ForSec Linkpost

…and here is a hand-picked selection of particularly practical and informative ForSec links.

I’ve been very busy these last several months as we have worked almost non-stop at the office to migrate our platforms from Windows XP to Windows 7 so my energy level and free-time is only now catching back up in my personal life.  New books to read and review, stuff like that.

Whew!

Hopefully some more normal and original (as in “contributory” rather than re-linking) GSD blog-content posting will follow moving forward.

• Timestamp difference in Windows Explorer FTP folder view - Ask the Performance Team blog
• Introduction to Memory Analysis with Mandiant Redline - InfoSec Handlers Diary Blog (SANS)
• EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT - ForensicKB
• XORSearch: Finding Embedded Executables - Didier Stevens
• SANS SIFT 3.0 Virtual Machine Released - SANS Digital Forensics and Incident Response Blog
• (PDF link) Enhancing incident response through forensic, memory analysis and malware sandboxing techniques - enhancing-incident-response-forensic-memory-analysis-malware-sandboxing-techniques-34540 - SANS Institute InfoSec Reading Room paper by Wylie Shanks.
• A Series of Introductory Malware Analysis Webcasts - Lenny Zeltser’s blog
• TTPs - Windows Incident Response blog
• Follow up on TTPs post - Windows Incident Response blog
• Triaging with the RecentFileCache.bcf File - Journey Into Incident Response

And now for a change of pace…

• DEFT 8.1 and DART 2 2014 - DEFT Linux - new version releases of the LiveCD platform and accessories.
• Index of /files/dart - So DART 2 2014 is basically a collection of Windows applications bundled in a slick and well-organized launching platform that can help with some forsec activities if you aren’t using the Linux DEFT bootable OS. Use of these tools on a life system in most cases will not be forensically sound “out of the box” but the situation may call for their usage. Certainly they present a convenient and well-rounded way for knowledgeable sysadmins and responders to have a great collection of tools in one place.
• CAINE Live CD/DVD - Alternative project to DEFT but similar in the approach. I mention it because previous versions were bundled with a DART-like Windows package called…
• WinTaylor - (scroll down a bit to see/download the files), only WinTaylor has been superseded by the new…
• Win-UFO package now included in CAINE.  Which leads us to this…
• Win-UFO v4 Introduction (by Casey Mullis) over at LoveMyTool which provides a nice video introduction to this specialized Windows utility packaging.
• WinFE Success Story - WinFE blog
• Mini-WinFE Updated - WinFE blog. Brett Shavers highlights some exciting going-on’s in the WinFE world with the Mini-WinFE project.  Check out the comments on the post as Troy (Larson) makes mention on the benefits of “Windows to Go” as a  Win FE platform plus more as well as support in WinPE 5.1 for the “WimBoot” feature. And I had previously found this What is Windows Image Boot (WIMBoot)? post and shared in in my sysadmin-related post. Interesting options! Can’t wait to see where these new off-shoots might take us!

Cheers!

--Claus V.