In this week's edition of Case Leads we have a how-to for Bulk_extractor's find feature, first impressions on the new database options in FTK, an extension for log2timeline for parsing the cache in Firefox, the Verizon data breach report, and statements by current and former US government officials about Stuxnet and China.
If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org.
Tools:
- Bulk_extractor is a tool that is periodically mentioned on the blog. Simson Garfinkel posted a brief how-to that demonstrates the use of bulk_extractor in finding keywords in a disk image. The post explains why bulk_extractor is better (in some cases) than strings and grep; part of the reason is that bulk_extractor parses compressed files, so a keyword stored inside compressed data is still found.
- FTK 4.0 by AccessData has received some attention as it now provides the option of using PostgreSQL over Oracle. This article captures some of the first impressions of that switch.
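The point about compressed data is easy to demonstrate. The following is an added example, not code from the Case Leads post, from Simson Garfinkel's how-to, or from bulk_extractor itself: it builds a small constructed in-memory "image" that holds a keyword once in plain text and once inside a gzip member, then compares a plain byte search (what strings piped to grep would find) with a search that also decompresses every gzip stream it locates, which is the kind of recursive scanning bulk_extractor performs. The keyword, the filler bytes and the memo text are all constructed sample data.

```python
"""Why a raw byte search misses keywords stored inside compressed data.

Added example (not from the Case Leads post or from bulk_extractor).
All input is constructed inline so the script runs offline.
"""
import gzip
import re
import zlib
from typing import Iterator, List, Tuple

# Magic bytes that open a gzip member (ID1, ID2, CM=deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"
# Upper bound on decompressed output per member, a simple guard against
# decompression bombs when scanning untrusted images.
MAX_INFLATE = 1 << 20


def build_image(keyword: bytes) -> bytes:
    """Constructed sample image: filler, one plaintext hit, filler, one gzip
    member whose decompressed contents contain the keyword, then filler."""
    plain = (b"\x00" * 64 + b"meeting notes: " + keyword
             + b" was discussed\n" + b"\xff" * 32)
    # Repetitive text so deflate clearly prefers Huffman coding over a
    # stored block; the keyword therefore never appears as literal bytes.
    memo = (b"internal memo: project " + keyword + b" budget approved\n"
            + b"routine status line, nothing to report\n" * 6)
    return plain + b"\x00" * 48 + gzip.compress(memo) + b"\x00" * 64


def search_raw(image: bytes, keyword: bytes) -> List[int]:
    """Plain byte search: the strings/grep approach. Returns byte offsets."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def iter_gzip_members(image: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, decompressed_bytes) for each gzip stream in the image.

    Every occurrence of the magic bytes is tried; sequences that are not a
    real stream fail in zlib and are skipped."""
    pos = 0
    while True:
        idx = image.find(GZIP_MAGIC, pos)
        if idx < 0:
            return
        # 16 + MAX_WBITS tells zlib to expect and skip the gzip header.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            out = inflater.decompress(image[idx:], MAX_INFLATE)
        except zlib.error:
            out = b""  # false-positive magic bytes
        if out:
            yield idx, out
        pos = idx + 1


def search_recursive(image: bytes, keyword: bytes) -> List[Tuple[str, int]]:
    """Raw hits plus hits inside decompressed gzip members.

    Each hit is (source, offset): source is "raw" for the image itself or
    "gzip@<member offset>" for a hit inside a decompressed member, and offset
    is relative to that source."""
    hits = [("raw", off) for off in search_raw(image, keyword)]
    for member_off, data in iter_gzip_members(image):
        for m in re.finditer(re.escape(keyword), data):
            hits.append((f"gzip@{member_off}", m.start()))
    return hits


if __name__ == "__main__":
    kw = b"PROJECTX"
    img = build_image(kw)
    print("raw search hits:      ", search_raw(img, kw))
    print("recursive search hits:", search_recursive(img, kw))
```

Running it shows one hit from the raw search and two from the recursive one; the second hit is reported against the decompressed member rather than the image, which is also how a carving tool has to report such findings, since the keyword has no byte offset in the image itself. Real images need the same treatment for zip, PDF streams and other containers, each with its own header signature and decoder.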
Good Reads:
- Verizon released its annual Data Breach Investigations Report covering 2011. (There is also an archive of previous years' reports.) The information in these reports can be useful in honing and measuring your organization's approach to security. As an example, the reports typically measure or estimate how long it took to penetrate an organization and how much time elapsed before the organization detected the attack. That type of information can be used to gauge a SOC or to establish a log retention policy.
- This could also be filed under "Tools" but it's certainly a good read if your investigation involves Firefox and malware. The article addresses an extension to Kristinn Gudjonsson's log2timeline application that enables it to better parse the Firefox cache.
News:
- The director of the NSA tells Congress that China is the prime suspect in the RSA incident in March 2011.
- Richard Clarke, former US counterterrorism czar, speculates that the US created Stuxnet and that China has compromised most major organizations in the US.
Levity:
- Social media share button humor.
- Insane statements as a function of proximity to certain pets.
Coming Events:
- 13th Annual CERIAS Information Security Research Symposium - Purdue University, West Lafayette, IN - April 03 - 04, 2012
- SANS Northern Virginia 2012 - Reston, VA - April 15 - 20, 2012
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - San Jose, CA - April 24th, 2012
- SANS Cyber Guardian 2012 - Baltimore, MD - April 30 - May 7, 2012
- SANS AppSec 2012: Summit & Training - Las Vegas, NV - April 24 - May 2, 2012
- 7th ACM Symposium on Information, Computer and Communications Security - Seoul, South Korea - May 1 - 3, 2012
- SANS Secure Europe 2012 Amsterdam - Amsterdam, Netherlands - May 5 - 19, 2012
- AccessData User's Conference - Las Vegas, NV - May 08 - 10, 2012
- SANS Security West 2012 - San Diego, CA - May 10 - 18, 2012
- 14th Information Hiding Conference - Berkeley, CA - May 15 - 18, 2012
- IEEE Symposium on Security & Privacy - San Francisco, CA - May 20 - 23, 2012
- Computer Enterprise and Investigation Conference - Summerlin, NV - May 21 - 24, 2012
- SANS Brisbane 2012 - Brisbane, Australia - May 21 - 26, 2012
- 2012 ADFSL Conference on Digital Forensics, Security and Law - Richmond, VA - May 30 - 31, 2012
- Techno Security 2012 Myrtle Beach, SC - June 03 - 06, 2012
- Mobile Forensics Conference - Myrtle Beach, SC - June 03 - 06, 2012
- 27th IFIP International Information Security and Privacy Conference - Heraklion, Crete, Greece - June 04 - 06, 2012
- Audio Engineering Society Audio Forensics - Denver, CO - June 14 - 16, 2012
- 24th Annual FIRST Conference - Malta - June 17 - 22, 2012
- SANS Forensics and Incident Response Summit - Austin, TX - June 20 - 27, 2012
- SANS Canberra 2012 - Canberra, Australia - July 2 - 10, 2012
- SANSFIRE 2012 - Washington, DC - July 6 - 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) - Washington, DC - July 11 - 13, 2012
Call for Papers:
- Shakacon IV - Honolulu, Hawaii - Due Date - Mar 31, 2012
- European Symposium on Research in Computer Security (ESORICS) 2012 - Due Date - Mar 31, 2012
- 15th Research in Attacks, Intrusions and Defenses - Due April 06, 2012
- 2012 Sleuth Kit and Open Source Digital Forensics Conference - Due Date April 16, 2012
- 7th USENIX Workshop on Hot Topics in Security (HotSec '12) - Due May 07, 2012
- 7th IEEE LCN Workshop on Security In Communication Networks - Due May 12, 2012
- Grrcon - Due June 01, 2012
- Applied Computer Security Applications Conference - Due Jun 01, 2012
- 4th International Conference on Digital Forensics & Cyber Crime - Due Jun 01, 2012
- IEEE International Workshop on Information Security and Forensics - Due Jun 24, 2012
- 2012 secau Security Congress - Due Sep 30, 2012
Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.
Digital Forensics Case Leads for 20120330 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and, when the incidents permit, he is involved in aspects of information security ranging from Data Loss Prevention to Risk Analysis.