Sunday, October 17, 2010

Books, Networks, Security, and Forensics

The little-brother endowment for big-brother improvement has allowed for the recent expansion of my technical library by three more volumes.

I have just ordered the following books after a long wait in my wish-list pile:

I had flirted with also picking up Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell and Gerald Combs, but decided instead to invest in a Canon Speedlite 270EX Flash for our Canon Rebel DSLR, as all work and no play makes Claus a cranky boy.

The first two selections reflect an expansion and recognition that understanding and analyzing network traffic can not only complement Windows systems forensics and incident response, but in some cases be the canary in the coal mine that signals something much larger is going on, worthy of focused investigation at the machine level.

A recent series of events has driven both these points home to me in a very powerful way.  So I really am excited awaiting their arrival.

As for Harlan’s book, it really is one of the cornerstone books of Windows forensics and I’ve really felt weaker for not having read it yet.  I’m truly honored and stoked to be adding it to my bookshelf.

The nature of my work demands that I approach things holistically, and I really hope that the combination of these materials gives me a sharper edge in analysis as well as in understanding how all the parts can better fit together.

In the News:

(IN)SECURE Magazine issue 27 released - Great security and risk-management articles in portable PDF reading format.  I’m always waiting for the next edition!

Hiberfil Xpress and FTK Imager 3 posts - Forensics from the sausage factory.  DC1743 tears into the Hiberfil and touches on its compression as well as new support (script) for examination via EnCase.  The second post points out that the awesome and free forensic image capture tool (and then some!) FTK Imager 3 is now out from AccessData.  This newest version does require a system install, but they have also released a bumped version of their free/portable “Lite” version, now at 2.9.0. Go get ’em!  AccessData Product Downloads

CAINE 2.0 Live CD - “NewLight” computer forensics digital forensics - LiveCD Distro - I was surprised to discover CAINE 2.0 “NewLight” was released in the past few weeks.  CAINE and DEFT are both my current favorites for Linux-based “LiveCD” distros and are jam-packed with complementary toolsets.  CAINE 2.0 has a fresh look and updated features all the way around.  I’ll save post space here by not listing all the new and updated feature sets, but suffice it to say, it really is super-slick and, just like Mighty Mouse, packs lots of power in a small size!

Gift Card FAIL: What do sequential numbers and shopping sprees have in common? - PaulDotCom - Yeah…worrying.  Besides the obvious issues, what really stands out to me is that I’m not the only one who can’t seem to turn their brain off from security/incident response musings…even when off-the-clock.  Every situation and every place presents opportunities for mental security pushup work.

Asset Tags For Dummies - Liquidmatrix Security Digest.  Part II from the theme above.  Really, we also stick honking-big asset tag stickers prominently on our equipment that can be read from 10 yards or greater away, with enterprise name and everything.  Plus the brand of our whole-disk encryption provider on a separate sticker.  “So we can tell which systems are whole-disk-encrypted” easily by just looking at the case.  At least that was the justification provided.  Really?  Can we?

Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64 and Avoid the Knee Jerk Reaction - M-unition Blog.  Two great posts from the MANDIANT gang, including the announcement of the release of Memoryze 1.4.2900, which has added support for Windows 7 64-bit, Windows 7 32-bit, and Windows 2008 64-bit along with the previously supported platforms.

Free Malicious PDF Analysis E-book - Didier Stevens.  Go grab it now!

FireMaster : The Firefox Master Password Recovery Tool - SecurityXploded.  Free tool to recover the master password from Firefox.

Symantec’s w32_stuxnet_dossier (PDF) is a perfect model of how an incident/threat analysis report should be written.  It seems to set a new gold standard for informative analysis and technical writing on malware/threats.  Wow!

Tshark/Wireshark SSL Decryption - Lessons Learned - PaulDotCom - Mark Baggett has written a great tutorial on how to configure Wireshark to decrypt SSL packets.  Great stuff.

PrefetchForensics v1.0.3 : woanware - Mark Woan has made some improvements to this free Windows Prefetch file analysis tool.  Update your copy now!

Forensic analysis of "Frozen" hard drive using Deep Freeze - Computer Forensics, Malware Analysis & Digital Investigations.  Deep Freeze is one of several “steady-state” system solutions that “restore” a Windows system back to a predefined configuration when the user’s session is over.  In theory this should erase all tracks, but as all good forensicators know, there’s gold in the streambed once you dig just under the surface a bit!

Xplico » Xplico 0.6.0 - Just released!  Xplico is a Linux-based tool that allows for reassembly of browsing sessions from captured network traffic.  I’ve been having to use it quite a bit lately, and as I get to know its capabilities better, I am floored by the power and benefit having this tool in my arsenal brings me.  I’m planning a follow-up post on Xplico very soon here at GSD.  Stay tuned!

Happy Digging!

--Claus V.


Anonymous said...

When is your post about Xplico coming?

Claus said...

@ Anonymous -- Thanks for the query. It's still planned. I've been jammed up at work still and trying to seriously enjoy the (too brief) holiday respite provided. I expect to have it up in the next week or so. Xplico is quite cool, though for Windows users it requires a few hoops and "getting used to" things. That's not a criticism, but due to its development in a Linux environment. A Windows port would be really handy.

Cheers and happy new year!

--Claus V.