Blog

This month we're nearing the end of the flood of plugins for the Volatility memory analysis framework, we got a big update to the archive of RegRipper plugins and heard two tales of security companies with major security woes, one of which was self-inflicted.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

• RTFScan is now part of the OfficeMalScanner Toolkit. Pick it up at http://reconstructer.org. You can take a look at examples of its usage in an ISC Diary entry from earlier this month.
• 
  
  API Monitor provides a very convenient way for observing and controlling the API calls made by processes in your malware analysis lab.
• 
  
  Exeinfo PE identifies common packers, similarly to PEiD. In addition, it can identify some non-executable file formats (such as OLE), can carve files out of other files and can suggest unpacking tools.
• 
  
  FakeNet conveniently intercepts network traffic and simulates common services on a Windows host. (HT to @lennyzeltser for those three tool tips above).
• The Month of Volatility Plugins is coming to a close (October 5th). Be sure and review all the plugins released so far month at the Volatility Blog. There have been plugins released to analyze clipboard data, internet history, caches and much more.
• This week the RegRipper plugins archive was also updated to add 30 new plugins and update six more.

• Case Leads contributor Ira Victorinterviewed SANS Instructor and digital forensics lawyer Benjamin Wright about a new approach to collecting and examining digital forensics data from cloud services. You can listen to the interview starting at the 15 min mark inEpisode 274 (this week's) of
  
  http://www.CyberJungleRadio.com. In that same episode is a story about a new program by law enforcement to "tag" mobile devices, and how that might impact future criminal and civil cases.
• Did the Bahraini government steal commercial malware to spy on dissidents?
• VirusTotal has added "Webutation" (web reputation) to its reports.

• The folks who maintain phpMyAdmin have announced that their SourceForge downloads had a backdoor slipped into them.
• Sophos joined its competitors and issued an update that blocked components of its own software and other updaters as malicious. (Sophos has promised a public post-mortem and root cause analysis).
• Adobe plans to revoke some code signing certificates on October 4, 2012 following a compromise of one of their build systems that has access to their code-signing infrastructure.

• Hazards of password reuse.
• Information security reactions - a visual guide. (Adult language and themes)

• 3rd Annual Sleuth Kit and Open Source Digital Forensics Conference - Chantilly, VA - Oct 2 - 3, 2012 (See you all there!!!)
• SANS Cybercon 2012 - Online Virtual Conference - Oct 8 - 13, 2012
• International Conference on Security in Computer Networks and Distributed Systems (SNDS'12) - Trivandrum, India - Oct 11 - 12, 2012
• SANS Seattle 2012 - Seattle, WA - Oct 14 - 19, 2012
• 4th International Conference on Digital Forensics & Cyber Crime - West Lafayette, IN - Oct 24 - 28, 2012
• SANS Chicago 2012 - Chicago, IL - Oct 27 - Nov 5, 2012
• Paraben Forensic Innovations Conference - Park City, UT - Nov 3- 7, 2012
• SANS San Diego 2012 - San Diego, CA - Nov 12 - 17, 2012
• SANS San Antonio 2012 - San Antonio, TX - Nov 27 - Dec 2, 2012
• Forensics@NIST 2012 - Rockville, MD - Nov 28 - 30, 2012
• IEEE International Workshop on Information Forensics and Security - Tenerife, Spain - Dec 2 - 5, 2012
• 2012 secau Security Congress - Perth, Western Australia - Dec 3 - 5, 2012
• SANS Cyber Defense Initiative 2012 - Washington, DC - Dec 7 - 16, 2012
• SANS Mobile Device Security Summit - Anaheim, CA - Jan 7 - 14, 2013
• SANS Virtualization & Cloud Computing Summit - Anaheim, CA - Jan 7 - 14, 2013

• 2012 secau Security Congress - Due Sep 30, 2012
• 10th Australian Digital Forensics Conference - Due Sep 30, 2012

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 20120929 was compiled by Rob Dewhirst (@robdew) GCFA, GCIH, CISSP. Rob is a security analyst and CSIRT lead for a Tier I research University in the midwest and a private DFIR consultant.