One of the biggest complaints that many have in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that through creating a realistic scenario based on experiences from the entire cadre of instructors at SANS and additional experts who reviewed and advised the attack "script". We created an incredibly rich and realistic attack scenario across multiple windows-based systems in enterprise environment. The attack scenario was created for the new FOR508: Advanced Forensics and Incident Response course. Our main goal was to place the student in the middle of a real attack that they have to response to.
The purpose is to give attendees of the new FOR508 real filesystem and memory
In this week's edition of Case Leads we have a how-to for Bulk_extractor's find feature, first impressions on the new database options in FTK, an extension for log2timeline for parsing the cache in Firefox, the Verizon data breach report, and statements by current and former US government officials about Stuxnet and China.
If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to firstname.lastname@example.org.
- Bulk_extractor is a tool that is periodically mentioned on the blog. Simson Garfinkel posted a brief how-to that demonstrates the use of bulk_extractor in finding keywords in a disk image. The post explains why bulk_extractor is better (in some cases) than strings and grep (part of the reason is bulk_extractor parses compressed files.)
Hopefully at one point in time everyone has experienced the enjoyment of a teacher that allowed them to use a "cheat sheet" on a test. For the unfamiliar, the concept is simple; take an 8.5 x 11" piece of paper, cram as much information as you can on both sides, and use it as an open reference for a test. The key was not only to put as much information as you could fit on the two-sided document, but for that information to be neatly organized and readily accessible so you could quickly reference information and articulate answers before the test clock ran out.
Without hesitation, it can be challenging to memorize commands and too consuming at other times to search through #DFIR resources (online resources, books, notes, contacts, and etc) to answer questions like "Is there an alternative to mounting split .e01 image in SIFT workstation if mount_ewf.py fails?" or "How do I create a GREP
This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with
Over the years of teaching, I have found that there is no shortage of talent in our DFIR community. There are so many individuals that are incredibly sharp, truly skilled, and solving critical cases for their organizations.
Sometimes we find that we become so focused on solving cases that we forget that we could figure out a way to share some of our talents back to the community. I commend the many peers that I have that have started blogs and author tools that truly make a difference. In some cases, an individual has a lot of skill, but sometimes needs an idea. Many in the community can probably list of multiple research projects that we would love to tackle if given enough time. But simply we don't have that extra time so we share these ideas with others who might have a spare CPU cycle or two.
The main point? I truly encourage you to reach out to individuals in the community and ask "What would be a great project for me to work on?" or "What still needs to