— Chad Tilbury (@chadtilbury) October 16, 2013
The Forensics From the Sausage Factory blog details a different technique for EXIF data carving here.
SANS recently posted a webcast I recorded on memory forensics. While the presentation is from early 2012, the concepts are solid and this deck was eventually expanded to the full day of memory forensics training present in the updated Forensics 508 course.
The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:
While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As an example, imagine you were reviewing control panel usage on a system and came across Figure 1.
Context is critical: access to the Windows Security Center would not normally be particularly interesting on its own, but the fact that it was accessed immediately after the execution of a known (router) password cracking tool might make all the difference.
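As an added example (not code from the original post), here is one way to surface the kind of context described above: a Python pass over a normalized timeline that pairs each control panel applet access with a watch-listed program executed shortly before it. The timeline entries, the artifact source labels ("exec", "cpl") and the tool name routerpass_crack.exe are all constructed placeholders.

```python
"""Added example: correlate control panel applet access with the preceding
execution of a watch-listed tool. The timeline is assumed to have been
built already from whatever artifacts record execution and applet access;
all field names, tool names and timestamps below are constructed."""
from datetime import datetime, timedelta

# Constructed sample timeline: (timestamp, source artifact, event description)
TIMELINE = [
    ("2013-10-15 09:02:11", "exec", "explorer.exe"),
    ("2013-10-15 09:05:40", "exec", "routerpass_crack.exe"),  # constructed placeholder name
    ("2013-10-15 09:06:02", "cpl", "Windows Security Center"),
    ("2013-10-15 11:30:17", "cpl", "Date and Time"),
    ("2013-10-15 13:45:00", "exec", "notepad.exe"),
    ("2013-10-15 13:46:10", "cpl", "Windows Firewall"),
]

# Constructed watchlist of program names the examiner considers noteworthy.
WATCHLIST = {"routerpass_crack.exe"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def suspicious_cpl_access(timeline, watchlist, window_minutes=10):
    """Return control panel accesses occurring within window_minutes after
    a watch-listed execution, paired with that execution. The applet access
    alone is weak evidence; the adjacent execution supplies the context."""
    events = sorted(((parse(t), src, desc) for t, src, desc in timeline),
                    key=lambda e: e[0])
    window = timedelta(minutes=window_minutes)
    hits = []
    last_tool = None  # (time, name) of the most recent watch-listed execution
    for when, src, desc in events:
        if src == "exec" and desc.lower() in watchlist:
            last_tool = (when, desc)
        elif src == "cpl" and last_tool and when - last_tool[0] <= window:
            hits.append({"applet": desc,
                         "applet_time": when.isoformat(sep=" "),
                         "preceded_by": last_tool[1],
                         "seconds_after": int((when - last_tool[0]).total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cpl_access(TIMELINE, WATCHLIST):
        print(hit)
```

Only the Security Center access is reported: it falls 22 seconds after the watch-listed execution, while the later applet accesses have no such neighbour within the window.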
With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.
I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”
— Chad Tilbury (@chadtilbury) May 23, 2013
Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link]. Thank you to all that took part in the experiment. Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here].
In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed. Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three. I think many of us could have guessed that big players like Symantec and Sophos would be near the top, but I was surprised to see products like BestCrypt and SecureDoc pull ahead of Credant Technologies (now owned by Dell).
Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it. Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments. I have used it for everything from remote imaging to fast forensic triage to live memory analysis. F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit. The product is so good, I really wouldn’t blame them for just sitting back and counting their money. Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value. Their latest additions are new “Connector” tools: Database, Cloud, and Email.
Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources. The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics. I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly. That said, the topics covered do not fit within the classical definition of network forensics. A more apt title might be Mastering Incident Response Forensics and Investigations.
This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing. The authors blended dense material with relevant examples and insightful and engaging text boxes. Some of my favorite “side” topics were:
The book begins with four chapters familiarizing the reader with Windows networking. While this may slow down those hungry for forensics topics, they are replete with information. Windows domains, hacking methodology, and Windows credentials are all described in these early chapters. Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise. While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks. It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.