Blog

This week's edition of Case Leads covers an interview about the Onity Hotel lock oopsie, an oopsie involving overlooked artifacts in the Casey Anthony trial, the oopsie of dumping lots of confidential confetti at a parade, and the findings of the investigation into the Palmetto state oopsie. Many great tool updates (OllyDbg, bulk_extractor) and some new releases as well.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

• OllyDbg 2.01H has been released. One of the biggest changes is a major update to the plugin interface. Read more about it on the OllyDbg version history page.
• Late last month Tableau quietly released an update to their free TIM software imager. It includes many bug fixes and some enhancements like the ability to save an image to a UNC path.
• Patrick Olsen has released a (non) framework for Python designed to aid in browser forensics. It's called BARFF.
• Harlan Carvey has moved the location of Forensics Scanner to GitHub
• For the past few weeks Philippe Lagadec has been working on python-oletools, a package of tools to analyze Microsoft OLE2 files. There are tools to browse OLE files, check for suspicious characteristics, analyze embedded Flash objects and more.
• Didier Stevens has updated his relatively new AnalyzePESig tool that is used to analyze the signature of Windows PE files.
• Maria DeGrazia has released GA Cookie Cruncher, a tool for parsing Google Analytics Cookies. These cookies can contain a lot of information about where someone has visited recently. It works on IE, Chrome, Safari (Mac) and Firefox browser stores. It's currently Windows-only, 64bit.
• Bulk_extractor has been updated to version 1.3.1. It has no new features but does fix some important bugs like performance issues with large stop lists and KML carving.

• Ken Pryor wrote up a good walkthrough on how to guess at the sector offset for the start of a volume when the partition table can't be read. Be sure to check the comments for at least one other method.
• 
  
  Attorney and lock security expert Marc Weber Tobias talks about the probable litigation surrounding the Onity Hotel lock breach. Mr. Tobias has spoken on lock security and litigation for nearly ten years at DefCon. He is interviewed by Ira Victor, fellow Case Leads Contributor and Co-Host of CyberJungle Radio. The segment begins at about the 19:30 mark on this week's CyberJungle Radio program, episode 283: http://www.CyberJungleRadio.
• M-Labs has a writeup on using precalculated hashes to aid in reverse engineering shellcode.
• Enisa has published the final part of their report: Proactive Detection of Security Incidents: Honeypots. PDF 144 Pages.
• Over at ForensicArtifacts.com, Matt Nelson has written up a list of artifacts left by the AxCrypt encryption app.
• Use the same techniques as rootkits to hide your malware analysis tools from malware.

• Mandiant released a public report (PDF) about the "mega breach" at the South Carolina Department of Revenue. Spoilers: Spearphishing and lack of encryption.
• Dubbed "Confettigate", investigations are underway as to how the confetti in the Macy's Thanksgiving Day parade contained confidential information about Mitt Romney's motorcade, SSNs of police officers and their friends, and police incident reports.
• Investigators overlooked a Google Search for "fool-proof suffcation" in the Casey Anthony trial.
• Koobface's author is back in business.

• IEEE International Workshop on Information Forensics and Security - Tenerife, Spain - Dec 2 - 5, 2012
• 2012 secau Security Congress - Perth, Western Australia - Dec 3 - 5, 2012
• SANS Cyber Defense Initiative 2012 - Washington, DC - Dec 7 - 16, 2012
• SANS Mobile Device Security Summit - Anaheim, CA - Jan 7 - 14, 2013
• SANS Virtualization & Cloud Computing Summit - Anaheim, CA - Jan 7 - 14, 2013
• SANS Security East 2013 - New Orleans, LA - Jan 16 - 23, 2013
• Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics - Orlando, FL - Jan 28 - 30, 2013
• SANS Delhi 2013 - New Delhi, India - Feb 11 - 22, 2013
• SANS Secure Singapore 2013 - Singapore, Singapore - Feb 25 - Mar 2, 2013
• RSA Conference 2013 - San Francisco, CA - Feb 28 - Mar 01, 2013
• The Second International Conference on Cyber Security, Cyber Warfare and Digital Forensic - Kuala Lumpur, Malaysia - Mar 4 - 6, 2013
• SANS 2013 - Orlando, FL - Mar 8 - 15, 2013
• IMF 2013 - 7th International Conference on IT Security Incident Management & IT Forensics - Mar 12 - 14, 2013
• CTIN 2013 Digital Forensics Conference - Seattle, WA - Mar 13 - 15, 2013
• SANS Secure Canberra 2013 - Canberra, Australia - Mar 18 - 23, 2013
• SANS Monterey 2013 - Monterey, CA - Mar 22 - 27, 2013
• SANS Northern Virginia 2013 - Reston, VA - Apr 8 - 13, 2013
• SANS Cyber Guardian 2013 - Baltimore, MD - Apr 15 - 20, 2013
• SANS Secure Europr 2013 - Amsterdam, Netherlands - Apr 15 - 27, 2013
• SANS CDK Seoul 2013 - Seoul, Korea, Republic of - Apr 22 - 27, 2013
• SANS Security West 2013 - San Diego, CA - May 9 - 14, 2013
• SANS Austin 2013 - Austin, TX - May 19 - 24, 2013
• International Workshop on Cyber Crime - San Francisco, CA - May 24, 2013
• Techno Security and Forensics Investigation Conference - Myrtle Beach, SC - Jun 2 - 5, 2013
• Mobile Forensics World - Myrtle Beach, SC - Jun 2 - 5, 2013
• SANS Malaysia @ MCMC 2013 - Jun 3 - 8, 2013
• ADFSL 2013 Conference on Digital Forensics, Security and Law - Richmond, VA - Jun 10 - 12, 2013
• FIRST Conference - Bangkok, Thailand - Jun 16 - 21, 2013
• The 1st ACM Workshop on Information Hiding and Multimedia Security - Jun 17 - 19, 2013
• Shakacon V - Honolulu, Hawaii - Jun 25 - 28, 2013
• SANS Digital Forensics and Incident Response Summit 2013 - Austin, TX - Jul 9 - 10, 2013
• 28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference Auckland, New Zealand - Jul 8 - 10, 2013
• Symposium On Usable Privacy and Security Newcastle, United Kingdom - Jul 24 - 26, 2013

• FIRST Conference - Due Dec, 2012
• The Second International Conference on Cyber Security, Cyber Warfare and Digital Forensic - Due Jan 3, 2013
• ICDCS Workshop on Network Forensics, Security and Privacy - Due Jan 15, 2013
• The 1st ACM Workshop on Information Hiding and Multimedia Security - Due Jan 25, 2013
• International Workshop on Cyber Crime - Due Feb 15, 2013
• ADFSL 2013 Conference on Digital Forensics, Security and Law - Due Feb 19, 2013

Digital Forensics Case Leads for 20121130 was compiled by Rob Dewhirst (@robdew) GCFA, GCIH, GREM, CISSP. Rob is a security analyst and CSIRT lead for a Tier I research University in the midwest and a private DFIR consultant.