Much busier week this week. I think this is my longest post so far. Looks like everyone’s gearing up for the holidays so they’re posting everything now. I’ll be posting slightly earlier for the next couple weeks because the holidays fall on days I don’t want to spend working.
Enjoy!
SOFTWARE UPDATES
- Didier Stevens updated two of his scripts during the week
- OLEDump was updated to version 0.0.26 to include “an indicator (O) for streams containing OLE 1.0 embedded data and plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.”
Update: oledump.py Version 0.0.26
- PECheck.py was updated to version 0.6.0 adding the ability to “produce a compact overview of all the resources in a PE file”.
Update: pecheck.py Version 0.6.0 – Overview Of Resources
- Nuix has released updated versions of their Nuix Web Review & Analytics, Nuix Sensitive Data Finder, and Nuix Management Console, along with Version 7.2 of their processing engine. The update adds “streamlined optical character recognition, more granular document imaging control, powerful time and location analytics, and direct access to more cloud and mobile data sources”.
Nuix Released Version 7.2 Of Its Patented Processing Engine
- X-Ways Forensics 19.0 SR-9 was released, fixing various bugs.
X-Ways Forensics 19.0 SR-9
- X-Ways Forensics 19.1 Preview 6 was released, adding new options in the Case Data context menu including marking important evidence objects with lightbulbs, and backing up volume snapshots, as well as “recognition of new file system level compression style in NTFS under Windows 10” and other minor bug fixes and improvements.
X-Ways Forensics 19.1 Preview 6
- GetData updated Mount Image Pro to version 6.1.3.1678 to fix some issues with the dongle activation.
12 Dec 2016 – 6.1.3.1678
- Cellebrite updated their UFED PA/LA/Reader tools to version 5.4.5. This version “enables the extraction and decoding of encrypted iOS 10.2 beta backups via the Advanced logical extraction process (Method 1)” and fixed a number of bugs.
UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader Version 5.4.5
- Oxygen Forensic updated their Detective product to version 9.1 adding iCloud token extraction/use, support for 2FA for Google-based cloud services, acquisition of iCloud Photo Stream and VKontakte data, and decryption of “Samsung physical dumps made via custom forensic recovery method”, LG Android TOT images, and encrypted iOS 10.2 backups.
Oxygen Forensic® Detective finds iCloud token on computer and extracts Photo Stream
- MOBILedit Forensic Express 3.6.2 was released with a variety of improvements and bug fixes, as well as new and updated application analysers.
Forensic Express 3.6.2 released
- Guidance Software have updated EnCase Forensic and the Tableau Password Recovery (TPR) hardware. EnCase Forensic v8.03 now supports custom pathways, installation on the Windows 10 Anniversary Update, and an online help file. The new TPR 1.2 features a refreshed UI and additional file types accelerated by TACC2, including MS Office 2013 and 2016, Apple FileVault 2, Android Image, and RAR 5.x.
Guidance Software Releases Enhanced Solutions For Law Enforcement
- DVR Examiner was updated to version 1.28.0, adding and improving support for various file systems.
DVR Examiner 1.28.0
- Brian Carrier announced a new release of Cyber Triage, now at version 1.7. The new release allows examiners to “automatically see what registry keys reference a file with malware, what processes are using the file, and remote hosts with active connections to those processes.”
Exposing More Data to Save Time
- Brian Moran has updated his Live Response Collection to version Bambiraptor, fixing various issues. Brian also made some changes to the OS X side of the script, adding automated disk imaging through the onboard dd command.
Live Response Collection – Bambiraptor
- Blackbag Technologies released Blacklight 2016 R3. The update adds parsing and analysis tools for Win8/10 hiberfil/raw memory, Event Logs and Apple System Logs, and iOS/OSX Recent Databases. The update also adds support for iOS 10 Encrypted Backup as well as new Data Structure Templates and other features.
Blacklight 2016 R3 Is Now Available!
- Passware has released Passware Kit 2017 v1. The new version “decrypts FileVault2 volumes instantly using data extracted from iOS backups, supports QuickBooks 2016 and 2017, 1Password for Mac, [and] adds dictionaries for Danish and Swedish languages”.
New In Passware Kit 2017 v1
- Devon Ackerman released a couple of Python scripts that examiners may find useful. The first base64Decoder “supports a couple of methods for decoding base64 obfuscated/encoded strings as found during routine intrusion responses events”. The second, fileExaminer.py, is “useful for identifying quickly key information about a particular file to include hashes, footer, header, and file size information.”
Bending-Python-for-4n6s
- Eric Zimmerman quietly pushed a few updates to his TimelineExplorer (version 0.2.0.0), ShellbagExplorer (version 0.7.0.0) and AppCompatCacheParser (Version 0.9.4.0). You can download these tools here.
- Magnet Forensics updated Internet Evidence Finder to version 6.8.5 however I wasn’t able to locate the release notes out in the wild.
SOFTWARE/PRODUCT RELEASES
- Vitaliy Mokosiy at Atola Technologies has released a tool called Seghash, which “calculates segmented hashes of image [and] verifies calculated segmented hashes”. Segmented hashing is the process of hashing all the LBA ranges (chunks) of an image, where the “sum of the LBA ranges represents the entire image”. “By validating all hashes in a set, you can still prove that the entire image was not modified”.
Seghash – Open-source tool for segmented hashing
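Segmented hashing as described above, written out as an added Python example (this is not Seghash’s or Atola’s code): it hashes a constructed image as a set of fixed-size LBA ranges, checks that the ranges add up to the entire image with no gaps or overlaps, and on verification reports which segment changed rather than just that the whole image failed. The 512-byte sector size and the SHA-256 algorithm are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Sequence

SECTOR = 512  # assumed logical block size; one LBA = one 512-byte sector


@dataclass(frozen=True)
class SegmentHash:
    start_lba: int  # first LBA of the range (inclusive)
    end_lba: int    # last LBA of the range (inclusive)
    sha256: str     # hex digest of the bytes in that LBA range


def segmented_hash(image: bytes, segment_sectors: int) -> List[SegmentHash]:
    """Hash an image as contiguous LBA ranges of segment_sectors sectors each.

    The last range is shorter when the image size is not a multiple of the
    segment size, so the ranges always add up to the whole image.
    """
    if segment_sectors <= 0:
        raise ValueError("segment_sectors must be positive")
    if len(image) % SECTOR:
        raise ValueError("image length is not a whole number of sectors")
    total_sectors = len(image) // SECTOR
    segments = []
    for start in range(0, total_sectors, segment_sectors):
        end = min(start + segment_sectors, total_sectors) - 1
        chunk = image[start * SECTOR:(end + 1) * SECTOR]
        segments.append(SegmentHash(start, end, hashlib.sha256(chunk).hexdigest()))
    return segments


def covers_whole_image(segments: Sequence[SegmentHash], total_sectors: int) -> bool:
    """True when the sum of the LBA ranges is exactly the entire image.

    A hash set with a missing or overlapping range proves nothing about the
    sectors it skips, so this check runs before any digest is compared.
    """
    if not segments:
        return total_sectors == 0
    ordered = sorted(segments, key=lambda s: s.start_lba)
    if ordered[0].start_lba != 0:
        return False
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start_lba != prev.end_lba + 1:  # gap or overlap between ranges
            return False
    return ordered[-1].end_lba == total_sectors - 1


def verify_segmented(image: bytes, segments: Sequence[SegmentHash]) -> List[int]:
    """Re-hash every range and return the indices of segments that no longer match.

    An empty list means every range verified, i.e. the whole image is unmodified;
    a non-empty list localises the change to specific LBA ranges.
    """
    if len(image) % SECTOR:
        raise ValueError("image length is not a whole number of sectors")
    if not covers_whole_image(segments, len(image) // SECTOR):
        raise ValueError("segment set does not cover the entire image")
    mismatched = []
    for index, seg in enumerate(segments):
        chunk = image[seg.start_lba * SECTOR:(seg.end_lba + 1) * SECTOR]
        if hashlib.sha256(chunk).hexdigest() != seg.sha256:
            mismatched.append(index)
    return mismatched


def sample_image() -> bytes:
    """Constructed 20-sector image with deterministic content (not a real disk)."""
    return bytes((i * 7) % 256 for i in range(20 * SECTOR))


if __name__ == "__main__":
    original = sample_image()
    hash_set = segmented_hash(original, 8)  # ranges 0-7, 8-15, 16-19
    for seg in hash_set:
        print(f"LBA {seg.start_lba:>3}-{seg.end_lba:<3} {seg.sha256}")
    print("unmodified:", verify_segmented(original, hash_set) == [])

    # Flip one byte in sector 9 and show that only the second range fails.
    damaged = bytearray(original)
    damaged[9 * SECTOR + 3] ^= 0xFF
    print("mismatched segments:", verify_segmented(bytes(damaged), hash_set))
```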
- Shusei Tomonaga at JP Cert/CC introduces a tool “impfuzzy for Volatility”, “which JPCERT/CC has created for extracting known malware from memory images and utilises for analysis operations”. The tool is available on GitHub.
A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility
- Ty Labs have released a tool called quicksand_lite, which “is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables.”
QuickSand.io
PRESENTATIONS/PODCASTS
- Presentations are available for BSides Zurich 2016.
Abstracts
- Joshua James at Cybercrime Technologies shared three videos this week
- This video shows how to use “basic data processing tools strings, grep and photorec to start an analysis of RAM”.
[How To] Digital Forensic Memory Analysis – strings, grep and photorec
- This video covers the paper by K. Lee, H. Hwang, K. Kim, and B. Noh, called “Robust bootstrapping memory analysis against anti-forensics” that was published in the Journal of Digital Investigation in August 2016
What I’m Reading: Robust bootstrapping memory analysis against anti forensics
- The third video is a beginner introduction to The Sleuth Kit, examining the file system of a FAT32 partition.
Beginner Introduction to The Sleuth Kit (command line)
- Didier Stevens posted a video on the Nvisio Belgium YouTube channel on how to extract the executable from the JScript file examined previously.
- Didier Stevens published a YouTube video analysing a maldoc with oledump. The maldoc contains a VBScript that sleeps for 5 minutes before executing to avoid examination with an automated sandbox environment. Here is the associated Handler Diary.
Sleeping VBS Really Wants To Sleep
- Digital Forensics Corp shared a two-part series by ‘Malware Analysis For Hedgehogs’ analysing a packed Fleercivet sample. The first video covers “basic static analysis, detection name interpretation and unpacking”. The second video shows how to use IDA to change the binary to defeat VM detection and perform dynamic analysis.
Malware Analysis: Full Analysis Of Fleercivet
- Carrie Roberts at Black Hills Information Security has demonstrated her Domain Password Audit Tool (DPAT) Python script in a YouTube video.
WEBCAST: Demo of Domain Password Audit Tool
- Paula at Cquire has posted a tutorial on finding various passwords stored in Windows using the CQ Tools.
Where we can find different kinds of passwords in the operating system?
- Blackbag Technologies uploaded a webinar by Don Brister showcasing the new features found within Blacklight 2016 R3.
BlackLight 2016 R3 New Features Webinar
- They also uploaded a shorter video showing the new feature for parsing Win8/10 Raw memory dumps and hiberfil.sys
Sneak Peek: BlackLight 2016 R3 – Windows 8 & 10 Memory
- “This presentation was recorded during 2016 PCI SSC North America Community Meeting Vendor Showcase in Las Vegas. Brad Dispensa (Senior Solutions Architect WWPS, Amazon Cloud Services, Amazon Corporation) and Tom Arnold (Head of Digital Forensics, Payment Software Company PSC) examine the unique nature of Amazon EC2 and highlight services supporting PCI compliance and general security of sites operating in the Cloud”.
PCICM Las Vegas 2016 – Incident Response in the Amazon EC2 Cloud by Brad Dispensa and Tom Arnold
- Cindy Murphy and Chris Crowley hosted a webinar on analysing Android applications/malware which is now available online. Cindy and Chris “will show tools and techniques you can use to inspect Android applications to determine if they exhibit malicious behavior, using the Hummingbad family of malware as example specimens”
Hummingbad: Tools & Techniques To Use When Inspecting Android Applications
- Lee Reiber’s first Mobile Forensics Minute, introducing the weekly vlog
Mobile Forensic Minute #001
- This week’s episode of the Digital Forensics Survival podcast provides a few tips for imaging Mac computers. Michael suggests that your kit should include a physical Mac keyboard (to avoid connectivity issues), as well as a USB-C-to-USB adapter to deal with the newer MacBooks/MacBook Pros. Upon starting, examiners should hold the Option key while powering on the device to identify the bootable volumes on the system, as well as to determine if there’s a firmware password. Regarding FileVault 2, Michael suggests that, if you’re able to, you can get the owner to turn it off prior to imaging. If the computer is live and you’re in an unfriendly situation (i.e. you can’t obtain the FV2 password) then Michael advises copying the data to a non-HFS volume. I would disagree with this advice as you would lose the metadata associated with the files. Michael explains that the reason for doing this is that it avoids the issue of the files remaining encrypted; however, I haven’t seen this in my dealings with FV2-encrypted Macs. Michael goes on to explain that Paladin is a freely available distro that can be used to boot into and image Macs, and that when dealing with Fusion drives you can image all components and then use the inbuilt OS X Terminal command diskutil to recombine the drives into a logical volume. My preference is to utilise a tool called MacQuisition because it removes the double-handling when imaging drives. It’s not as cheap (read: free) as Paladin, however it allows you to enter the password for encrypted Macs (which is now a majority of them due to FV2 being turned on by default), or mount CoreStorage/Fusion drives, and image them straight away rather than imaging on the exhibit Mac and then decrypting back at base.
DFSP # 043 – Imaging a Mac: Survival Tips
- On this week’s Cybersecurity Interviews podcast, Douglas interviewed Nicholas Percoco, Chief Information Security Officer at Uptake. The interview covered Nicholas’ career history, his personal interest in beer, public speaking, as well as his involvement with Chicago’s THOTCON. I found Nicholas’ comments on the talent shortage interesting; he says that there’s not necessarily a talent shortage, just that people might need to go out and find the right people for the job. Those people may not have the skills straight away, but as long as they have the drive then you can invest in them. For those getting into the industry, Nicholas recommends that you learn about the building blocks of the Internet and networks, learn a programming language, and get out to the cons and speak to people (because that’s where he’s doing his hiring). The part that really hits home is how he said that he might not be hiring the best person in the world for the job, but it’s the best person that he knows.
#004 – Nicholas Percoco: Don’t Second Guess Yourself
FORENSIC ANALYSIS
- Joff Thyer at Black Hills Info Sec explains the benefits of updating Windows Management Framework (WMF) to version 5.0 across an organisation. Windows 7, which is prevalent in organisations, comes with PowerShell v2 which “provides no real event logging ability, thus leaving defenders largely blind with the exception of one PowerShell script signing policy”. Joff then lists the various logging features that can be enabled with the updated WMF and shows how to enable them.
PowerShell Logging for the Blue Team
- The guys at CyberForensicator shared a few posts this week
- They shared a tool written by Karsten Hahn called PortEx which “is a Java library for static malware analysis of portable executable files. Its focus is on PE malformation robustness and anomaly detection.”
Analyse Portable Executable Files with PortEx
- They shared a tool written by Jake Valletta which can be used to parse the iOS Apple Push Notification (“APN”) .pushstore files.
Parse Apple Push Notification service files with pushstore_parser
- They shared an article by Adam Bridge which covers examining RAM “to identify a keylogger that was running, what files were responsible for running it, and how it managed to ensure it was started every time the machine booted up”.
Identifying Malware from a Memory Capture
- There were a couple of posts on Forensic Focus
- Scar interviewed Yuri Gubanov, CEO of Belkasoft, who provided some info about his background, an overview of the happenings in the company, and a few fun tidbits, like how “Belka” means “Squirrel” in Russian.
Interviews – 2016 Interview With Yuri Gubanov, CEO, Belkasoft
- Oxygen Forensic have introduced an Enterprise License to their Detective product that “allows experts to borrow the dongle from the main license if they need to go into the field or do not have an internet connection”.
(As a side note, whilst we’re talking about dongles/licenses, can vendors please update their tools so that if the dongle is removed the tool doesn’t crash or drop into a different mode – pause processing and keep polling until the dongle gets put back in.)
Oxygen Forensics Offers Enterprise License
- Will Ascenzo at Gillware Digital Forensics describes a case of a weather-worn Samsung Galaxy S3 found in the woods. The team had two options – chip off, or clean the logic board and transplant it to a new phone. They were able to clean the logic board up and after some minor repairs it was successfully transplanted into another device for examination.
Forensic Case Files: Reviving a Samsung Galaxy S3
- Jasper at Packet Foo covers the basics of Test Access Ports (TAPs) and “why you would want (or need) to use them in network capture”.
The Network Capture Playbook Part 5 – Network TAP Basics
- Matt Bromiley has started the Zeltser Challenge, giving me plenty of content for the next 365 days! I’m not sure if I should put them all together, or split them into the categories; if anyone has an opinion let me know, but otherwise I’ll just leave them all together.
- The first day is Scripting Saturday and introduces an IP Geolocation python script that utilises the MaxMind databases.
Zeltser Challenge Day 1
- This post reviews “Practical Forensic Imaging” by Bruce Nikkel. Matt describes the various topics the book covers as well as his key takeaways.
Sunday GrabBag: Book Review of Practical Forensic Imaging
- This post discusses fileless malware; malware writers have found that they can hide “malicious code inside of repositories like the Windows Registry or run malware solely in memory”. Matt describes the Kovter malware and explains a method of detection.
Malware Monday!
- This week’s Torvalds Tuesday focuses on Linux logon history. Matt describes the three files of interest (btmp, utmp, and wtmp) and explains how to parse them during live and dead-box examinations.
Torvalds Tuesday: Logon History in the *tmp Files
- Matt has detailed the AppCompatCache, also known as the Shim Cache, in this post. This is a fairly comprehensive explanation of what the shim cache is, and what you can determine from examining it.
Windows Wednesday: Application Compatibility Cache
- Tooling Thursday covers Eric Zimmerman’s AppCompatCacheParser tool, as an alternative to the Mandiant ShimCache Parser that Matt recommended in his earlier post.
Tooling Thursday: AppCompatCacheParser
- Instead of a weekly podcast, Matt has changed Fridays to cover network forensics. This week’s post focuses on “analyzing the malware traffic sample put forward on October 15, 2016, over at malware-traffic-analysis.net (“MTA”)”
Full Packet Fridays: 2016–10–15 Malware Traffic Analysis
- And finally, Matt has released “version 0.1.0 of Ballast, a Digital Ocean droplet manager”, written in Python. “Ballast is simply an information gathering script” used to “quickly retrieve droplet information …, such as IP address, droplet name, and memory and disk sizes”.
Scripting Saturday: Ballast
- Samuel Alonso has started a series on “memory forensics and how to hunt your attacker once he has been identified inside your network”. This post explains the general process of memory analysis and uses vshot, developed by Devin Gergen, on Remnux to run a series of Volatility plugins across a RAM capture.
Memory Forensics with Vshot and Remnux (1)
- Oleg Afonin at Elcomsoft posted a few times this week on 2-factor authentication
- He has started a series discussing “the differences between implementations of two-factor authentication … in Android, iOS and Windows 10 Mobile”. He also covers the “usability and security implications of each implementation”. This post covers Apple’s history of 2-step and 2-factor verification.
Exploring Two-Factor Authentication
- This post explains how to use authentication tokens to extract iCloud data.
Bypassing Apple’s Two-Factor Authentication
- This post shares some information about Google’s take on two-factor authentication. Google has a large variety of 2FA services ranging from printable backup codes and time-based one-time passwords to Google Prompt, a secure Yes/No based prompt on your Android or iOS device.
Google’s Take on Two-Factor Authentication
- Digital Forensics Corp shared a number of links this week
- They shared an article on Forensic Analysis of Windows Event Logs however I couldn’t really follow what it was saying. They referenced an article by Ofer Shezaf, however, I was unable to locate the link in the post.
Forensic Analysis Of Windows Event Logs (windows Files Activities Audit)
- They wrote an article expanding on Oleg Afonin’s previous post on 2FA on iOS, covering Android and Windows 10 Mobile.
Secure Your Account – Two-factor Authentication Inside
- They shared a link to Salvation Data’s SmartPhone Forensic System (SPF), which now “enables users to extract data from locked phones with Qualcomm chips when the phone is protected with screen lock, bootloader or is not debugged”.
How To Extract Data From The Locked Qualcomm Powered Device
- Patrick J. Siewert has a post about analysis and the translation of information into evidence. He starts by explaining the benefits of performing a deep-dive forensic analysis of a system as opposed to relying on the low-hanging-fruit triage tools. A combination of triage and forensic analysis can definitely help hone in on the important devices. Patrick also identifies that “critical thinking and effective communication” are very important skills for examiners to have to turn the data they’ve gathered into useful information.
Analysis vs. Translation
- David Pany and Fred House at FireEye explain how to extract program execution artefacts (software metering history) from Microsoft’s System Center Configuration Manager (SCCM). These artefacts will “only be recorded if the system is connected to a domain with an SCCM server and if software metering is enabled” and are therefore more likely to be found on enterprise systems.
Do You See What I CCM?
- The students at Champlain College have performed a forensic analysis of a series of devices that have utilised a goTenna network. The team used a couple of Nexus devices connected via Bluetooth to the goTenna transmitters and intercepted data using the Ubertooth One and HackRF. They also examined the file systems of the phones used but found the data to be obfuscated. They were able to identify where and when the app was installed, as well as the “name of the user associated with the goTenna app, and a timestamp for the last time the goTenna was connected to the phones”.
Forensics Analysis of goTenna
- Ryan at Obsidian Forensics investigated Universal Analytics, Google’s update to their forensically-useful (and I guess it’s also used for Advertising) Google Analytics program. Unfortunately, the UA cookies don’t provide as much information as the now legacy GA cookies, only providing one timestamp for the previous visit. The ‘user explorer’ option on a site looks pretty interesting, especially if you’re able to use it to correlate internet activity on the device itself.
Investigating Universal Analytics
- The SANS Reading Room has posted David Brown’s whitepaper on using Splunk to find bad. The paper “will recommend common Linux and Windows tools to scan networks and systems, store results to local filesystems, analyze results, and pass any new data to Splunk”. “The following tools are used: diff, grep, Nmap, Splunk Enterprise, WMIC, and Nessus”.
Finding Bad with Splunk
- There’s a post on the “PenTesting | Hacking | Coding” blog regarding collecting volatile data using inbuilt and SysInternals tools. The post lists the various commands and then explains what they do.
Forensics – Collecting Volatile Data
- Russ McRee has a post on the SANS ISC Handler Diaries regarding Image Steganography and StegExpose. One uses steganography to hide a file, and the other is used to identify whether or not steganography is in play. Russ also included a contest, but that’s come and gone by the time of this posting.
Steganography in Action: Image Steganography & StegExpose
- Brian Maloney has started a new blog and introduces a plugin he’s developed for ProcDOT named PCAP_tools. The plugin allows you to extract files from a PCAP or a specific TCP stream, and gives “ProcDOT the ability to follow TCP streams without having to use another tool like Wireshark”. The post then walks through how to use the plugin.
PCAP_tools. A plugin for ProcDOT to enhance your pcap viewing experience.
MALWARE
- There were a couple posts on Fortinet this week
- Axelle Apvrille examines a Mirai variant named Linux/Mirai.B!worm. This variant unintentionally forced 900,000 customers off the Internet after “a coding error in the malware caused some modems to fail rather than run the exploit code”.
Research: Disassembling Linux/Mirai.B!worm
- Joie Salvio and Rommel Joven examine “a malicious document macro designed to bypass Microsoft Windows’ UAC security and execute Fareit, an information stealing malware, with high system privilege”.
Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware
- Proofpoint researchers have identified an improved version of the “DNSChanger Exploit Kit” and explain that it now uses “external DNS resolution for internal addresses”, steganography, a dozen new router exploits, the ability to expose routers to additional attackers, as well as now accepting Android devices into the malvertising chain.
Home Routers Under Attack via Malvertising on Windows, Android Devices
- Adam at Hexacorn has been busy this week
- The first post lists a variety of techniques that could slip up your threat hunting/EDR techniques and solutions.
A few ideas to mess around with threat hunting, and EDR software (anti-threat hunting/anti-edr)
- This post shows how to use Wine on Linux to perform Windows malware analysis.
Malware analysis using Wine
- This post updates the previous list of packer/protector/tool section names/keywords and popular section names. Silas Cutler then updated his pinfo.py script to add the new info.
PE Section names – re-visited
- In this post, Adam describes a “hidden flag that can help to trace what’s going on when malware runs”. By updating a registry key you can enable “a built in debugging/tracing mechanism [in the WinHttp library] that enables it to log a lot of interesting details and send it either to a file, or directly to a debugger (or both)”.
Supporting dynamic Malware Analysis with WinHttp library debug logs (tracing)
- The last post is a list of all the documented callback functions to give us “at least a theoretical knowledge of what is out there”. “A typical call back is just a function address that is passed to a legitimate, most often a well-documented and innocent API function and then the callback function is executed internally when the API encounters a specific event the callback is set up to intercept”.
Shellcode. I’ll Call you back.
- Richie Cyrus’s white paper was posted to SANS Reading Room which covers using the Bro Network Security Monitor (Bro) “for rapid detection [of malicious activity] through custom scripts and log data”.
Detecting Malicious SMB Activity Using Bro
- Anton Cherepanov at We Live Security analyses the malware used by the TeleBots attackers (who may be associated with the BlackEnergy group). The attackers used a maldoc, which downloaded a trojan, which downloaded the Python/TeleBot.AA backdoor. The remainder of the article analyses the Python component of the attack.
The rise of TeleBots: Analyzing disruptive KillDisk attacks
- Chad Loeven at VMRay has posted on how “VMRay Analyzer successfully detects the code injection and anti-analysis attempts” used by AtomBombing. It also shows the various functions and processes used by the attack.
Atombombing Evasion And Detection
- Malwarebytes Labs had a couple of posts this week
- Pieter Arntz decompiled the code for the VinCE screen locker ransomware. For this particular variant, it appears that the F6 key either closes the locker program or allows it to be closed.
A closer look at a tech support screen locker
- Hasherezade analyses the GoldenEye ransomware.
Goldeneye Ransomware – the Petya/Mischa combo rebranded
- Robert Falcone and Bryan Lee at Palo Alto Networks have analysed two variants of the DealersChoice EK in use by the Sofacy group, focusing on finding live C2 servers.
Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue
- Federico Maggi at Trend Micro discusses the “detection and mitigation techniques that security vendors can use to stop [mobile malware]”.
Mobile Ransomware: How to Protect Against It
- Digital Forensics Corp shared an article that combines this article and this one regarding extracting malware from the firmware of mobile devices, primarily running Android.
How to extract Malware from Firmware of Mobile Devices
- Marco Ramilli shares a malware analysis “dataset with the scientific community (and everybody interested on it) in order to give to everyone a base point to start with Machine Learning for Malware Analysis”. Marco is also looking for malware contributions, so if you get in touch with him he can include them in the dataset.
Malware Training Sets: A machine learning dataset for everyone
- Marion Marschalek at Cyber.wtf has finished off ‘The Kings In Your Castle’ blog series. This post describes how they “leveraged our gathered data for correlations, to unveil connections among targeted attacks, reported to CIRCL’s MISP instance”. The post also “looks ahead on what happened after the presentation of our proof of concept at this year’s Troopers conference in Heidelberg”.
The Kings In Your Castle Part 5: APT correlation and do-it-yourself threat research
- Greg Linares shared his slides for his Hushcon 2016 presentation on NextGen Office Malware.
Check Out @Laughing_Mantis’s Tweet
- There were a few posts on the SANS ISC Handler Diaries
- Xavier Mertens deciphers a JScript dropper that he had been sent as a malware sample. This sample is different in that “after the classic execution of the PE files, it tries to bypass the Windows UAC using a “feature” present in eventvwr.exe”.
UAC Bypass in JScript Dropper
- Brad Duncan compares three waves of malspam to get a better idea of the actor behind them. The downloaders came in the form of a JS script and a Word document (from different days), both downloading Cerber. Brad was able to generate and share “infection traffic, associated emails, malware, and artifacts”.
Domaincop malspam
- Brad also shares analysis and IOCs from the pseudoDarkleech and EITest campaigns that used Rig-V to distribute Cerber.
One, if by email, and two, if by EK: The Cerbers are coming!
- Aaron Shelmire compares a number of binary analysis tools including IDA, Binary Ninja, Hopper, and Radare2.
Binary Analysis tools Review
MISCELLANEOUS
- Lesley Carhart answers various questions regarding how security professionals study threat actors, as well as the results of these investigations.
How do security professionals study threat actors, & why do we do it?
- Matt Swann posted version 0.3 of the “Maslow’s Hierarchy of Incident Response Capabilities” to Twitter.
Check Out @MSwannMSFT’s Tweet
- Igor Mikhaylov at Digital Forensics Corp would like you to send your articles to their site to share out with the community.
Share Your Article With Digital Forensics Corp
- Jason Roslewicz at Sumuri has a post promoting their Talino Workstations. I don’t usually like sharing specifically marketing posts, but the last line of the post makes it worth sharing. Jason shared his contact information and lets the community know that he’s happy to “talk forensic workstations, whether we built them or not” with people that get in touch.
The Talino Advantage
- John Hubbard at 909research has extensively covered the use of Sysmon in action. He has described what the tool is and how to set it up, and then proceeds to show what one would see when executing the Osiris Ransomware and Mimikatz.
Sysmon – The Best Free Windows Monitoring Tool You Aren’t Using
- Lee Reiber at The Mobile Device Examiner has started a “new weekly video series called the Mobile Forensic Minute”, hosted on the ‘The Mobile Forensic Investigation‘ Facebook page. The videos aim to be completed in roughly a minute and “express [Lee’s] ideas on mobile forensics, excerpts from [his] book, or other items that come to mind.”
Mobile Forensic Minute
- Jake Williams posted a few articles of interest
- This post covers CFP submissions and why you should let people know that you’ve submitted but were ultimately rejected – you’re trying to give back, and that others aren’t alone in being rejected.
I’m a failure – (mis)adventures in CFP submissions
- Jake also recommends employing a reverse engineer to examine malware and determine what its actual capabilities are rather than relying on correlation. He also shares this website, which is great.
Bad correlations in IR? Maybe no reverse engineers is the problem?
- Jake also shared a post from Peerlyst regarding writing for your audience; Jake advises that you should aim for a “maximum 7th grade reading level in [your] executive summaries”
Infosec reporting and the problem of reaching your audience
- Daniel Miessler has shared a short description of the difference between stack and heap based memory.
The Difference Between Stack and Heap Based Memory
- Demisto published part 2 on what “Mr. Robot” can teach us about IR. Still haven’t watched season 2; really need to get onto that.
Part 2: What ‘Mr. Robot’ Can Teach Us About Incident Response
- The folks at Intaforensics have released a guide for those seeking ISO 17025 accreditation of their labs.
A Guide to ISO 17025
- Brett Shavers wants you to become the Picasso of forensics. That is, given the tools in front of you, paint a masterpiece. As many have said before him, your wetware (read: brain) is the most important part of a forensic investigation.
The most important tool in DFIR that you must have…
- Brett also answered some commonly asked questions about writing a DFIR book. There’s a lot of good advice in here for those thinking about publishing. I’m sure there are plenty of folks that have some ideas but need the motivation; If I can help in any way just get in touch, even if it’s just a sounding board or introduction.
Brett’s opinion on writing a DFIR book
- The Enigma 2017 Conference agenda has been posted up and can be found here. Enigma will take place Jan 30-Feb 1 2017 in Oakland, California.
And that’s all for Week 50! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!