Into The Boxes: Issue 0x0

It is official.  Harlan and I are proud to announce the first edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0x0

Of course this release would not have been possible if it were not for the contributions of Didier Stevens and Jamie Levy.  These two produced, in our opinion, two very good articles that will benefit your analysis efforts and overall education.  We all owe these two a big thank you for helping us get this effort moving forward.  Several others also provided us with various forms of encouragement and article submittals but, for various reasons, were not able to provide content for this publication.  Harlan and I would like to thank these people as well and let them know we are looking forward to their submittals for Issue 0x1, in addition to their continued verbal support.

This issue contains four specific articles that cover a variety of digital forensic and incident response issues.  More specifically:

Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens.

This is an analysis of the new binary data format of the UserAssist registry keys used in Windows 7 and Windows 2008 R2.

*nix Box: Red Hat Crash Memory Forensics – Jamie Levy

This article covers the installation and use of the Red Hat Crash Utility for Linux memory forensics.

Software Box: Beware The Preview Pane – Don C. Weber

A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

Squawk Box: PCI Interview with Harlan Carvey

An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

9 Responses to “Into The Boxes: Issue 0x0”

  1. Chris Hague Says:

    Very interesting and insightful article(s). I myself work for a QIRA firm and agree that the amount of data sharing seems to be one-way or limited at best. With that said, I’ve reached out on a professional level to other QIRAs to share vectors, malware, and other points which might be relevant to their cases. For those that do not know, the PCI Council plans on taking over the QIRA list, which might open the list up to more than the 7 or so authorized vendors. This could be a good thing.

    Cheers,
    Chris

    • Colin Sheppard Says:

      Great first edition of Into the Boxes. My organization is also a Qualified Incident Response Assessor (QIRA). We frequently discuss the need for a more structured information sharing process within our industry. While I’ve seen great strides in recent years, as Harlan has stated, there is a need to reevaluate what constitutes valuable information and subsequently provide and correlate those data points.

      Harlan also touches on a subject that is not frequently discussed. In the majority of (our) cases, the intrusion took place weeks or months before we (QIRA) were engaged. Overwhelmingly, the investigation was initiated because a card brand(s) fingered the entity as the breach point (Common Point of Purchase) based on fraudulent transaction history. Unfortunately, the reliance on third party detection creates this protracted lapse in time where valuable actionable intelligence concerning the breach is most often lost.

  2. […] This post was Twitted by wimremes […]

  3. Ron Bailey Says:

    Congrats gents on your new emag!
    I look forward to future editions.

  4. Anonymous Coward Says:

    Did you spell check this document? There are some obvious misspellings which make it hard to take this seriously.

    • @anon,

      We appreciate your comment. We look forward to your spell-checked collaboration in the future. Please provide your submittal for our review by using the Collaboration Box.

      Thank you,
      Don C. Weber

  5. Nice work and I thank you for your efforts, although the first thing I noticed was the year being wrong on the pdf front page. As a previous occupation was proofreading, I’d be happy to contribute my services, FOC, for future editions.
    Regards
    Neo

    • @novunix,

      We appreciate you noticing and informing us. Our first mistake of the New Year. I am willing to bet it will not be our last. We will keep you in mind for the next issue and may contact you using the email you provided here.

      Thank you,
      Don

  6. […] For more details, read my article in the new forensic magazine Into The Boxes. […]
