This week's cornucopia of forensic goodness so thoroughly defies summary that I nearly gave up writing an introduction. But a few things do merit particular emphasis. First, the second DFIROnline meetup takes place tonight at 20:00 EST. Luminaries Harlan Carvey and Eric Huber will be presenting. Before then, however, you may want to take some time to read up on how Microsoft and Guidance Software will soon be changing our lives. Microsoft has published some information on its new ReFS file system, while Guidance Software has released details for its new EnCase Evidence File Format v2 (Ex01). Both of these will inevitably require some adjustment in the months and years ahead.
If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org.
Announcements:
- The next DFIROnline meetup will be held Jan 19, at 20:00 EST. Harlan Carvey will present "Malware detection within an acquired image", and Eric Huber will present "The Advanced Persistent Threat or: How I Learned to Stop Worrying and Love DF/IR." Recordings of previous meetups are also available.
- Nominations for the 2012 Forensic 4cast awards are now open. Please take the time to nominate your favorites and help to recognize the people who contribute so much to the DFIR community.
- Our own Dave Hull has released several interesting Python scripts recently that apply statistical analysis to Sleuth Kit fls output, in a unique attempt to identify malware within a file system. These scripts were all mentioned separately in some of Dave's recent posts, but I thought it worthwhile to pull them all together here to draw more attention. You will also want to read the related posts, if you haven't already: Atemporal Time Line Analysis in Digital Forensics, Outlier Analysis in Digital Forensics, Digital Forensics: UID and GID Distributions, and Metadata Distributions in Computer Forensics.
- Michael Ahrendt recently released an interesting-looking "Automated Triage Utility," written in the AutoIT scripting language. It is a GUI-driven data collection utility designed for live system response. In this regard, it reminds me a lot of Monty McDougal's Windows Forensic Toolchest. They differ in UI and programming language, but aim at the same objective.
- Many of us use a virtualized instance of Windows XP for various analysis purposes. However, as Lenny Zeltser recently pointed out, licensed copies of Windows XP are becoming increasingly rare. In his post Using Free Windows XP Mode as a VMWare Virtual Machine, Lenny explains how to obtain a free virtualized instance of Windows XP from Microsoft (assuming you already have Windows 7 Professional, Enterprise, or Ultimate on your base system) and convert it from Virtual PC to VMWare if desired.
- During a recent browser history examination, a user's search history became particularly relevant. In trying to make sense of some of the URL parameters, I happened across Google Search URL Parameters — Query String Anatomy by Ann Smarty over at BlueGlass Interactive. While the table she provides is not complete, it did prove most helpful in dissecting the Google Search URL string. If anyone else has useful references on this matter, I would appreciate hearing about them in the Comments section.
- The University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.
- Earlier this week, on the Building Windows 8 blog, Microsoft provided some of the first details regarding their new ReFS (Resilient File System) in the post Building the next generation file system for Windows: ReFS. While the post doesn't provide nearly the level of detail forensicators will eventually need, it is a good and relatively deep introduction to Microsoft's newest file system. According to the post, ReFS will first be implemented as a storage file system for Windows Server, then for clients, before ultimately becoming a bootable file system for both server and client.
- Erika Noerenberg recently posted a brief head-to-head review of four Network Forensic Analysis Tools that is worth a read. She shares her impressions and experiences while testing NetWitness Investigator (freeware version), Xplico, Solera DeepSee, and NetworkMiner. Specifically, her comparison of features will prove helpful if you're looking for the right tool for your particular job.
- Last week, Guidance Software released the technical details for their new EnCase Evidence File Format v2 (Ex01). Registration is required to download the whitepaper, or it can be downloaded from their Support portal if you already have a support account.
- AccessData has announced dates for their FTK 4 World Tour, and registration for some dates is now open. If you're looking for a preview of the new version, here's your chance.
- InfraGard Arizona "Social Engineering" Event: AGENT SADDAM, An Inside Look at FBI Special Agent George Piro's Interrogation of Saddam Hussein - Phoenix, Arizona - January 23rd, 6-9 PM
- North American SCADA 2012 - Lake Buena Vista, FL - January 21 - 29, 2012
- DoD Cyber Crime Conference 2012 - Atlanta, GA - January 20th - 27th, 2012
- SANS Monterey 2012 - Monterey, California - January 30th - February 4th, 2012
- SANS Phoenix 2012 - Phoenix, Arizona - February 13 - 18, 2012
- RSA Conference 2012 - San Francisco, CA - February 26 - 27, 2012
- SANS Secure Singapore 2012 - Singapore, Singapore - March 05 - 17, 2012
- Mobile Device Security Summit - Nashville, TN - March 12 - 15, 2012
- 12th Annual CanSecWest Conference - Vancouver, British Columbia, Canada - March 9 - 11, 2012
- SANS 2012 - Orlando, Florida - March 23 - 30, 2012
- Euro Forensic 2012 - Istanbul, Turkey - March 29 - 31, 2012
- SANS Northern Virginia 2012 - Reston, VA - April 15 - 20, 2012
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - San Jose, CA - April 24th, 2012
- SANS AppSec 2012: Summit & Training - Las Vegas, NV - April 24 - May 2, 2012
- 2012 Conference on Digital Forensics, Security and Law - Due Date - Jan 31, 2012
- 14th Information Hiding Conference - Due Date - Feb 05, 2012
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - Due Date - Feb 13, 2012
- ARES Conference - Due Date - Mar 01, 2012
- Symposium On Usable Privacy and Security - Due Date - Mar 09, 2012
- European Symposium on Research in Computer Security (ESORICS) 2012 - Due Date - Mar 31, 2012
Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.
Digital Forensics Case Leads for 20120119 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Gregory also contributes book and product reviews to Digital Forensics Magazine and InfoSecReviews.com.

Posted January 19, 2012 at 7:44 PM
john
w00h00.... tonight's talks look tasty!!!! can't wait!