SANSFIRE is in downtown Washington D.C. this year and I am excited to be teaching Forensics 508: Advanced Forensics and Incident Response. The 508 class has recently undergone a major revision and continues to live up to its name. F-Response Tactical is now free with the course and we have a couple of exercises to put it through the paces. My favorite is using F-Response to mount live memory (on a remote system) and perform on-the-fly analysis using Volatility memory analysis tools. If you will be there, let me know!
A Fistful of Dongles (AFoD) is an eclectic mix of all things digital forensic. Eric Huber is the primary author and is a talented analyst and knowledgeable resource. Eric’s law enforcement and corporate background provide excellent insight into current events within the forensic community. He clearly has a passion for the field and it shows in the entertaining posts. AFoD has quickly become a staple on my reading list.
Link: A Fistful of Dongles
UPDATE: A Fistful of Dongles was awarded the Forensic 4Cast Best Digital Forensics Blog for 2011. Congratulations Eric!
I am a big fan of Mandiant Memoryze for memory forensic analysis. With support for Windows systems from 2000 SP4 to 2008 R2 and ever increasing features to flag potential evil, it is hands down the best free tool available for the job. Its only downside up to this point has been the steep learning curve required by the user interface. Enter Redline. Redline replaces AuditViewer as the front-end to Memoryze and truly brings memory analysis capability to the masses. What excites me most about this tool is that it dramatically lowers the bar for individuals trying to get started with memory forensics. Chalk one up for the good guys.
Note: This post originally appeared on the SANS Forensics blog
As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love Microsoft Log Parser.
Log Parser is often misunderstood and underestimated. It could possibly be the best forensic analysis tool ever devised. Imagine having the ability to take almost any chunk of data and quickly search it using SQL-based grammar. That’s Log Parser in a nutshell. It is a lightweight SQL-based search engine that operates on a staggering number of different input types (see Figure 1). Yes, I know that tools like Splunk and Sawmill are built around this same idea, but keep in mind that Log Parser was written in the year 2000. I am constantly amazed at the power it affords the forensic analyst, and you can’t beat the price (free). Save perhaps memory analysis, there isn’t much it can’t accomplish for an incident responder.
In my mind, two things have limited the use of Log Parser in the forensics community: the command-line requirement and the fear of SQL queries. Neither is much of an obstacle, and since this is a how-to, let’s debunk both.