Blog

Daily Blog #140: Sunday Funday 11/10/13

Hello Reader, We’ve been talking about timestamp changes and other methods of hiding activity this week, so I thought I would add in a challenge that covers a somewhat more basic anti-forensic technique. I hope you like this week’s scenario challenge, and prepare yourself for another full image challenge next week. The Prize: A 4TB External USB3 Seagate Backup Plus […]

Daily Blog #139: Saturday Reading 11/9/13

Hello Reader, It’s Saturday! Time for another collection of links to make you think. I will most likely go see Thor today, but after that I will be back to my forensicy ways. Here is this week’s set of good reads. 1. The Forensic Lunch, always free of trans fats, happened again this Friday. This week Sheryl […]

Daily Blog #138: Forensic Lunch 11/8/13

Hello Reader, We had a great Forensic Lunch today! Sheryl Falk of Winston & Strawn joined us to talk about dealing with the legal side of breaches, Jonathan Rajewski of Champlain College talked to us about their undergraduate and graduate programs, and Matthew showed us a demo of the up-and-coming ANJP v3 and all the cool stuff that […]

Daily Blog #137: Finding new artifacts – Re-creation Testing Part 1

Hello Reader, One of the things that, in my opinion, makes an examiner better at digital forensics is the ability to re-create events, create test scenarios and possibly find new artifacts. The best way to do that is through re-creation testing, and it’s something we do in the lab quite often. The premise is simple and there are some things […]

Daily Blog #136: Using Win 2008 server task scheduler logs to identify interactive logins

Hello Reader, In prior Sunday Fundays we’ve talked about tracking logins to a Windows Server 2008 system, and in each case I saw the normal Security event log entries referenced. Today I wanted to expand on that knowledge with something I found in a case a couple of years ago and mentioned in a Sunday Funday answer post: tracking logins […]

Daily Blog #135: Converting MHT to PDF

Hello Reader, I’ve spent most of the day today trying to get data into a format that someone else can review. I’m using a tool called X1 Social Discovery, which allows you to download, index and manage social media information from a variety of sources (Twitter, Facebook, LinkedIn, etc.), but its ability to export the data in a form my client […]

Daily Blog #134: Sunday Funday 11/3/13 Winner!

Hello Reader, Another Sunday Funday has come and gone with a range of good responses to choose from. Choosing this week’s winner was hard, as I had some good submissions that went into depth on different parts of their investigative process. I chose this week’s winning answer over the other submissions due to its good details; I’m a sucker for […]

Daily Blog #133: Sunday Funday 11/3/13

Hello Reader, Another fun week: I got to speak at BSides DFW yesterday, reach out to our infosec brethren and spread the good DFIR word. I gave a write blocker and a book as a door prize, and someone mentioned that a write blocker would be a very tempting Sunday Funday prize, so here we go! This week’s challenge focuses […]

Bsides DFW 2013 Slides

Hello Reader, If you attended my talk today, here are the slides I used: https://drive.google.com/file/d/0B_mjsPB8uKOAQV9lYS1aYVN3MGM/edit?usp=sharing

If you wanted to sign up for the free beta of the NTFS or HFS+ parsers, the links are below:

NTFS: https://docs.google.com/forms/d/1GzOMe-QHtB12ZnI4ZTjLA06DJP6ZScXngO42ZDGIpR0/viewform

HFS+: https://docs.google.com/forms/d/1_Zrf7LfmnklJfJ7CteecdAiAWGdRkNp2ltqqHuYFncQ/viewform

Daily Blog #132: Saturday Reading 11/2/13

Hello Reader, It’s Saturday and I’m at BSides DFW getting ready to speak at 11am CST. I’ll be uploading my slides when I’m done, as usual, so welcome BSides attendees. It’s time for another set of links that make you think on this Saturday Reading. 1. What was yesterday, Friday? It was, and that means we had a Forensic Lunch! You […]

Daily Blog #131: Forensic Lunch 11/1/13

Hello Reader, We had another great Forensic Lunch today! Today David Dym, Rebecca Henderson, Kevin Stokes and Lee Whitfield joined me to talk DFIR. We discussed our SetMace research detailed in yesterday’s blog and its impact on analysis, automated metadata scraping using the Windows shell and COM, lab certification, manual mobile phone forensics and the DFIR internship process. I think it […]

Daily Blog #130: Detecting Fraud Sunday Funday 10/27/13 Part 3 – SetMace

Hello Reader, Yesterday we reviewed the timestomp tool and showed how simple MFT analysis can defeat it. Today we are going to go into the newest version of SetMace, v1006, which can modify not only the STDINFO ($STANDARD_INFORMATION) timestamps but the FILENAME ($FILE_NAME) timestamps as well. I’m not sure how widely known SetMace is, but I will tell you that it’s very […]

Daily Blog #129: Detecting Fraud Sunday Funday 10/27/13 Part 2 – Timestamp changes

Hello Reader, Yesterday we went through detecting system clock changes on Windows 7; today we are going to talk about timestamp changing using two different utilities, timestomp and SetMace. Why two timestamp changing tools? They have two different approaches: timestomp and its variants use a Win32 API call to change timestamps, which allows them […]

Daily Blog #128: Detecting Fraud Sunday Funday 10/27/13 Part 1 – Time Changes

Hello Reader, Let’s talk about system clock changes, which is one of the areas not covered by this week’s Sunday Funday winning answer. Often, when creating fraudulent documents, a suspect will change the date of the system in order to make the document appear to have been generated at an earlier time. If you’ve done these cases on Windows XP […]

Daily Blog #127: Sunday Funday 10/27/13 Winner!

Hello Reader, Another Sunday Funday is behind us, and another challenger came with a great writeup full of testing and description. This week’s winner, Andy Dove, is now a two-time Sunday Funday winner and brought some good testing this week. I plan to spend this week delving into the host-based artifacts outside of Office that Andy didn’t […]

Daily Blog #126: Sunday Funday 10/27/13

Hello Reader, It’s Sunday Funday time again! Let’s switch up these contests to something a little more internal-investigation focused; these fraud cases are more common than you may think! The Prize: A signed copy of the new book. The Rules: You must post your answer before Monday 10/28/13 2AM CST (GMT -5). The most complete answer wins. You are allowed […]

Daily Blog #125: Saturday Reading 10/26/13

Hello Reader, It’s Saturday! Time to rock out with your dongle out as we get down to some forensic goodness. 1. We had the third and final IR roundtable on the Forensic Lunch yesterday; watch it here http://www.youtube.com/watch?v=7UZnJ5m5aLc and make sure to tune in live next week, 11/1/2013 at noon Central. This week we covered the end of the IR lifecycle […]

Daily Blog #124: Forensic Lunch 10/25/13

Hello Reader, We had another great Forensic Lunch today; this time we finished out the IR roundtable series with James Lohman and Kyle Maxwell joining us to discuss the end of the IR lifecycle. From dealing with aggravated attackers and working with worried clients to best practices in remediation, we got some great facts and opinions out there for you to […]

Daily Blog #123: Svchost Persistence Question Answered

Hello Reader, After getting our stock XP VM license up and activated, I did some testing today with the svchost key found here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. The purpose of my testing was to determine what would be required to enable persistence using the Service Host facility. This came about after this week’s Sunday Funday answer and Harlan Carvey’s follow-on question. […]

Daily Blog #122: Question regarding Persistence via Svchost

Hello Reader, Harlan Carvey had a question from this week’s answer: “I have a question about the description of the SvcHost key, particularly when compared to what’s listed here: http://support.microsoft.com/kb/314056 I’m not sure that the SvcHost is, in itself, a persistence mechanism, as without the service existing beneath the Services key, the entry is just a place holder.” The description in […]

G-C Partners