Week 29 – 2017







  • James Habben at 4n6ir discusses the general discomfort one feels when reading job listings – the reason being that they appear to list every skill under the sun as requirements which may dissuade people from submitting an application, or not getting passed HR when they are qualified, just don’t tick every box (which is just as bad). He also talks about ways that people are able to get around the HR process. And as always, if you start a blog, let me know 🙂
    Infosec Jobs

  • Jim Hoerricks at Amped Software describes how and why Amped Five’s reporting works the way that it does (specifically relating to standards and cases)
    Hands-off the keyboard!

  • Yulia Samoteykina at Atola Technology shows how to use the compare function to compare the source and the target and “help you identify and locate the modified sectors”
    Comparing Hashes of Source and Target to Find Modified Data

  • Mike Vizard at Barracuda comments on various surveys that have been conducted on SOC performance/workload. He advises that “in the absence of a well-defined incident response plan far too many organizations are incurring more costs responding to potential threats than they are from that actual malware infecting their systems”
    Turns Out Incident Response Is Way More than Half the IT Security Battle

  • The Grugq posted on the Comae Technologies blog regarding the recent investigation and subsequent shutdown of the darknet markets, AlphaBay and Hansa.
    Dark Net Trap

  • DFIR Guy at DFIR.Training wrote two posts this week
    • The first post talks about continuous learning/training/reading to assist in your investigations
      Clearing Old Cases
    • The second talks about the many ways to get into the field and then specifically about a DIY college degree. A number of job postings indicate that a degree is a requirement (to pass HR) but a DIY degree of in-person and online training and conference attending in conjunction with blog/book reading and self-driven research goes a lot further in the eyes of those in the field. Going the extra mile and doing your own research, sharing it, and becoming “known” in the field will most probably be looked favourably by hiring managers in the future.
      A DIY Cyber Security Degree

  • Scar de Courcier at Forensic Focus posted a roundup of some of the forum conversations
    Forensic Focus Forum Round-Up

  • Scar also shared an article from the BBC regarding the use of pacemaker data in a court case
    Judge Rules Pacemaker Data Admissible In Court

  • Bradley Schatz at Inside Out has shared the “the Advanced Forensic Format 4 Working Group (AFF4 WG) is calling for interested parties to join the second working group meeting, to be co-located at the DFRWS Conference 2017, in Austin, TX”.
    Call for participation – AFF4 Working Group meeting at DFRWS 2017 USA

  • Magnet Forensics shares a case study of “how Lt. Meadows’ team [at the Houston County Sheriff’s Office] uses AXIOM to help solve the problems”
    How Customers Sort Through the Noise Using Magnet AXIOM

  • Brian Maloney at Malware Maloney continues his series on ProcDOT plugin writing, expanding on the previous articles, by showing how to add a context menu and then how to add conditions around it.
    ProcDOT plugin writing. Part 4 – Context Menu and CanBeVerified

  • Christopher Woods at Nuix provides his thoughts on ways that backlogs can be cleared – this involves getting the person with intimate knowledge of the case in front of the evidence, rather than moving the data around to a forensic analyst and asking them to find the evidence. This is sound advice as the case agent knows what they’re looking for. The only caveat is the case agent may not understand the information being presented to them – a picture located in temporary cache does not have the same value as a picture on the desktop for example.
    Placing Case Agents at the Forefront of Criminal Investigations

  • Richard Wartell at Palo Alto Networks advised that “the LabyREnth Capture the Flag (CTF) challenge ends in less than a week!”
    LabyREnth CTF 2017 Final Week: Beat the Maze!

  • It appears that SalvationData are giving away licenses of their DVR Forensics software – although the accompanying blogpost doesn’t specify if this is a trial, LE only, full version for a defined period, etc
    Check out @SalvationDATA’s Tweet

  • Scott J Roberts answered the question “What books or papers should a new cyber threat intelligence analyst read first”
    CTI Reading List

  • David Cowen announced an unofficial CTF to be held at Defcon/bsides LV. Unfortunately, it’s already filled up, but if you’re around DEFCON then it’ll definitely be worth giving the guys a shout and going to see what they’re up to.
    Take a look at @HECFBlog’s Tweet

  • Jóseph Mlodzìanowskì‏ tweeted that there will be a number of hands on workshops at the Packet Hacking village at Defcon this week
    Take a look at @cedoxX’s Tweet

  • Martijn Grooten at Virus Bulletin explains the “the VB2017 programme features several talks on such APTs”
    Advanced and inept persistent threats to be discussed at VB2017


And that’s all for Week 29! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s