Sony Playstation Network Hack

Cidox

Kaspersky Lab recently provided an interesting writeup of a scareware rootkit that infects both the Master Boot Record (MBR) and the NTFS Volume Boot Record (VBR).

http://www.securelist.com/en/blog/517/Cybercriminals_switch_from_MBR_to_NTFS

The interesting part is that the Initial Program Loader (IPL) within the NTFS VBR is overwritten. The traditional method of looking only for modifications to the MBR and the code immediately following it is therefore not enough. A sanity check of the NTFS boot loader (NTLDR in XP and before, BOOTMGR in Vista and later) should also be performed.

A couple of great pages for detailed information on the MBR and NTFS VBR follow.

http://mirror.href.com/thestarman/asm/mbr/W7MBR.htm

http://mirror.href.com/thestarman/asm/mbr/VistaVBR.htm


Digitally signed malware on the rise http://bit.ly/pZZucD <-IR procedures need to adapt (via @) #DFIR
@chadtilbury
Chad Tilbury

Note: This post originally appeared on the SANS Forensics blog

As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted encrypted volumes. Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.


60 Seconds - Things That Happen On Internet Every Sixty Seconds

Infographic by Shanghai Web Designers

Hack Attack Infographic

“You can help your organization if you consider computer forensics as a new basic element in what is known as a ‘defense-in-depth’ approach to network and computer security.”

– US-CERT Whitepaper

http://bit.ly/ivshHn

Computer forensics growing part of Fed cybersecurity strategy

With more forensic books hitting the shelves, I find myself prioritizing those by authors I know and trust. I have worked with Cory Altheide and he is an extremely talented forensic professional with a passion for open source tools. Not surprisingly, I would not categorize this as a beginner book. Open source tools require a higher level of interaction than their commercial counterparts, but are a great way to take your forensic skills to the next level. While teaching, I often see students frustrated that there is no one tool that can do it all. Such a tool does not exist, no matter how much you are able to pay for it. Free and open source tools fill large gaps in the capabilities of commercial forensic suites and will continue to do so in the foreseeable future.


How-to guide for VMWare VMFS forensic recovery http://bit.ly/jb8rCX (via @) <- Must read for all ESX users
@chadtilbury
Chad Tilbury