In this edition of SANS Case Leads we have petabytes of #DFIR tools, reads, news, and levity to stimulate your analytical juices and warm up your processors. Get your dongles out 'cause AccessData has updates, and we've got more breaches to investigate! Dongleless? I got you covered with a brew of Python, Perl and EXE kung foo. If you ain't forensicating, let the bandwidth flow on DFIRonline or vote for the next prez in the Forensic 4cast Awards.
Tools:
- New AccessData product releases including Forensic Toolkit (FTK) and FTK Pro v4.0.1, FTK Imager v3.1.0, AD ECA v4.3.0 and AD Lab v4.0.1, AD eDiscovery v3.4.0, and AD Enterprise v4.0.1. Check out the release notes and key feature enhancements for all the details. Make sure to check out the new Cerberus and Visualization modules if you haven't already; they're pretty sweet!
- Mandiant discovered some cool cache data in the Windows Registry generated by the Windows Application Compatibility Database. Depending on the operating system version this data can include file names, size, last modified times, and last execution time. Mandiant released a proof-of-concept Python script, Shim Cache Parser that extracts this awesome forensic evidence from the Windows Registry. More information can be found in the white paper. Python is great!!
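The Application Compatibility cache Mandiant describes is a single binary registry value, so a parser has to know the per-OS layout. As an added example (not Mandiant's Shim Cache Parser and not code from this post), the Python below parses the layout I assume here for Windows 7 / Server 2008 R2 32-bit: a 128-byte header holding a 0xBADC0FEE signature and entry count, 32-byte entries whose offsets point at UTF-16LE paths, and insert-flag bit 0x2 marking that the program actually ran. It runs over a constructed sample value; the XP and 64-bit layouts differ and are rejected rather than guessed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout assumed here (Windows 7 / Server 2008 R2, 32-bit): a 128-byte header
# holding a 0xBADC0FEE signature and the entry count, then fixed-size entries
# whose path offsets point at UTF-16LE strings stored later in the value data.
WIN7_MAGIC = 0xBADC0FEE
HEADER_SIZE = 0x80
ENTRY_FMT = "<HHLQLLLL"  # path len, max len, path off, FILETIME, insert flags, shim flags, data size, data off
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32 bytes
CSRSS_FLAG = 0x2  # insert-flag bit that marks the entry as actually executed
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """100-ns FILETIME count -> aware UTC datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH  # integer arithmetic so large counts stay exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_appcompatcache(data):
    """Return [{path, last_modified, executed}, ...] from a raw AppCompatCache value."""
    magic, count = struct.unpack_from("<LL", data, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("unexpected signature 0x%08X (only Win7 32-bit handled)" % magic)
    entries = []
    for i in range(count):
        length, _maxlen, off, ft, insert_flags, _shim, _dsize, _doff = \
            struct.unpack_from(ENTRY_FMT, data, HEADER_SIZE + i * ENTRY_SIZE)
        if off + length > len(data):  # refuse to trust an offset that leaves the blob
            raise ValueError("entry %d points outside the value data" % i)
        entries.append({"path": data[off:off + length].decode("utf-16-le"),
                        "last_modified": filetime_to_dt(ft),
                        "executed": bool(insert_flags & CSRSS_FLAG)})
    return entries

def build_sample_cache(records):
    """Build a synthetic value (constructed test data, not from a real system)."""
    table = bytearray(HEADER_SIZE + ENTRY_SIZE * len(records))
    struct.pack_into("<LL", table, 0, WIN7_MAGIC, len(records))
    strings = bytearray()
    for i, (path, when, executed) in enumerate(records):
        enc = path.encode("utf-16-le")
        struct.pack_into(ENTRY_FMT, table, HEADER_SIZE + i * ENTRY_SIZE, len(enc), len(enc) + 2,
                         len(table) + len(strings), dt_to_filetime(when), CSRSS_FLAG if executed else 0, 0, 0, 0)
        strings += enc + b"\x00\x00"
    return bytes(table + strings)

SAMPLE = build_sample_cache([
    (r"\??\C:\Windows\System32\cmd.exe", datetime(2012, 4, 1, 12, 30, tzinfo=timezone.utc), True),
    (r"\??\C:\Users\alice\Downloads\setup.exe", datetime(2012, 4, 20, 8, 5, tzinfo=timezone.utc), False)])
```

On a live case, the value to feed in is the raw AppCompatCache data from the SYSTEM hive's Session Manager key, and the last-modified timestamps are the file's $STANDARD_INFORMATION times, not the moment of execution.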
- While I was sleeping, Harlan Carvey was "working on his first cup of coffee" and Perl hacking a new RegRipper plugin (tested on 32-bit Windows XP only) that incorporates Mandiant's findings above. This is a great example of how powerful RegRipper can be, and it should encourage others to help grow the library of RegRipper plugins. Harlan has shared the plugin and it can be downloaded here.
- HMFT released a simple tool, HMFT, that extracts the $MFT from a given drive or disk image to a file in any location (including a removable drive).
- Digital Forensics Solutions LLC dropped LiME Forensics. LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network.
- Brent Skumlien released ParseRacWMI, a command-line utility to parse the data available from the Windows 7 Reliability Monitor. This artifact can contain goodies about software installations, blue screen bugchecks, device installs, and unexpected shutdowns. Kudos to Ted Scott for mentioning this treasure trove.
- Heads up (or maybe you plan on using it, lol): Retina-X Studios, LLC, announced the release of what they're calling the "world's first spy software" for tablets.
- Also, updates to the Automated Triage utility (by Michael Ahrendt) and the libewf library; check 'em out.
- If you were busy doing #DFIR and didn't have time to watch DFIRonline, Kevin Ripa discussed data recovery and its role in computer forensics and Meila Kelley discussed case experience. Check the site out for recorded versions of these and other past presentations.
- Richard Bejtlich posted an article on the M-unition blog sharing Mandiant's perspective on comments to the effect that "Every major company in the United States has already been penetrated by China," or "there are two kinds of Fortune 500 companies: those that know they've been hacked, and those that don't yet know". This reminds me of the bumper sticker I have on my car from HBGary that says "MY KID HACKED YOUR HONOR STUDENT'S GRADES FOR LUNCH MONEY".
- Bank Info Security interviewed Bob Carr, CEO of Heartland Payment Systems, on breach response. According to Carr, 'Anyone That Thinks They're Not Going to be Breached is Naive'.
- Harlan Carvey bloggin' about Metadata.
- The Federal Circuit denied Google's sixth attempt to claim attorney-client privilege (or confidential status) for a potentially devastating email that the company inadvertently produced during electronic data discovery in Oracle's $1 billion patent infringement suit over Google's Android platform. Read more about it on Law Technology News.
- Lee Whitfield has decided to create Forensic 4cast Magazine, an online magazine for #DFIR nerds. He is currently aiming to publish the first article no later than June. He is welcoming Case Studies, Research, Reviews, interviews, interesting artifacts, hints and tips, etc.
- If you are unfamiliar with the DFIR Search, it's a custom Google search that only searches #DFIR blogs, websites, and online resources. Anyways, it was updated this week. If you want to know exactly what it's searching, check out the index.
- Atlanta's Emory Healthcare recently admitted having lost 10 backup disks containing personal data on approximately 315,000 patients.
- Medicaid hack update: 500,000 records and 280,000 SSNs stolen. Check it out: http://www.zdnet.com/blog/security/medicaid-hacked-over-181000-records-and-25000-ssns-stolen/11432
- US charges Russian over $1.45 million hacking scheme. A Russian national has been charged in the U.S. for allegedly hacking into brokerage accounts and executing fraudulent trades. Four brokerage firms claim the scheme caused a combined $1 million in losses. http://www.zdnet.com/blog/security/us-charges-russian-over-145-million-hacking-scheme/11631
- Trying to get your Pr0n back from Megaupload? Read about the developments in the news.
- Unconfirmed: the FBI seized a server providing an anonymous remailer and many other services from a colocation facility.
- First, he warned of the security flaw in Iran's banking system. Then he provided them with 1,000 bank account details. When they didn't listen, he hacked 3 million accounts across at least 22 banks. So that's what you need to do to get some f$%ing attention these days!? Read more about it. I don't know about you, but I would have just gotten naked at the TSA checkpoint like this guy did to make the point.
- Don't forget to vote (me/david nides) for Forensic 4cast Awards if you haven't already. Then again, maybe the Alternative Forensic Awards better suits your liking.
- I guess when people can't hack computers, they hack phones and it's a SCANDAL!
Coming Events:
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - San Jose, CA - April 24th, 2012
- SANS Cyber Guardian 2012 - Baltimore, MD - April 30 - May 7, 2012
- SANS AppSec 2012: Summit & Training - Las Vegas, NV - April 24 - May 2, 2012
- 7th ACM Symposium on Information, Computer and Communications Security - Seoul, South Korea - May 1 - 3, 2012
- SANS Secure Europe 2012 Amsterdam - Amsterdam, Netherlands - May 5 - 19, 2012
- AccessData User's Conference - Las Vegas, NV - May 08 - 10, 2012
- SANS Security West 2012 - San Diego, CA - May 10 - 18, 2012
- 14th Information Hiding Conference - Berkeley, CA - May 15 - 18, 2012
- IEEE Symposium on Security & Privacy - San Francisco, CA - May 20 - 23, 2012
- Computer Enterprise and Investigation Conference - Summerlin, NV - May 21 - 24, 2012
- SANS Brisbane 2012 - Brisbane, Australia - May 21 - 26, 2012
- 2012 ADFSL Conference on Digital Forensics, Security and Law - Richmond, VA - May 30 - 31, 2012
- Techno Security 2012 - Myrtle Beach, SC - June 03 - 06, 2012
- Mobile Forensics Conference - Myrtle Beach, SC - June 03 - 06, 2012
- 27th IFIP International Information Security and Privacy Conference - Heraklion, Crete, Greece - June 04 - 06, 2012
- Audio Engineering Society Audio Forensics - Denver, CO - June 14 - 16, 2012
- 24th Annual FIRST Conference - Malta - June 17 - 22, 2012
- SANS Forensics and Incident Response Summit - Austin, TX - June 20 - 27, 2012
- SANS Canberra 2012 - Canberra, Australia - July 2 - 10, 2012
- SANSFIRE 2012 - Washington, DC - July 6 - 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) - Washington, DC - July 11 - 13, 2012
Call for Papers:
- 7th USENIX Workshop on Hot Topics in Security (HotSec '12) - Due May 07, 2012
- 7th IEEE LCN Workshop on Security In Communication Networks - Due May 12, 2012
- Grrcon - Due June 01, 2012
- Applied Computer Security Applications Conference - Due Jun 01, 2012
- 4th International Conference on Digital Forensics & Cyber Crime - Due Jun 01, 2012
- IEEE International Workshop on Information Security and Forensics - Due Jun 24, 2012
- 2012 secau Security Congress - Due Sep 30, 2012
About the author:
David Nides is a Senior Associate in KPMG's Forensic Technology Services practice in Chicago, IL. He currently plays a lead role in developing and delivering KPMG's Incident Response services, consulting for clients globally on APT, data breach, and other cyber crime investigations. You can follow David on Twitter @davnads or at his forensic blog.

Posted April 22, 2012 at 2:22 AM | Permalink | Reply
Tom Yarrish
Um, it's libewf not libewtf...
(although I guess it could be depending on your opinion of the E01 format. :) )
Posted April 22, 2012 at 5:05 PM | Permalink | Reply
Mark McKinnon
This has now been fixed.... Thanks.