My “For-Sec” to-be-blogged pile is bustin out at the seams.
Unfortunately, I still haven’t been able to find the time to toss the meat on grill in a way that gives it justice…so as of now, that material is still slow-smoking.
In the meantime maybe you will find something noteworthy in the following links-of-note prepared for quick consumption.
NetWitness - Investigator Freeware - Version 220.127.116.11 released 03/16/12. I’ve used this NFAT tool successfully in the past, but had stopped looking for updated versions. So the other day when my one-year’s registration period had expired and I had to “re-enlist” I was advised an update was available. There are a number of free NFAT tools, and each provides its own slant. NetWitness Investigator Freeware version is a must-have tool for your assessment collection. Get the update!
MIR-ROR - This incident response toolset has now been updated to version 2.0: HolisticInfoSec: MIR-ROR 2.0 released. Sure you have to dump a few of the ingredients in the provided bowl before you bake, but it’s, well, a piece of cake. The result is a collection of tools that can speed up your assessment and information collection on a suspect system.
65 Open Source Replacements for Security Software - Datamation’s Cynthia Harvey has composed a knock-out list of great Open Source tools. I’m confident that anybody who regularly reads this blog will find something new or interesting in this list.
NAFT Release - Didier Stevens has released his Network Appliance Forensic Toolkit than can handle network appliances but also supports memory dumps of OS’s like Windows. Basically (for now) it extracts network packets from memory dumps or other devices via pattern recognition.
The Latest Version of Redline Finds Indicators of Compromise and More - Mandiant’s Redline tool has now been updated.
Brett Shavers has a number of new posts about progress in the WinFE building and toolsets.
- Colin’s Write Protect Application- Windows Forensic Environment Blog
- WinFE Script Updated - Windows Forensic Environment Blog
The Girl, Unallocated forensic blog has been a great source of how-to’s and advice on approaching investigations. This latest series is quite interesting.
- Case Experience #2 - IP Theft Investigation Thought Process
- Case Experience #2.1 - More About IP Theft Thought Process
- Case Experience #2.2 - Let the Digging Begin
- Case Experience #2.3 - Digging Into the Registry
Prefetch analysis posts are quite plentiful.
- Prefetch Analysis, Revisited...Again... - Windows Incident Response blog
- Second Look at Prefetch Files - Journey Into Incident Response blog
Corey Harrell also has a great in-depth timeline study based on Volume Shadow Copy data. Sharpen your Saw on this one!
- Volume Shadow Copy Timeline- Journey Into Incident Response blog
We are all learning more and more as Chrome gains in popularity. SANS Computer Forensics and Incident Response blog’s “johnmmccash” has a great roundup of material in his Forensically mining new nuggets of Google Chrome post.
Finally, Security Ripcord blog’s Don C. Weber has a technical post on Hard Drive Acquisition Information Using faidds and makes some interesting observations in the process.