In the DFIR (Digital Forensic and Incident Response) space there are always interesting things happening. Change is constant and sometimes exhausting. I’m taking a quick break from working on my presentation for CEIC 2015 on improving external forensic analysis and finishing up my chapter for the new version of Hacking Exposed Computer Forensic’s book to share some links.
Here are a few links to things I’m reading right now.
David Cowen never disappoints with his blog. His series called DFIR Wizard (Automating DFIR) is excellent and gives me no small amount of joy and anxiety as he teaches everyone how to roll their own forensic tools. Just make sure to test your stuff against other forensic tools before relying on the results. If you aren’t reading his series you should, now. Stop reading this and go read his series. He’s up to part 11 of a 40,000 part series. I kid, I kid, it’s 11 of 40 part series… oh, and you don’t have to pay anything for it.
Latest DFIR Wizard: http://www.hecfblog.com/2015/03/automating-dfir-how-to-series-on_22.html
GitHub repo: https://github.com/dlcowen/dfirwizard
Mari DeGrazia has a post on dealing with compressed vmdks. Before you conclude a vmdk is corrupted give this a read and make sure you aren’t about to exclude something important.
Sanderson Forensics has an updated post on recovering deleted entries from a SQLite database. With mobile devices becoming many average users go to device rather than a PC or Mac understanding the value of SQLite is critical to a successful investigation.
A new version of HashCat has been released. Updated logic for cracking 7zip protected archives.
Eric Zimmerman continues to put out updates to his excellent forensic tools. RegViewer and ShellBagExplorer. He just put out a new version 0.6 of ShellBagExplor.
ShellBag Explorer update announcement: http://t.co/giBZnbY2BN
The HexaCorn blog has a cool post on visualizing activity in IR investigations. Cool stuff.
I’m sure I’ve missed a bunch of posts. Back to writing!