Channel: SANS Blog
Viewing all 381 articles
Browse latest View live

"Digital Forensics Case Leads: News from CES Las Vegas Might Open Doors for Automotive Forensics, Landmark Legal Rulings Impact DFIR Investigators, and Tackling Insider Fraud"

In this issue of Case Leads we go around the globe to cover telematics app development from Ford at CES Las Vegas; to Russia for new tools that allow investigators to access files users try to keep encrypted; an anti-forensic tool that tries to hide details from memory forensic tools; the insider fraud threat; and a number of landmark court rulings in the US that impact digital investigators. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Have an investigation where the target puts a crypto-protected PC in hibernate? Now the team at ElcomSoft has a $300 app that can get to the data well And, the

"Digital Forensics Case Leads: Sleeper Malware targets diplomatic entities in Europe & Asia, banking trojan travelling through Skype, DropBox decryption, PE file analysis, and retrieving iPhone VoiceMail"

In this issue of Case Leads, Magnet Forensics updates its IEF with neat new features, analysing PE files with Python, retrieving iPhone voicemail with Perl, a sleeper APT targets diplomats, banking trojans travel through Skype... Continue reading this week's Case Leads. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Magnet Forensics (formerly JAD Software) has unveiled v5.8 of its industry-leading forensic software, INTERNET EVIDENCE FINDER (IEF), including several exciting forensic firsts, such as DropBox decryption, web video recovery, Google Maps tiles and geo-location visualization, support for newsgroup messages, and other new artifacts.

"Course Review: SANS FOR408 Computer Forensic Investigations - Windows In-Depth"

There is a brand new course review posted over at The Ethical Hacker Network discussing FOR408 Windows Forensics In-Depth, authored by Ovie Carroll, Rob Lee, and Chad Tilbury. The reviewer, Jason Andress, discusses the course section by section. Jason took the course in the popular vLive format that SANS offers. Take a look.

"Special - SANS Online Digital Forensics and Incident Response Courses "

FOR408: Computer Forensic Investigations - Windows In-Depth
Mar 18, 2013 - Apr 24, 2013 w/ Ovie Carroll
http://www.sans.org/vlive/details/for408-mar-2013-ovie-carroll
FOR508: Advanced Computer Forensic Analysis and Incident Response
Mar 19, 2013 - Apr 25, 2013 w/ Chad Tilbury & Alissa Torres

"Case Leads: Backtrack Soon to be Back as Kali, Why Logs Should Really be Reviewed, the Impact of DDoS Against US Banks, Hard Drives with Bad Sectors and Data Recovery"

This week's edition of Case Leads features a teaser from the Backtrack developers, a case study from Verizon which demonstrates the need for regular log review, a report on the impact of the recent DDoS attacks against US banks and an article about challenges in recovering data from hard drives. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Backtrack will be reborn as Kali. The developers of Backtrack are planning to take the distribution to another level, but in order to do that, they realized they needed to build something new. The Backtrack website has a teaser video about the project, but for now the developers are quiet on the details

"Digital Forensics Case Leads: When the news is the news"

This week's Case Leads has several new tool updates and some interesting articles about reverse engineering, database forensics and a new forensics challenge. However, the big stories this week were about the recent break-ins at the New York Times and the Wall Street Journal. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: AccessData has updated FTK to version 4.2, adding support for MS SQL Server databases, new parsers and other updates. The complete release notes are available (PDF). Brian Baskin has ...

"Jake Williams' Tips on Malware Analysis and Reverse-Engineering"

In this interview, Jake Williams discusses his perspectives on getting into digital forensics, crafting strong malware analysis reports and making use of the analyst's findings. Jake is an incident responder extraordinaire, who teaches SANS' FOR610: Reverse-Engineering Malware course.

"Anti-virus is not enough to defeat APT groups"

In last week's story about the New York Times breach, you read that the best-selling anti-virus system failed entirely. Every organization that has gone through a targeted attack learns that same lesson and, too late, develops an in-house forensics and threat analysis capability. (The commercial incident handling companies charge as much as $1,000 an hour after you get breached.) The principal hands-on course that teaches how is SANS FOR508: Advanced Forensics and Incident Response. SANS did a similar test earlier this year when creating the core incident exercise for FOR508 and had the exact same results with McAfee ePO installed on our network.

"Announcing: The 2013 SANS Digital Forensics and Incident Response Summit Agenda"

http://www.sans.org/event/dfir-summit-2013 (PDF download)
Tuesday, July 9, 2013: Time / Room 1 / Room ...

"Digital Forensics Case Leads: Got Malware?"

This week on Case Leads, it's mostly about the malware. A new tool called Maltrieve will help retrieve it for analysis, articles on Java *.idx files and NTFS artifacts can help us find it post-mortem, and security software companies get pwned by it. Joking aside though, if you're scoffing at Bit9 this week, you would do better to spend that energy getting your own house in order. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Maltrieve - Kyle Maxwell has released Maltrieve, a Python script that reaches out to known malware sites, based on a small but growing list of meta-sources, and downloads all of the malware it can obtain. The project began life as a ...

"SANS Cyber Threat Intelligence Summit - 22 Mar 2013"

Join SANS for this innovative 1-day event as we focus on enabling organizations to build effective cyber threat intelligence capabilities. AGENDA: Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insufficient for the threats facing many modern networked organizations. A new class of adversaries, ...

"Jake Williams' Tips on Malware Analysis and Reverse-Engineering - Part 2"

In this interview, Jake Williams shares advice on acting upon the findings produced by the malware analyst. He also clarifies the role of indicators of compromise (IOCs) in the incident response effort. Jake is an incident responder extraordinaire, who teaches SANS' FOR610: Reverse-Engineering Malware course.

"Jake Williams' Tips on Malware Analysis and Reverse-Engineering - Part 3"

In this interview, Jake Williams discusses his perspective on the various approaches to reverse-engineering malware, including behavioral, dynamic and static analysis as well as memory forensics. Jake is an incident responder extraordinaire, who teaches SANS' FOR610: Reverse-Engineering Malware course.

"Jake Williams' Tips on Malware Analysis and Reverse-Engineering"

I had the pleasure of speaking with Jake Williams, an incident responder extraordinaire, who teaches SANS' FOR610: Reverse-Engineering Malware course. In this interview, Jake discussed his perspectives on getting into digital forensics, crafting strong malware analysis reports and making use of the analyst's findings. Could you describe your professional background a bit? How did you get into reverse-engineering? Well, I started out my professional career in the US Army, I've worked as a DoD civilian, and as a contractor/consultant. Over my career I've done a lot of programming. I've also done a fair amount of penetration testing of some pretty hardened networks (those are always more fun than the easy ones). I've found that I really enjoy incident response and digital forensics work as well. As a byproduct of performing incident response, I found that I ...

"Announcing: The 2013 SANS Digital Forensics and Incident Response Summit Agenda"

http://www.sans.org/event/dfir-summit-2013 (agenda PDF download)
Tuesday, July 9, 2013: Time / Room 1

"Java IDX Sample Files from Java Spearphishing Attack from SANS FOR508"

Earlier this year, SANS created the most in-depth incident response training scenario that spans multiple systems in FOR508: Advanced Forensic Analysis and Incident Response. We discussed the entire scenario in a blog titled "Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results". One of the biggest complaints that many have in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that by creating a realistic scenario based on experiences from the entire cadre of instructors at SANS and additional experts who reviewed and advised the attack "script". We created an incredibly rich and ...

"CaseLeads: China Cyber Espionage Exposed, Account Issues with Twitter and Plenty of Great How-To's"

This week on Case Leads, we learn the truth about China's cyber espionage unit, Twitter verified accounts were hacked, and there have been some updates to some of your favorite tools. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: HMFT was given a small update. Autopsy was recently updated as well. Passware can now extract passwords for certain popular websites from memory. Good Reads: A very interesting article about finding and reverse ...

"Report Writing for Digital Forensics: Part II"

This blog post is a second edition and follow-up to Intro to Report Writing for Digital Forensics, which you've taken the time to review, digest, and dissect. How the digital forensic practitioner presents digital evidence to his/her intended audience (regardless of why we are preparing a digital forensic report) establishes the proficiency of the digital forensic examination. Let's take it a step further: how will you present your findings? Effectively reporting what you found during your forensic examination will aid you in presenting your report and the digital evidence to whomever your intended audience will be, which ultimately may be a jury in a criminal or civil proceeding. In this blog post, we are going to tackle some more report writing issues. Remember, YMMV depending on what hat you wear in digital forensics ...

"Cyber Threat Intelligence Full Agenda - Government Pricing Announced"

SANS is offering a one-time discount for the Cyber Threat Intelligence Summit to government employees (e.g., federal, state, local, DoD). This offer reduces the registration fee from $895 to $395 and will be available for a limited time only, on a first come, first served basis. Please select Register Now on the right side of the page and use the code CTIGOV. Join SANS for this innovative 1-day event as we focus on enabling organizations to build effective cyber threat intelligence capabilities.

"Digital Forensics Case Leads: Email Scammers, Android Malware, DoS Against Banks, Tool Updates And A Few Good Reads."

In this issue of Case Leads we have an increase in Android malware, DoS attacks on Czech banks, some updates to Oxygen Forensics Suite, a new tool from Magnet Forensics and a little levity. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Oxygen Forensics Suite has released version 5.1.1. New features include support for Windows 8 and added support for Opera Mini and Opera Mobile for Android, along with many other enhancements and improvements. Passware is now integrated in Oxygen Forensic Suite to provide a joint solution for mobile device investigations. Magnet Forensics has released a new tool called