
Forensics


Computer Forensic Investigations and Incident Response.

Understanding how malicious software implements command and control (C2) is critical to incident response. Malware authors can use C2 to execute commands on the compromised system, obtain the status of the infection, commandeer numerous hosts to form a bot network, etc. This article explains how malware performs C2 functions and clarifies how this information can aid responders in detecting, analyzing, and remediating malware incidents.

Adding to our ever-growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster, "Finding Evil", created by SANS Instructors Mike Pilkington and Rob Lee. This poster was released with the SANSFIRE 2014 Catalog, so you might already have one. If you did not receive a poster with the catalog or would like another copy, here is a way to get one. Get the "Find Evil Poster" Here.

Now available for online ordering - the SANS DFIR Polo.

Having trouble downloading new SIFT 3.0?

Dealing with Split Raw Images in Digital Forensics. Hal Pomeranz, Deer Run Associates. Lately I've been working with images from a client whose policy is to create their dd-type images as a series of 2GB chunks, the so-called split raw format. While commercial forensic tools will typically handle this format easily, split raw images can present challenges for examiners using Open Source utilities and Linux command-line tools.

With image sizes constantly increasing, recombining the individual chunks of a split raw image into a single, monolithic image file is not really practical either in terms of analyst time or disk space. Happily, there are some Open Source utilities that can make dealing with split raw images considerably easier.

The Sleuth Kit

The Sleuth Kit utilities have actually supported split raw format since v2.

As an example, I've taken one of the small 2GB images that we use for exercises in the SANS Forensics curriculum and split it into 10 200MB chunks:

# istat -i split -o 642663 test_img.0* 2
inode: 2
Allocated
Group: 0
[...]

Software for Computer Forensics, Data Recovery, and IT Security. Recover Deleted Files.

Wally's blog » Blog Archive » Reconstructing heavily damaged hard drives. [EDIT: Hey guys, thanks for the feedback!

Someone over at virtuallyhyper.com has an awesome write-up that deals with SD cards specifically (but is highly relevant to hard drives too), with a set of much improved and updated scripts. I'd strongly recommend taking a look ... Recover files from an SD card using Linux utilities]

Recover data even when an NTFS (or other) filesystem won't mount due to partial hard drive failure. This was born when someone brought me a near-dead hard drive (a serious number of read errors, so bad that nothing could mount or fix the filesystem), asking if I could recover any data. Now obviously (as almost any geek would know), the answer of course is a very likely yes. This makes Matt mad.

So I booted up Helix, created a quick image of the drive to a 500GB external drive, and tried running Autopsy (the GUI of Sleuthkit). I say interesting, because Sleuthkit couldn't read the filesystem. There are 3 tools which proved useful: ils, ffind, icat.

#!

Computer Forensics Certification - CyberSecurity Forensic Analyst (CSFA)

Test Overview

All test candidates will need to submit a Certification Test Application and Agreement. The CSFA certification test is the only test currently available of its kind. It closely resembles a scenario that a forensic analyst will encounter in the real world, with a specific time frame to complete the analysis, and the ability to request additional information relevant to the case.

This is an advanced test, designed for professionals who already possess practical experience in the field of digital forensics. CSFA candidates will have three days to take the test. The written test will comprise 30% of the total score, with the practical comprising 70% of the total score. Candidates will be allowed to request additional information after reviewing their particular scenario, such as proxy, IDS, and router logs, acceptable use policies, interrogatories, etc.

Motions
Affidavits
Subpoenas

Taking The Test / What To Expect

Your test will be proctored while in the testing center.

1.

HTTrack Website Copier - Offline Browser.

Domain information, whois & dns report | Domaincrawler.com.

PowerDbg - Automated Debugging using WinDbg and PowerShell.

Removed: MSWD-cc27e340.job, cc27e340.exe « Malware « Malware Analysis and Removal.

Network Forensics and Incident Response.

Subscription Statistics « Arnie Almighty. I recently discovered the "Discover >>" link in Google Reader. I guess it has been there for a while now, but I found it only recently.

I have got lots of new subscriptions already. :-) I noticed that Google was displaying the subscription count for all the top feeds. The subscription count is the number of Google Reader users who have subscribed to the feed. Now, I click on a subscription (I usually don’t use Google Reader for viewing my Google subscriptions, I use Liferea. The next obvious question is: can you find the subscription count of any arbitrary feed?

Since I have enough experience from over the summer with wiresharking Google Reader, the next step is obvious. So all you have to do is replace the region after the ...feed%2F with the URL-encoded feed URL. Since URL encoding is hard to do manually, you can go a step further and make this a Firefox search bookmark. A few notes: gstats (without the trailing "/") does not work. Like this: