e-Evidence updates

I've been reading through some of the presentations and papers that are part of the updates from the e-Evidence web site, and as always, I've found some good stuff linked there.

Matt Churchill has an excellent presentation that addresses examiners fighting back against anti-forensics techniques, in part through live response (slide 14) and learning new things (slide 20). Matt also suggests reaching out to others and having peer reviews, but honestly, I don't see this happening any time soon; however, I do believe that it is immensely important, because none of us is as smart as all of us. Matt's presentation also reminds me of an analyst's need to evolve.

Diane Barrett has another excellent presentation on Virtual Traces, addressing the use of virtualization and its impact on forensic analysis. I've read Ms. Barrett's presentations before and been impressed with her findings with respect to virtualized desktop environments such as Moka5 and MojoPac. While I have not personally run into the use of any of these environments, it is something that I definitely keep in mind when looking at data exfiltration issues; some of the artifacts identified by Ms. Barrett are picked up by RegRipper.

Over on the ForensicFocus site, Dennis Browning compares the Apple property list to the Windows Registry...definitely an excellent read, particularly for anyone who deals with both.

From AccessData, Dustin Hulburt has an excellent paper on fuzzy hashing, and he references Jesse Kornblum's work, as well. More and more, in my own professional experience, traditional MD5 hash comparisons are becoming less and less effective, and in many cases, are significantly less effective than AV scans. In a recent examination, malware that was known (i.e., by AV vendors and regulatory bodies) was modified, so that it was NOT detected by AV nor by hash comparisons, but the names of the malware files remained the same. Heck, even VirusTotal has been providing fuzzy hashes of submitted files. I ran into a similar instance over a year ago, where files of the same name and same apparent usage were found in examinations 8 months apart; although MD5 and SHA-1 hashes were different (completely obviating the use of EnCase or Gargoyle for detection), Jesse Kornblum's ssdeep indicated that the files were 97% similar.
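To make the point above concrete, here is an added example (my own code for this post, not Hulburt's paper, not Kornblum's ssdeep, and not anything from the e-Evidence site) of why a cryptographic hash misses a lightly modified file while a context-triggered piecewise hash still flags it. It implements the same rolling-hash recurrence ssdeep uses, but with a simplified block-size rule, a single block size per file, and a plain edit-distance score, so the numbers it produces are illustrative and are not ssdeep's. The three byte strings are constructed stand-ins: a "known" file, a copy with 16 bytes overwritten and 5 bytes inserted, and an unrelated file of the same size.

```python
import hashlib
import random

# Base64 alphabet used to turn each chunk hash into one signature character.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # the rolling hash depends only on the last 7 bytes, so it resynchronises after an edit


def rolling_hash_values(data, window=WINDOW):
    """Yield the rolling-hash value after each byte (the recurrence ssdeep's rolling hash uses)."""
    h1 = h2 = h3 = 0
    ring = [0] * window
    for i, c in enumerate(data):
        old = ring[i % window]
        ring[i % window] = c
        h2 = h2 - h1 + window * c            # weighted sum of the bytes in the window
        h1 = h1 + c - old                    # plain sum of the bytes in the window
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF    # shift-xor; a byte is fully shifted out after 7 steps
        yield (h1 + h2 + h3) & 0xFFFFFFFF


def pick_block_size(length):
    """Simplified rule of thumb: smallest 3*2^k for which 64 chunks of that size cover the input."""
    bs = 3
    while bs * 64 < length:
        bs *= 2
    return bs


def fuzzy_hash(data, block_size=None):
    """Return 'blocksize:signature'. A chunk ends whenever the rolling hash hits the trigger
    value, so chunk boundaries are decided by content, not by file offset."""
    bs = block_size or pick_block_size(len(data))
    sig, chunk = [], bytearray()
    for c, rh in zip(data, rolling_hash_values(data)):
        chunk.append(c)
        if rh % bs == bs - 1:                # trigger point: close this chunk
            sig.append(B64[hashlib.md5(bytes(chunk)).digest()[0] & 63])
            chunk = bytearray()
    if chunk:                                # tail chunk after the last trigger
        sig.append(B64[hashlib.md5(bytes(chunk)).digest()[0] & 63])
    return f"{bs}:{''.join(sig)}"


def edit_distance(a, b):
    """Levenshtein distance; signatures are only a few dozen characters, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(fh_a, fh_b):
    """0..100 score from the edit distance between two signatures. Signatures are only
    comparable at the same block size (real ssdeep emits two block sizes per file for this reason)."""
    bs_a, sig_a = fh_a.split(":")
    bs_b, sig_b = fh_b.split(":")
    if bs_a != bs_b or not sig_a or not sig_b:
        return 0
    return round(100 * (1 - edit_distance(sig_a, sig_b) / max(len(sig_a), len(sig_b))))


# Constructed stand-ins (seeded so the run is repeatable): a "known" file, a copy of it with
# 16 bytes overwritten at offset 1000 and 5 bytes inserted at offset 2000, and an unrelated file.
_rng = random.Random(1)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4000))
MODIFIED = ORIGINAL[:1000] + b"X" * 16 + ORIGINAL[1016:2000] + b"PATCH" + ORIGINAL[2000:]
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(4000))


def compare(a, b):
    """Return (md5_match, fuzzy_similarity) so the two detection methods can be contrasted."""
    same_md5 = hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()
    return same_md5, similarity(fuzzy_hash(a), fuzzy_hash(b))


if __name__ == "__main__":
    for label, other in (("patched copy", MODIFIED), ("unrelated file", UNRELATED)):
        same_md5, score = compare(ORIGINAL, other)
        print(f"{label:14s} md5 match: {same_md5}  fuzzy similarity: {score}%")
```

Running it shows the MD5 of the patched copy no longer matches at all, while its fuzzy signature differs from the original's in only the handful of characters covering the two edited regions: because every chunk boundary is chosen by the rolling hash over the last seven bytes, the five inserted bytes shift the rest of the file but do not shift the signature. The unrelated file scores low. That is the behaviour a hash-set-only workflow loses when a sample is touched up, and the reason an examiner should keep a fuzzy hash alongside the MD5/SHA-1 of anything they want to recognise later.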

These aren't all that's listed at the site, just a taste. This is definitely a site you should have bookmarked, and check on a regular basis (monthly?), as well as submit links to.

I also want to thank Christine for her diligence in continuing to pull this stuff together and post it. This is one of the ways that examiners and responders can evolve, by being exposed to other approaches and ideas. Thanks!