Archive for Windows Incident Response

Into The Boxes: Issue 0x1

Posted in Releases on April 5, 2010 by cutaway

It is time for the second edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0x1

This time we have contributions from Scott Burkhart and Chris Pogue.  This is another diverse issue covering a wide range of digital forensic and incident response topics.  More specifically:

MAC Box: Introduction to Plist Files by Scott Burkhart

Want to know how OSX maintains its configurations?  Scott Burkhart breaks down the .plist configuration files and how they can be used during data analysis.

Squawk Box: The Simple Truth – Chris Pogue

Chris Pogue provides us some insights into the world of PCI breach incident response.

Software Box: Poorcase: Split Image Reconstruction – Don C. Weber

Richard Harman has released a new tool for combining split images for data analysis with tools that cannot inherently handle split images.

Windows Box: Registry Analysis and Geolocation – Harlan Carvey

Harlan Carvey explains how Windows Registry analysis can be leveraged to perform geolocation and establish information about the different physical locations in which a system has been used.

Hardware Box: Super DriveLock Review – Don C. Weber

Don C. Weber reviews Intelligent Computer Solutions’ Super DriveLock, a multi-interface write blocker which can be used in a digital forensic tower or taken on the road.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber


ITB DF/IR Tip Contest

Posted in Information on February 5, 2010 by cutaway

This has been a long time coming.  The winner of the first Into The Boxes DF/IR Tip Contest is John McCash with the one and only entry for this contest:

Windows ‘Default User’ Browser History may be left by anything that uses the WinInet APIs & runs as System, including wget.exe.

To clarify, John points us to a post on Harlan’s blog, The Case of the “Default User”, and Robert Hensing’s blog post “Ever found malware hiding in the “Default User” profile on Windows? Ever wonder how it got there or why it was there?”

John wins a signed first edition of ITB.  If we had more staff, this would have already been taken care of earlier last month.  However, we have leaned on John’s patience a little and we will be getting this out to him as soon as possible.

Now, stay tuned for more information about future ITB events.  We will be putting out the call for new articles very shortly and we hope that many of you will help us follow up with a second edition that matches the first.

Go forth and do good things,

Don C. Weber

Into The Boxes: Issue 0x0

Posted in Releases on January 1, 2010 by cutaway

It is official.  Harlan and I are proud to announce the first edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

Into The Boxes: Issue 0x0

Of course this release would not have been possible if it were not for the contributions of Didier Stevens and Jamie Levy.  These two produced, in our opinion, two very good articles that will benefit your analysis efforts and overall education.  We all owe these two a big thank you for helping us get this effort moving forward.  There were several others who also provided us various forms of encouragement and article submittals but, for various reasons, were not able to provide content for this publication.  Harlan and I would like to thank these people as well and let them know we are looking forward to their submittals for Issue 0x1 in addition to their continued verbal support.

This issue contains four specific articles that cover a variety of digital forensic and incident response issues.  More specifically:

Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens

This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.

*nix Box: Red Hat Crash Memory Forensics – Jamie Levy

This article covers the installation and use of the Red Hat Crash Utility for Linux memory forensics.

Software Box: Beware The Preview Pane – Don C. Weber

A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

Squawk Box: PCI Interview with Harlan Carvey

An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

As always, please let us know how you feel and provide us with recommendations and article submittals for future ITB efforts.  We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

Welcome to “Into The Box”

Posted in Information on October 28, 2009 by keydet89

Don and I have discussed for some time starting a magazine or e-mag, of sorts, for the DF/IR communities.

I thought it would be a good idea to start off with a “why are we doing this” post, and to answer that question, I’ve included the mission statement that Don and I came up with here:

The mission of Into The Boxes – Digital Forensics and Incident Response Magazine is to provide a reliable resource regarding digital forensics and incident response topics, and issues facing the information security and computer forensic communities. The goal of Into The Boxes is to provide quarterly insight into technical and managerial issues in the community through content provided by professionals actively engaged in these activities. Open communications and sharing are critical components to education and advancement, and the contributors associated with Into The Boxes hope to provide consistent and insightful resources that will lead to open discussions and advancements within the digital forensics and incident response communities.

So, this blog will act as an initial resource for communications until Into The Boxes hits the streets, and once that happens, will act as a supporting resource (notification of release, providing responses and table of content information between issues, etc.).

Now, this e-mag is NOT meant to replace anything; in fact, it’s an attempt to augment what’s already out there, by providing additional resources in an easy-to-read and easy-to-manage format.

That being said, the best way to turn this into a valuable resource is to get insight and input from the community…that means you. Feel free to comment here or email us to provide your thoughts, comments, questions, insights, and requests. One word about requests…being just two guys doing this all on our own, please consider this…any request that you have that requires resources (i.e., commercial tools or software, equipment, significant time, etc.)

Harlan Carvey