Archive for ITB

Into The Boxes: Call for Collaboration 0×02

Posted in Information with tags , , , on July 25, 2010 by cutaway

In case you were wondering, Into The Boxes is still an active project.  Work load and professional changes have caused us to skip a quarter.  This will not deter our efforts and we are shooting for issue 0×02 to be published in September 2010.  Of course this will depend on the community.  Your input is necessary to our success.

Therefore this is another call for collaboration.  Please use the Call Box to provide us with details about issues and topics within digital forensics and incident response that interest you and your colleagues.  We look forward to your submissions and recommendations.  Anybody who has already contacted us we will be getting back to you within the next week or two about moving forward with your ideas.

For those of you attending Def Con, be sure to find me and talk to me about this or any other topics.  I will be busy working on the Mystery Challenge again, but there will be plenty of extra time to converse and have a beer or three.  See you there.

Go forth and do good things,

Don C. Weber

Registry Analysis and Geolocation Scripts Released

Posted in Information with tags , , , , on April 7, 2010 by cutaway

Harlan has released the scripts he used in the “Registry Analysis and Geolocation” article.  These scripts are available to members of the Win4n6 forum and can be downloaded from the “Files” directory.  Just look for the file named itb0x1.zip.  This zip file contains the following perl scripts which are to used with RegRipper:

  • ssid.pl,
  • networklist.pl, and
  • maclookup.pl.

Be sure to read the “readme.first” file as there are some requirements associated with the maclookup plugin.

Enjoy,

Don C. Weber

Into The Boxes: Issue 0×1

Posted in Releases with tags , , , , , , , , , , , , on April 5, 2010 by cutaway

It is time for the second edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×1

This time we have contributions from Scott Burkhart and Chris Pogue.  This is another diverse issue covering a wide range of digital forensic and incident response topics.  More specifically:

MAC Box: Introduction to Plist Files by Scott Burkhart

Want to know how OSX maintains its configurations?  Scott Burkhart breaks down the .plist configuration files and how they can be used during data analysis.

Squawk Box: The Simple Truth – Chris Pogue

Chris Pogue provides us some insights into the world of PCI breach incident response.

Software Box: Poorcase: Split Image Reconstruction – Don C. Weber

Richard Harman has released a new tool for combining split images for data analysis with tools that cannot inherently handle split images.

Windows Box: Registry Analysis and Geolocation – Harlan Carvey

Harlan Carvey explains how Windows Registry analysis can be leveraged to perform geolocation and establish information about the different physical locations a system has been used.

Hardware Box: Super DriveLock Review – Don C. Weber

Don C. Weber reviews Intelligent Computer Solutions’ Super DriveLock, a multi-interface write blocker which can be used in a digital forensic tower or taken on the road.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

ITB Issue 0×1 – Call For Collaboration

Posted in Information with tags , , , on February 7, 2010 by cutaway

The success of Into The Boxes Issue 0×0 was only possible because of the collaboration provided by members of the Digital Forensics and Incident Response community.  In order for this publication to continue we need more people to step up and provide their input.  As you can see from the first issue we are looking for input that can be implemented by people in the DF/IR fields.  This input can be in the form of detailed articles or quick tips.  All input will be given serious consideration.  The ITB editors will provide authors with recommendations to strengthen their write-ups to ensure the best value to the community and help the authors develop as DF/IR professionals and writers.

Please help ITB by providing your submissions or letting us know about your intent to submit via the ITB Call Box.  We are also looking for article recommendations which we will place in the ITB Research Box so that others have good ideas as to what will help the DF/IR Community.  Obviously, if you would like to contribute but do not know what to write about, check out the ITB Research Box for recommendations.

Go forth and do good things,

Don C. Weber

ITB DF/IR Tip Contest

Posted in Information with tags , , , , , on February 5, 2010 by cutaway

This has been a long time coming.  The winner of the first Into The Boxes DF/IR Tip Contest is John McCash with the one and only entry for this contest:

Windows ‘Default User’ Browser History may be left by anything that uses the WinInet APIs & runs as System, including wget.exe.

To clarify John points us to a post on Harlan’s blog: The Case of the “Default User” and Robert Hensing’s Blog post “Ever found malware hiding in the “Default User” profile on Windows? Ever wonder how it got there or why it was there?”

John wins a signed first edition of ITB.  If we had more staff this would have already been taken care of earlier last month.  However, we have leaned on John’s patience a little and we will be getting this out to him as soon as possible.

Now, stay tuned for more information about future ITB events.  We will be putting out the call for new articles very shortly and we hope that many of you will help us follow up with a second edition that matches the first.

Go forth and do good things,

Don C. Weber

Into The Boxes: Issue 0×0

Posted in Releases with tags , , , , , , , on January 1, 2010 by cutaway

It is official.  Harlan and I are proud to announce the first edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0×0

Of course this release would not have been possible if it were not for the contributions of Didier Stevens and Jamie Levy.  These two produced, in our opinion, two very good articles that will benefit your analysis efforts and overall education.  We all owe these two a big thank you for helping us get this effort moving forward.  There were several others who also provided us various forms of encouragement and article submittals but, for various reasons, were not able to provide contend for this publications.  Harlan and I would also like to thank these people as well and let them know we are looking forward to their submittals for Issue 0×1 in addition to their continued verbal support.

This issue contains four specific articles that cover a variety of digital forensic and incident response issues.  More specifically:

Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens.

This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.

*nix Box: Red Hat Crash Memory Forensics – Jamie Levy

This article covers the installation and use of Redhat Crash Utility for Linux memory forensics.

Software Box: Beware The Preview Pane – Don C. Weber

A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

Squawk Box: PCI Interview with Harlan Carvey

An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

ITB DF/IR Tip Contest

Posted in Information with tags , , , , , on November 5, 2009 by cutaway

To help raise awareness about  Into The Boxes (ITB), digital forensics, and incident response, ITB will be holding a competition via Twitter.  This contest will also help  show the community how easy it is to collaborate and contribute to the ITB effort.  The basis of this competition are Digital Forensic and Incident Response (DF/IR) tips that can be placed in the space allowed by the Twitter “What are you doing?” textbox.  To help ITB Staff identify entries each tip entry will need to start with “#ITBTIP: “.   This leaves each contestant 131 characters to work with when creating a DF/IR tip.  Links are allowed but they will only be taken in context of the DF/IR tip and not followed.  Here is an example:

#ITBTIP: Wipe drive with known pattern – # sudo dcfldd textpattern=IntoTheBoxes of=/dev/<drive>

Size doesn’t matter as long as the tip is less than or equal to 140 characters including the header.  Tips do not have to be technical.  DF/IR managerial statements are sometimes just as important as the data acquisition and analysis and are good for elevator/water cooler comments and are the basis for more in-depth recommendations that can be used in Lessons Learned and Final Reports stemming from an incident response effort.  Here is another example.

#ITBTIP: Centralized logging provides us valuable IT security information while reducing the cost required to review and alert on incidents.

All entries will be judged by the ITB staff.  The results will be posted here and the top five will be included in the January 2010 release of  ITB.   Tips will also be reused, periodically, by ITB to promote DF/IR awareness.  If you do not have a Twitter account but would still like to participate in the contest just drop us your tip, which must still follow the contest guidelines, using the ITB Call Box.

This contest will end on November 22nd, 2009.  So you have a little time to think about what you want to do.  To be fair only five submissions per person are permitted and only one of those will be allowed into the top five category.  The first prize winner of this contest will receive a hard copy version of the ITB inaugural edition signed by the ITB Staff.  Not much, but it is all we have right now.  There will only be three hard copies made of this first edition, so this will be a limited edition.

While you are at it, you can follow ITB events by following us on Twitter or subscribing to our feed.

So, here is a list of those rules again.  These may change a little if somebody points out something glaringly obvious, so check back and watch our Tweets.

  • All tips can only be 140 characters and must use the header “#ITBTIP: ” (so you only get 131 characters).
  • Links are allowed but they will only be taken in context of the DF/IR tip and not followed.
  • Contest ends at 00:00:00 CST on November 22nd, 2009 the winner will be announced on November 29th, 2009.
  • Five entries per person and only one can be in the top five.
  • All entries will be judged by ITB Staff.
  • Tips can be submitted via Twitter or the ITB Call Box.
  • All participants agree that their tips can be reused on the Into The Boxes website and in future Into The Boxes publications.  All copyrights, outside of these limited publishing rights for Into The Boxes, will remain with the author of the ITB Tip.

Go forth and do good things,

Don C. Weber

inaugural
Follow

Get every new post delivered to your Inbox.