Sunday, November 01, 2009

Fast Forensics Touch-and-Go


“C-17 Touch and Go” flickr cc image by vortran69

That last post, Sexy USB Boots (Win PE style) and the DST “fall-back” have taken a toll on me.

I had hoped to spend more time crafting this post, but I need to turn in now to be functional for when I report for duty tomorrow morning.

So here is a quick flyby of forensics related posts I have collected over the past two weeks.


  • Windows 7 and the Future of Forensic Analysis – Windows Incident Response blog – nice touch-n-go on forensics in the new dawn of Windows 7. Fortunately, Windows 7 adopts many of the habits of Vista, which has already been in the wild for a while, so it isn’t like everyone is starting from scratch. That said, the continued proliferation of XP and the relatively slow adoption rate of Vista mean that XP has been a much more comfortable realm for many incident responders to work in. Windows 7 will probably see a faster upgrade and saturation level, so it’s time we all get prepared for what it brings to the table.

  • Timeline Creation Tools – Windows Incident Response blog – Harlan builds on the challenges and techniques of timeline building in incident response. I’m still going back and rereading all his posts on this subject and others, such as this Registry Analysis post from the SANS Computer Forensics, Investigation, and Response blog.

  • Windows 7 Computer Forensics – SANS Computer Forensics, Investigation, and Response blog.  Returning to Harlan’s first post above, this must be bookmarked as it contains some excellent material for reference, not just for forensic guys and gals but also for sysadmins of Windows 7 systems.  Great stuff!

  • Free Tools – Windows Incident Response blog – I’m so jealous of Harlan for getting this one up! He has thrown down the gauntlet and provides a great intro listing of wonderful free (and many portable) utilities of interest to forensic examiners. I’ve got many of these tools in my toolbox, plus a whole stable of many more as well. Now I’m feeling guilty for not having the time at the moment to get them all cataloged and back-linked to share as a resource for the forensics community. Harlan has shamed me into dealing with this, so my goal is to get it up before the year is out. I’m probably going to have to take a few days off work to get it done.

  • Tableau Forensic Products - TIM. – Tableau is teasing us with their own imaging solution that promises to be fast and easy and rock-solid.  I’m intrigued and hope they offer a beta-download to play with soon.  I also hope it is USB portable for use under Win PE booting.

  • 8 bits: View the contents of a DD image while it’s being made. I’m not sure how regularly applicable this information is, but for someone who occasionally does make dd-format images, it is cool anyway to know.

  • CAINE Live CD – Version 1.0 released! – The new release, available as both a boot disk ISO and a USB bootable device image, doesn’t seem to bring any radical changes or features, mostly just bug fixes. Still, if you are using CAINE (and you should be familiar with it) as a forensic LiveCD to offline boot/image/inspect a system, you will definitely want to update to this version.

  • DEFT v4.2.1 release – DEFT Linux - Computer Forensics live cd. Likewise, this other excellent forensic LiveCD distro also got a minor bug-fix update, so update to this DEFT version as well. This isn’t related to the promised DEFT Linux v5 road map and features, which promise to bring some more bells-n-whistles to this fine forensics LiveCD distro. No word on when beta releases will be available, but I suspect the critical bug fixes to v4 DEFT led to some delays in getting work on v5 completed.

  • JADsoftware - EDD home page. Jad has been hard at work updating his Encrypted Disk Detector freeware utility to version 1.1.0, which includes the following new features/release details: “…Now EDD also checks mounted logical volumes and attempts to determine if they are encrypted TrueCrypt or PGP volumes. A 100% determination can not be made but an alert is provided to the user who can then further investigate. EDD is now included as part of Microsoft COFEE!” Spotted via this post: Encrypted Disk Detector 1.1.0 released. Relatedly, Jad’s Internet Evidence Finder utility was also recently updated to version 2.0.6, bringing in lots of great feature improvements as well.

Back into the skies for now!

--Claus V.
