Archive for Harlan Carvey

Registry Analysis and Geolocation Scripts Released

Posted in Information with tags , , , , on April 7, 2010 by cutaway

Harlan has released the scripts he used in the “Registry Analysis and Geolocation” article.  These scripts are available to members of the Win4n6 forum and can be downloaded from the “Files” directory.  Just look for the file named itb0x1.zip.  This zip file contains the following perl scripts which are to used with RegRipper:

  • ssid.pl,
  • networklist.pl, and
  • maclookup.pl.

Be sure to read the “readme.first” file as there are some requirements associated with the maclookup plugin.

Enjoy,

Don C. Weber

Into The Boxes: Issue 0×1

Posted in Releases with tags , , , , , , , , , , , , on April 5, 2010 by cutaway

It is time for the second edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×1

This time we have contributions from Scott Burkhart and Chris Pogue.  This is another diverse issue covering a wide range of digital forensic and incident response topics.  More specifically:

MAC Box: Introduction to Plist Files by Scott Burkhart

Want to know how OSX maintains its configurations?  Scott Burkhart breaks down the .plist configuration files and how they can be used during data analysis.

Squawk Box: The Simple Truth – Chris Pogue

Chris Pogue provides us some insights into the world of PCI breach incident response.

Software Box: Poorcase: Split Image Reconstruction – Don C. Weber

Richard Harman has released a new tool for combining split images for data analysis with tools that cannot inherently handle split images.

Windows Box: Registry Analysis and Geolocation – Harlan Carvey

Harlan Carvey explains how Windows Registry analysis can be leveraged to perform geolocation and establish information about the different physical locations a system has been used.

Hardware Box: Super DriveLock Review – Don C. Weber

Don C. Weber reviews Intelligent Computer Solutions’ Super DriveLock, a multi-interface write blocker which can be used in a digital forensic tower or taken on the road.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

ITB DF/IR Tip Contest

Posted in Information with tags , , , , , on February 5, 2010 by cutaway

This has been a long time coming.  The winner of the first Into The Boxes DF/IR Tip Contest is John McCash with the one and only entry for this contest:

Windows ‘Default User’ Browser History may be left by anything that uses the WinInet APIs & runs as System, including wget.exe.

To clarify John points us to a post on Harlan’s blog: The Case of the “Default User” and Robert Hensing’s Blog post “Ever found malware hiding in the “Default User” profile on Windows? Ever wonder how it got there or why it was there?”

John wins a signed first edition of ITB.  If we had more staff this would have already been taken care of earlier last month.  However, we have leaned on John’s patience a little and we will be getting this out to him as soon as possible.

Now, stay tuned for more information about future ITB events.  We will be putting out the call for new articles very shortly and we hope that many of you will help us follow up with a second edition that matches the first.

Go forth and do good things,

Don C. Weber

Into The Boxes: Issue 0×0

Posted in Releases with tags , , , , , , , on January 1, 2010 by cutaway

It is official.  Harlan and I are proud to announce the first edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×0

Of course this release would not have been possible if it were not for the contributions of Didier Stevens and Jamie Levy.  These two produced, in our opinion, two very good articles that will benefit your analysis efforts and overall education.  We all owe these two a big thank you for helping us get this effort moving forward.  There were several others who also provided us various forms of encouragement and article submittals but, for various reasons, were not able to provide contend for this publications.  Harlan and I would also like to thank these people as well and let them know we are looking forward to their submittals for Issue 0×1 in addition to their continued verbal support.

This issue contains four specific articles that cover a variety of digital forensic and incident response issues.  More specifically:

Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens.

This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.

*nix Box: Red Hat Crash Memory Forensics – Jamie Levy

This article covers the installation and use of Redhat Crash Utility for Linux memory forensics.

Software Box: Beware The Preview Pane – Don C. Weber

A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

Squawk Box: PCI Interview with Harlan Carvey

An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

Follow

Get every new post delivered to your Inbox.