In this week's Case Leads there is a bunch of new tools that might come in handy while handling incidents: PDF analysis, malware analysis, honeypots and Mac forensics! A sequel in a multi-part series on protecting our credentials while handling incidents. When some weird registry keys appear in log2timeline results, you discover an attack vector for manipulating the execution chain. More and more on Prefetch analysis... Challenging forensicators: the Honeynet Project publishes a cool challenge for fun and profit. More on that weird Duqu source code... guess what it is? When a digital lock refuses to unlock for the Feds, guess what they do? Stego techniques come to light again, this time using foreign languages! And finally, raids are not only in games: in real life, at The Pirate Bay.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:
- Low-interaction honeyclient Thug released! A new kind of honeypot that emulates a web browser (currently Internet Explorer personalities) so you can point it at suspicious URLs and capture what they try to do to the client, instead of waiting for attackers to come to a server-side honeypot.
- MANDIANT Redline v1.5 has arrived. For those who don't know it, it's a free utility that accelerates the triage of hosts suspected of being compromised or infected, and supports in-depth live memory analysis.
- BlackLight 2012 R1 released!! - BlackBag Technologies has released BlackLight 2012 R1 with significant new features. The new release has added Metadata File Filtering, L01 image support, Enhanced Evidentiary Data Export, Custom Hash Set Creation and Multiple Hash Set Data Processing, as well as Positive and Negative Hash Value File Filtering.
- Didier Stevens updated his PDFiD and pdf-parser. The major change is that both tools now support Python 3 as well; there are also a couple of bug fixes and new features contributed by his readers. These tools belong in every investigator's and incident responder's arsenal for dealing with malicious PDF files.
Good Reads:
- For investigators and incident responders who want to protect their privileged account credentials when interacting with compromised hosts, this is the 4th in a multi-part series on the topic of "Protecting Privileged Domain Accounts".
- Realization of the 'manipulate execution chain' concept.
- Prefetch Analysis, Revisited...Again...and Again...
- "Dive Into Exploit", a new cool challenge from the Honeynet Project! These guys have made many informative challenges for the forensics community for fun and profit.
- It seems there is new info about the mystery of Duqu's source code: as more researchers looked into it, they identified it as C written in an object-oriented style rather than C++.
- When digital locks refuse to unlock...
- Steganography comes to light again, with foreign languages this time.
- Raiding The Pirate Bay, but not at the beach...
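To show what the PDFiD-style first pass mentioned under Tools actually does, here is an added example. It is my own code, not Didier Stevens' PDFiD or pdf-parser and not from the original Case Leads post: it counts the structural and active-content keywords in a PDF, resolving the #xx hex escapes that PDF name objects allow (so /J#61vaScript is counted as /JavaScript), and reports how many hits were hidden that way. The SAMPLE_PDF bytes are constructed for the demo, and the keyword list and the total(hidden) report format are my approximation of PDFiD's output, not its implementation.

```python
"""pdfid-style keyword triage for suspicious PDFs (added example, not PDFiD itself)."""
import re
import sys

# Keywords worth counting during triage. The first five describe document
# structure; the rest mark active content that a benign invoice rarely needs.
KEYWORDS = ["obj", "endobj", "stream", "endstream", "/Page", "/JS", "/JavaScript",
            "/AA", "/OpenAction", "/Launch", "/EmbeddedFile", "/RichMedia"]
ACTIVE_CONTENT = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
                  "/EmbeddedFile", "/RichMedia")

# PDF whitespace and delimiter characters; anything else is a "regular" character
# that can continue a name or keyword token.
DELIM = rb"[\s\x00()<>\[\]{}/%]"
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript becomes /JavaScript.

    Malware authors use these (legal) escapes to hide keywords from naive grep-style
    scanners. Simplification: escapes are resolved everywhere, not only inside names.
    """
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def keyword_pattern(kw: str) -> re.Pattern:
    """Match kw as a whole token: it must end at a delimiter, whitespace or EOF
    (so /JS does not match /JSX and /Page does not match /Pages). Keywords that do
    not start with the '/' delimiter must also begin after one, so 'obj' does not
    match the tail of 'endobj'."""
    body = re.escape(kw.encode())
    lookbehind = b"" if kw.startswith("/") else rb"(?<![^\s\x00()<>\[\]{}/%])"
    return re.compile(lookbehind + body + rb"(?=" + DELIM + rb"|$)")


def count_keywords(data: bytes) -> dict:
    """Return {keyword: (total, hex_obfuscated)}: total is the count after
    normalisation, hex_obfuscated how many of those were hidden behind #xx escapes."""
    normalized = normalize_names(data)
    result = {}
    for kw in KEYWORDS:
        pat = keyword_pattern(kw)
        raw = len(pat.findall(data))
        total = len(pat.findall(normalized))
        result[kw] = (total, total - raw)
    return result


def triage(data: bytes) -> dict:
    """Flag active content and any keyword that only appeared after de-escaping."""
    counts = count_keywords(data)
    active = [kw for kw in ACTIVE_CONTENT if counts[kw][0] > 0]
    hidden = [kw for kw in KEYWORDS if counts[kw][1] > 0]
    return {"counts": counts, "active_content": active, "hex_obfuscated": hidden,
            "suspicious": bool(active or hidden)}


def report(data: bytes) -> str:
    """One line per keyword, total followed by (hidden) when escapes were used."""
    lines = []
    for kw, (total, hidden) in count_keywords(data).items():
        lines.append(f"{kw:<14}{total}" + (f"({hidden})" if hidden else ""))
    return "\n".join(lines)


# Constructed sample: a tiny PDF whose catalog fires JavaScript on open, with one
# of the two /JavaScript names hex-escaped the way in-the-wild droppers do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('hi')) >>
endobj
5 0 obj
<< /Type /Action /S /J#61vaScript /JS 6 0 R >>
endobj
6 0 obj
<< /Length 12 >>
stream
app.alert(1)
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # Usage: python pdf_triage.py suspicious.pdf   (falls back to the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(report(data))
    print("suspicious:", triage(data)["suspicious"], triage(data)["active_content"])
```

On the sample this reports /JavaScript as 2(1): two occurrences, one of them only visible after the hex escape was resolved, which is by itself a strong hint that someone wanted the keyword hidden. Keep in mind that keywords inside compressed (FlateDecode) streams are invisible to any scan of this kind, which is exactly why a keyword count is only the first pass and pdf-parser is needed to inflate and walk the objects afterwards.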
Coming Events:
- SANS 2012 - Orlando, Florida - March 23 - 30, 2012
- Euro Forensic 2012 - Istanbul, Turkey - March 29 - 31, 2012
- 13th Annual CERIAS Information Security Research Symposium - Purdue University, West Lafayette, IN - April 03 - 04, 2012
- SANS Northern Virginia 2012 - Reston, VA - April 15 - 20, 2012
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - San Jose, CA - April 24th, 2012
- SANS Cyber Guardian 2012 - Baltimore, MD - April 30 - May 7, 2012
- SANS AppSec 2012: Summit & Training - Las Vegas, NV - April 24 - May 2, 2012
- 7th ACM Symposium on Information, Computer and Communications Security - Seoul, South Korea - May 1 - 3, 2012
- SANS Secure Europe 2012 Amsterdam - Amsterdam, Netherlands - May 5 - 19, 2012
- AccessData User's Conference - Las Vegas, NV - May 08 - 10, 2012
- SANS Security West 2012 - San Diego, CA - May 10 - 18, 2012
- 14th Information Hiding Conference - Berkeley, CA - May 15 - 18, 2012
- IEEE Symposium on Security & Privacy - San Francisco, CA - May 20 - 23, 2012
- Computer Enterprise and Investigation Conference - Summerlin, NV - May 21 - 24, 2012
- SANS Brisbane 2012 - Brisbane, Australia - May 21 - 26, 2012
- 2012 ADFSL Conference on Digital Forensics, Security and Law - Richmond, VA - May 30 - 31, 2012
- Techno Security 2012 - Myrtle Beach, SC - June 03 - 06, 2012
- Mobile Forensics Conference - Myrtle Beach, SC - June 03 - 06, 2012
- 27th IFIP International Information Security and Privacy Conference - Heraklion, Crete, Greece - June 04 - 06, 2012
- Audio Engineering Society Audio Forensics - Denver, CO - June 14 - 16, 2012
- 24th Annual FIRST Conference - Malta - June 17 - 22, 2012
- SANS Forensics and Incident Response Summit - Austin, TX - June 20 - 27, 2012
- SANS Canberra 2012 - Canberra, Australia - July 2 - 10, 2012
- SANSFIRE 2012 - Washington, DC - July 6 - 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) - Washington, DC - July 11 - 13, 2012
Call for Papers:
- High Tech Crime Investigation Association (HTCIA) International Conference and Training Expo - Due Date - Sep 16, 2012
- EuroForensics 3rd International Forensic Sciences Conference & Exhibition - Due Date - Mar 29, 2012
- European Symposium on Research in Computer Security (ESORICS) 2012 - Due Date - Mar 31, 2012
- 15th Research in Attacks, Intrusions and Defenses - Due April 06, 2012
- 2012 Sleuth Kit and Open Source Digital Forensics Conference- Due Date April 16, 2012
- 7th USENIX Workshop on Hot Topics in Security (HotSec '12) - Due May 07, 2012
- 7th IEEE LCN Workshop on Security In Communication Networks - Due May 12, 2012
- Grrcon - Due June 01, 2012
- Applied Computer Security Applications Conference - Due Jun 01, 2012
- 4th International Conference on Digital Forensics & Cyber Crime - Due Jun 01, 2012
- IEEE International Workshop on Information Security and Forensics - Due Jun 24, 2012
- 2012 secau Security Congress - Due Sep 30, 2012
Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.
Digital Forensics Case Leads for 20120323 was compiled by Maher Yamout GCFA
