Still got chores on the list so I’m afraid I’ll have to drop these into the blog-o-sphere a-la “pooh-sticks” and just let them drift on their own.
Let’s open the race up with the usual bundle of sticks from the Windows Incident Response Blog. The ones listed here are those that I found particularly thoughtful, helpful, and/or engaging.
- More Thoughts on Timeline Analysis - Windows Incident Response Blog. Context is everything.
- Forensic Analysis Process/Procedures - Windows Incident Response Blog. Great basic step-through of the process. Mirrors my own approach quite closely.
- Timeline Analysis...do we need a standard? - Windows Incident Response Blog. Creating a meaningful (and digestible) timeline for an incident report is a big challenge. All the data is great for the investigator, but time after time I’ve seen management’s and legal’s eyes glaze over a bit. Once you yourself have an accurate handle on the event timeline, you can then distill it down into something much simpler for the masses.
- MFT Analysis - Windows Incident Response Blog. Brief highlight.
- Links Plus - Windows Incident Response Blog. Lots of great tips, tools, and leads here!
- More Links, and a Thanks - Windows Incident Response Blog. Keydet89 is starting to do linkfests better than even me! The intro (A Good Example) is an embarrassingly good illustration of why even sysadmins and techs need to be trained in the basics of incident response…as well as having a strong in-house incident-response policy in place. (shudders).
- Researching Artifacts - Windows Incident Response Blog. No, not the Indiana Jones kind either…
- Forensic Incident Response: Triage of Agent.BTZ – Hogfly has a great walkthrough of a memory image analysis. A good refresher.
- Volume Shadow Copy Forensics… cannot see the wood for the trees? And from the friend across the Pond, Forensics from the sausage factory, a discussion on Volume Shadow Copies.
- The Digital Standard: Analyzing RAM Dumps. – Lite but tasty tips on RAM dumps.
- (IN)SECURE Magazine issue 24 released. – Yeah, not specifically forensics-related, but too good to pass up.
- E-Evidence Information Center - What's New – new whitepapers and material for security and forensics folks. This one, Virtual Machines in Forensics (PDF) by Jay Varda, was interesting…
- FireFoxForensics : woanware. An outstanding tool (among many standing) to extract info on Firefox usage. Now updated to version 1.0.4.
- ChromeForensics : woanware. This one is now at version 1.0.3
- PrefetchForensics v1.0.1 : woanware. Great tool for investigating and exporting data regarding Windows Prefetch stores.
- Prefetch Parser v1.4 released. SANS Forensics blog recently posted a review of this one in action.
- WinPrefetchView v1.05. Then there is this Nirsoft tool. Geared more for sysadmins than the forensics crew, it is still able to output results quite nicely.
- Tableau Imager: First Look. SANS Forensic blog has a hands-on review of new (free) software from Tableau that might take advantage of multi-core systems during the imaging process. Pretty cool stuff. Only gotcha is that you have to have a Tableau imaging product first. I’m still trying to get mine approved via purchasing. Failing that, it looks like I will be investing in one (Tableau T35es eSATA Forensic Bridge) for my personal collection of hardware tools…
- TimeLord Time Utility for Forensic Analysts. – Neat little tool to help deal with system time, formats, and encoding.
- Windows Shortcut Files in Forensic Examinations – PDF paper from Harry Parsonage updated in Nov 09 that goes into great detail on Windows shortcut files. Great material.