Security and Forensics Roundup: Heavy Version #7

Oh my.  I may have bit off more than I can chew with this load of links.  I’m having a challenging time breaking them all down into meaningful chunks!

Incident Response

• The Tiger and the Ghost – Nice and reflective thoughts on the changing landscape of incident preparedness from Hogfly over at the Forensic Incident Response blog.

• Verizon Incident Metrics Framework Released – Verizon has published a framework for categorizing incidents and elements that comprise them.  One of many out there, nevertheless, it might provide some additional ideals for conceptualizing incident events and help guide you as you form narratives that analyze and summarize them for your audiences. Spotted via the TaoSecurity blog.

• DarkReading Evil Bytes bloggist John Sawyer has posted a trilogy of articles on incident response as well as drive-imaging thoughts and techniques in that response; Adding Forensic Imaging To Your Standard IR Process, Using Hard-Drive Imaging In Forensics, and Drive Imaging Using Software Write Blocking provide an updated refresher on these topics. Good for a quick review particularly for the unfamiliar.

• Responding to Incidents – Windows Incident Response blog.  Coming in at the anchor position is a great post by Harlan covering all the major points and issues on why establishment and execution of an organizational incident response plan for the IT shop is critical. If you don’t have one, it’s long past time to start building and implementing one.  Failure to do so comes with great peril.

Timeline Merry-go-Round

Having some time ago been faced with the challenge of preparing a digestible incident timeline of a Windows system, I am now paying even closer attention to timeline issues.  Like many, I had reams of data, much of it all valuable. However, the real challenge wasn’t so much the capture and spin-out of the information, it was presenting the findings in an objective manner that successfully and accurately told a story to management and non-IT consultants.  What was of value to me understanding the sequence of events was less valuable to those who wanted the big-picture and major-plot-points.  It end up being as much the art-of-communication as well as art-of-examination.

• Timeline Creation and Analysis and Even More Thoughts on Timelines – Windows Incident Response blog.  Start here to let Harlan give us our bearings on timeline issues.

• Timeline Analysis Part I : Creating a Timeline of a Live Windows System – The Digital Standard blog. cepogue starts us on a nice incident walkthrough from a timeline perspective

• Timeline Analysis Part 2 : The Registry – The Digital Standard blog.

• Timeline Analysis Part 3 : Log2timeline – The Digital Standard blog.

• Timeline Analysis Part 4 : Timescanner – The Digital Standard blog.

• Digital Forensic SIFTing: SUPER Timeline Analysis and Creation - SANS Computer Forensic Investigations and Incident Response Blog.  Very valuable guided tour on how to make a SUPER timeline using the SANS Investigative Forensice Toolkit (SIFT) Workstation 2.0.

• Shadow Timelines And Other ShadowVolumeCopy Digital Forensics Techniques with the Sleuthkit on Windows  - SANS Computer Forensic Investigations and Incident Response Blog. Because timelines are not just for the main Windows volumes…you’ve got clues in the Shadow Volumes as well.

• NFIlabs – Aftertime – Java tool to create timelines.  Pretty cool.

It’s all about Analysis

• Malware case: Day 1 and Malware Case : Concluded – Eye on Forensics blog.

• Memory Analysis on Windows 2003 64-bit and What’s Next – Mandiant M-unition blog.

• Analyzing RAM Dumps, RAM Analysis Part 2,and Memory Analysis Part 3 – The Digital Standard blog.

• Flock shepherds in a Life of Grime – Forensics from the Sausage Factory blog.  In which in this installment, we find DC1743 encountering the Flock browser, which is just a fancified version of Firefox geared to the social media experience.

Tools and Toys

• Streamarmor - RootkitAnalytics.com new freeware tool to discover ADS elements and remove them from a system.
• Internet History Examination Tools - you generally get what you pay for  – Forensics from the Sausage Factory blog.  In which DC1743 weighs the pros and cons of various utilities used to examine browser history.

• EnCase Portable device – Review - Computer Forensics, Malware Analysis & Digital Investigations blog.

• AVG Rescue CD: Free toolset for repair of infected machines – PSA announcement on HelpNet Security about a bootable LiveCD to review/clean an infected Windows system. Might be worth considering adding it to your stable.

• QCC Information Security - Free Forensic Tools – including CaseNotes, VideoTriage, and FragView.

• P2 eXplorer v2.0 – Free tool from Paraben Forensics to allow mounting of forensic images. Comes with support for reams of image formats.  Neat!

Miscellanea: Don’t count out the value of small things…

• Tidbits, Links, and even more Links – Windows Incident Response blog.  Think of these post links as Easter-eggs.  Each one nice and simple holding wonderful treats just under the shell!

• Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas - SANS Computer Forensic Investigations and Incident Response Blog.

• Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt - SANS Computer Forensic Investigations and Incident Response Blog.

• The Chain of Custody for 2010-03-21 – Weekly Tweets - SANS Computer Forensic Investigations and Incident Response Blog.

• What is this field called anyway? – Forensic Focus Blog…a rose. By any other name, would smell as…well, you know.

Cheers.

--Claus V.