paper relates back to Corey's post about his journey into academia, where he points out the difference between training and education.
Video
I ran across a link to Mudge's comments at DefCon21. I don't know Mudge, and have never had the honor of meeting him...about all I can say is that a company I used to work for used the original L0phtCrack...a lot. Watching the video and listening to the stories he shared was very interesting, in part because one of the points he made was getting out and engaging with others, so that you can see their perspectives.