You’ve just finished receiving digital forensics training or acquired a new tool (FTK, EnCase, Sleuth). Now what? You’re waiting for some real cases to crack. In the meantime, over on the SANS Forensics blog, Ken Pryor has posted an excellent article which lists most of the freely available forensic exercises, challenges, and practice images: http://blogs.sans.org/computer-forensics/2010/07/27/im-here-now-what/
Remember, I’ve previously posted a list of:
Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers. From the REMnux page:
REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.
A high-level overview of performing live memory capture and analysis:
- capture memory via MoonSols’ win32dd
- parse the memory snapshot with Mandiant’s Memoryze
- analyze the results via Audit Viewer
- or analyze using the Volatility framework, neatly packaged in the SANS SIFT Workstation
Now, if the authors would add geolocation to the maps, we could quickly see if a site is pulling from a server in Russia or China, which could be an obvious sign of infection.
I recently stumbled upon two great blog posts regarding Kindle forensics. Eric Huber’s ‘A Fistful of Dongles’ blog has some interesting initial analysis on imaging the Kindle and the key artifacts to zero in on.
Part 1: A Cursory Look at Kindle Forensics
Part 2: Additional Thoughts on Kindle Forensics
Some interesting data Eric discovered:
- last book read w/ timestamp
- position in the book
- books loaded on device
- strings user has searched for
- *Remember, because the Kindle has 3G connectivity, you may want to use a Faraday bag
So you want to get your feet wet?
- Grab Didier Stevens tools here: http://blog.didierstevens.com/programs/pdf-tools/
- Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
- Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
- Other deobfuscation tools: Malzilla, SpiderMonkey (you need to handle document.write yourself), debugging via Rhino, and a Firefox add-on (haven’t tried this one)
I previously wrote about online GPS forensic references and wanted to put them to use. I had a suspicion that my girlfriend had been seeing another man. While she was at work I grabbed her GPS (Garmin Nuvi 205) and connected it via USB (don’t forget a write blocker). For Garmin models, the file you want to look for is “Current.gpx”.
Once I had copied Current.gpx, I installed Google Earth. Earth actually imports several different GPS data/location file formats. Earth parsed all the recent destinations entered into the GPS and loaded them as waypoints. This makes it very convenient to find out where someone has been, where they might live (home location), etc. Think about all the applications, e.g. rental car GPS units.
***If you don’t want to use Earth, you can open the gpx file in a text editor (it is simple XML). You’ll be looking at latitude/longitude coordinates that you can plot yourself.
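If you would rather pull the coordinates out of the GPX file yourself than load it into Earth, here is a small waypoint parser added as an example (it is not code from the original post or from Garmin). It uses the standard GPX 1.1 namespace; the sample file, its names and its coordinates are constructed, and one waypoint deliberately lacks a timestamp because not every entry carries one.

```python
import xml.etree.ElementTree as ET

# GPX 1.1 namespace; tags in the file are namespaced, so a bare
# findall("wpt") would return nothing.
GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}

# Constructed sample modelled on a Garmin Current.gpx. The names and
# coordinates are made up for this example.
SAMPLE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="38.8977" lon="-77.0365">
    <time>2010-07-20T18:32:10Z</time>
    <name>Home</name>
  </wpt>
  <wpt lat="40.7484" lon="-73.9857">
    <time>2010-07-22T09:05:44Z</time>
    <name>Empire State Building</name>
  </wpt>
  <wpt lat="42.3601" lon="-71.0589">
    <name>Unnamed stop</name>
  </wpt>
</gpx>
"""


def parse_waypoints(gpx_bytes: bytes) -> list[dict]:
    """Return one dict per <wpt>: lat/lon as floats, plus name and time when present."""
    root = ET.fromstring(gpx_bytes)
    points = []
    for wpt in root.findall("gpx:wpt", GPX_NS):
        name = wpt.find("gpx:name", GPX_NS)
        when = wpt.find("gpx:time", GPX_NS)
        points.append({
            "lat": float(wpt.get("lat")),
            "lon": float(wpt.get("lon")),
            "name": name.text if name is not None else None,
            "time": when.text if when is not None else None,  # some entries have no time
        })
    return points


def to_csv_lines(points: list[dict]) -> list[str]:
    """Flatten the waypoints to CSV rows so they can be plotted in any mapping tool."""
    return ["time,name,lat,lon"] + [
        f"{p['time'] or ''},{p['name'] or ''},{p['lat']},{p['lon']}" for p in points
    ]


if __name__ == "__main__":
    print("\n".join(to_csv_lines(parse_waypoints(SAMPLE_GPX))))
```

Point the same functions at a copied Current.gpx (read as bytes) and the CSV drops straight into any tool that plots coordinates.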