Into The Boxes

Into The Boxes: Call for Collaboration 0×02 – Second Try

cutaway — Mon, 16 Apr 2012 14:26:58 +0000

Okay, the first Call for Collaboration for edition 0×02 did not work out as well as I would have hoped. I did not get any input and I just got busy with work and home. But, there has been recent interest and we (Harlan Carvey and myself) have never given up hope. We are shooting for issue 0×02 to be published in May or June of 2012. Of course this will depend on the community. Your input is necessary to our success.

Go forth and do good things,

Filed under: Information

Into The Boxes: Call for Collaboration 0×02

cutaway — Sun, 25 Jul 2010 19:17:02 +0000

In case you were wondering, Into The Boxes is still an active project. Work load and professional changes have caused us to skip a quarter. This will not deter our efforts and we are shooting for issue 0×02 to be published in September 2010. Of course this will depend on the community. Your input is necessary to our success.

Therefore this is another call for collaboration. Please use the Call Box to provide us with details about issues and topics within digital forensics and incident response that interest you and your colleagues. We look forward to your submissions and recommendations. Anybody who has already contacted us we will be getting back to you within the next week or two about moving forward with your ideas.

For those of you attending Def Con, be sure to find me and talk to me about this or any other topics. I will be busy working on the Mystery Challenge again, but there will be plenty of extra time to converse and have a beer or three. See you there.

Go forth and do good things,

Don C. Weber

Filed under: Information Tagged: Digital Forensics, Incident Response, Into The Boxes, ITB

Registry Analysis and Geolocation Scripts Released

cutaway — Wed, 07 Apr 2010 06:22:26 +0000

Harlan has released the scripts he used in the “Registry Analysis and Geolocation” article. These scripts are available to members of the Win4n6 forum and can be downloaded from the “Files” directory. Just look for the file named itb0x1.zip. This zip file contains the following perl scripts which are to used with RegRipper:

ssid.pl,
networklist.pl, and
maclookup.pl.

Be sure to read the “readme.first” file as there are some requirements associated with the maclookup plugin.

Enjoy,

Don C. Weber

Filed under: Information Tagged: Harlan Carvey, Into The Boxes, ITB, RegRipper, Win4n6

Into The Boxes: Issue 0×1

cutaway — Mon, 05 Apr 2010 12:01:33 +0000

It is time for the second edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×1

This time we have contributions from Scott Burkhart and Chris Pogue. This is another diverse issue covering a wide range of digital forensic and incident response topics. More specifically:

MAC Box: Introduction to Plist Files by Scott Burkhart

Want to know how OSX maintains its configurations? Scott Burkhart breaks down the .plist configuration files and how they can be used during data analysis.

Squawk Box: The Simple Truth – Chris Pogue

Chris Pogue provides us some insights into the world of PCI breach incident response.

Software Box: Poorcase: Split Image Reconstruction – Don C. Weber

Richard Harman has released a new tool for combining split images for data analysis with tools that cannot inherently handle split images.

Windows Box: Registry Analysis and Geolocation – Harlan Carvey

Harlan Carvey explains how Windows Registry analysis can be leveraged to perform geolocation and establish information about the different physical locations a system has been used.

Hardware Box: Super DriveLock Review – Don C. Weber

Don C. Weber reviews Intelligent Computer Solutions’ Super DriveLock, a multi-interface write blocker which can be used in a digital forensic tower or taken on the road.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts. We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

Filed under: Releases Tagged: Chris Pogue, Don C. Weber, Harlan Carvey, Into The Boxes, ITB, OSX, plist, Scott Burkhart, Security Ripcord, Super DriveLock, The Digital Standard, Windows, Windows Incident Response

ITB Issue 0×1 – Call For Collaboration

cutaway — Sun, 07 Feb 2010 16:51:32 +0000

The success of Into The Boxes Issue 0×0 was only possible because of the collaboration provided by members of the Digital Forensics and Incident Response community. In order for this publication to continue we need more people to step up and provide their input. As you can see from the first issue we are looking for input that can be implemented by people in the DF/IR fields. This input can be in the form of detailed articles or quick tips. All input will be given serious consideration. The ITB editors will provide authors with recommendations to strengthen their write-ups to ensure the best value to the community and help the authors develop as DF/IR professionals and writers.

Please help ITB by providing your submissions or letting us know about your intent to submit via the ITB Call Box. We are also looking for article recommendations which we will place in the ITB Research Box so that others have good ideas as to what will help the DF/IR Community. Obviously, if you would like to contribute but do not know what to write about, check out the ITB Research Box for recommendations.

Go forth and do good things,

Don C. Weber

Filed under: Information Tagged: Digital Forensics, Incident Response, Into The Boxes, ITB

ITB DF/IR Tip Contest

cutaway — Fri, 05 Feb 2010 04:20:18 +0000

This has been a long time coming. The winner of the first Into The Boxes DF/IR Tip Contest is John McCash with the one and only entry for this contest:

Windows ‘Default User’ Browser History may be left by anything that uses the WinInet APIs & runs as System, including wget.exe.

To clarify John points us to a post on Harlan’s blog: The Case of the “Default User” and Robert Hensing’s Blog post “Ever found malware hiding in the “Default User” profile on Windows? Ever wonder how it got there or why it was there?”

John wins a signed first edition of ITB. If we had more staff this would have already been taken care of earlier last month. However, we have leaned on John’s patience a little and we will be getting this out to him as soon as possible.

Now, stay tuned for more information about future ITB events. We will be putting out the call for new articles very shortly and we hope that many of you will help us follow up with a second edition that matches the first.

Go forth and do good things,

Don C. Weber

Filed under: Information Tagged: Harlan Carvey, Into The Boxes, ITB, John McCash, Security Ripcord, Windows Incident Response

Into The Boxes: Issue 0×0

cutaway — Fri, 01 Jan 2010 14:09:16 +0000

It is official. Harlan and I are proud to announce the first edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×0

Of course this release would not have been possible if it were not for the contributions of Didier Stevens and Jamie Levy. These two produced, in our opinion, two very good articles that will benefit your analysis efforts and overall education. We all owe these two a big thank you for helping us get this effort moving forward. There were several others who also provided us various forms of encouragement and article submittals but, for various reasons, were not able to provide contend for this publications. Harlan and I would also like to thank these people as well and let them know we are looking forward to their submittals for Issue 0×1 in addition to their continued verbal support.

This issue contains four specific articles that cover a variety of digital forensic and incident response issues. More specifically:

Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens.

This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.

*nix Box: Red Hat Crash Memory Forensics – Jamie Levy

This article covers the installation and use of Redhat Crash Utility for Linux memory forensics.

Software Box: Beware The Preview Pane – Don C. Weber

A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

Squawk Box: PCI Interview with Harlan Carvey

An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts. We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

Posted in Releases Tagged: Didier Stevens, Don C. Weber, Harlan Carvey, Into The Boxes, ITB, Jamie Levy, Security Ripcord, Windows Incident Response

ITB DF/IR Tip Contest – Update

cutaway — Sat, 05 Dec 2009 13:23:17 +0000

Okay, the ITB DF/IR Tip Contest went off without a hitch. Well, actually there was one hitch. I have only found one entry. Harlan and I have been very busy generating content, getting ITB ready for the January release, and working our day jobs, but I did have time to search for entries using Twitter Search. I never found any hits with #ITBTIP tag. But, before I jump to any conclusions I am going to give you a week (till December 12, 2009) to point me to your DF/IR awareness tip. This tip must have been submitted during the contest timeframe. So, if you did submit a DF/IR awareness tip for the contest, please use the ITB Call Box and point us to your submittal. I will be glad to review your twitter history but please be sure to at least include a date and time to help narrow down the search.

Barring that I guess the one submittal will be the best submitted (it is pretty good anyway). As to the one person who submitted the lone, he did so via the ITB Call Box, so you will just have to await to see his entry. I would, however, like to thank him for participating.

Have a great holiday season,

Don C. Weber

Posted in Uncategorized

ITB DF/IR Tip Contest

cutaway — Thu, 05 Nov 2009 14:46:06 +0000

To help raise awareness about Into The Boxes (ITB), digital forensics, and incident response, ITB will be holding a competition via Twitter. This contest will also help show the community how easy it is to collaborate and contribute to the ITB effort. The basis of this competition are Digital Forensic and Incident Response (DF/IR) tips that can be placed in the space allowed by the Twitter “What are you doing?” textbox. To help ITB Staff identify entries each tip entry will need to start with “#ITBTIP: “. This leaves each contestant 131 characters to work with when creating a DF/IR tip. Links are allowed but they will only be taken in context of the DF/IR tip and not followed. Here is an example:

#ITBTIP: Wipe drive with known pattern – # sudo dcfldd textpattern=IntoTheBoxes of=/dev/

Size doesn’t matter as long as the tip is less than or equal to 140 characters including the header. Tips do not have to be technical. DF/IR managerial statements are sometimes just as important as the data acquisition and analysis and are good for elevator/water cooler comments and are the basis for more in-depth recommendations that can be used in Lessons Learned and Final Reports stemming from an incident response effort. Here is another example.

#ITBTIP: Centralized logging provides us valuable IT security information while reducing the cost required to review and alert on incidents.

All entries will be judged by the ITB staff. The results will be posted here and the top five will be included in the January 2010 release of ITB. Tips will also be reused, periodically, by ITB to promote DF/IR awareness. If you do not have a Twitter account but would still like to participate in the contest just drop us your tip, which must still follow the contest guidelines, using the ITB Call Box.

This contest will end on November 22nd, 2009. So you have a little time to think about what you want to do. To be fair only five submissions per person are permitted and only one of those will be allowed into the top five category. The first prize winner of this contest will receive a hard copy version of the ITB inaugural edition signed by the ITB Staff. Not much, but it is all we have right now. There will only be three hard copies made of this first edition, so this will be a limited edition.

While you are at it, you can follow ITB events by following us on Twitter or subscribing to our feed.

So, here is a list of those rules again. These may change a little if somebody points out something glaringly obvious, so check back and watch our Tweets.

All tips can only be 140 characters and must use the header “#ITBTIP: ” (so you only get 131 characters).
Links are allowed but they will only be taken in context of the DF/IR tip and not followed.
Contest ends at 00:00:00 CST on November 22nd, 2009 the winner will be announced on November 29th, 2009.
Five entries per person and only one can be in the top five.
All entries will be judged by ITB Staff.
Tips can be submitted via Twitter or the ITB Call Box.
All participants agree that their tips can be reused on the Into The Boxes website and in future Into The Boxes publications. All copyrights, outside of these limited publishing rights for Into The Boxes, will remain with the author of the ITB Tip.

Go forth and do good things,

Don C. Weber

inaugural

Posted in Information Tagged: Contest, Digital Forensics, Incident Response, Into The Boxes, ITB, Twitter

Contributing to Into The Boxes

cutaway — Tue, 03 Nov 2009 13:31:33 +0000

The staff of Into The Boxes have tried to make contributing to this resource as easy as possible. You can find most of the information you need right here. Just look to the right sidebar and you will find links to all of the following information.

Into The Boxes – Main page that will change very little but does contain useful information about the next release.
Blog Box - You are here. Enjoy and come back often.
Collaboration Box – Guidelines to help people understand how to collaborate and get articles published in this e-magazine.
Research Box - A list of topics to help authors who are looking for inspiration. We are accepting requests for articles and these requests will be posted here for us and others to consider as topics for future articles. Use the Call Box to get us you request or let us know you are working an a particular topic.
Mission Box – the mission statement which guides Into The Boxes.
Call Box – when you need to contact the staff of Into The Boxes use this web form. This will notify the proper personnel and we will get to your request as quickly as possible.

Obviously as we move forward we will have more pages with more information. Starting in the first week of January 2010, with the release of Into The Boxes‘ first issue, we will have pages for curent and previous issues of the e-magazine. For now, however, simple is better.

Do not forget to subscribe to the Into The Boxes feed so that you are up-to-date with new information about Into The Boxes. You can also get information about the e-magazine on Twitter by following IntoTheBoxes.

Please let us know if something is missing or needs clarification. The staff of Into The Boxes will get to your input as quickly as possible.

Go forth and do good things,

Don C. Weber

Posted in Information Tagged: Digital Forensics, Incident Response, Into The Boxes