Showing newest posts with label forensic tools. Show older posts

Friday, December 12, 2008

Give Your Forensic Images the Boot, Part I

Here's a post I completed for the Sans Forensics Blog. Part II should be coming soon.

http://sansforensics.wordpress.com/2008/12/12/give-your-forensic-images-the-boot-part-i/

UK police: 'We need crime breathalysers for PCs'

Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said frontline police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.

McMurdie said such a tool could run on suspects' machines, identify illegal activity - such as credit card fraud or selling stolen goods online - and retrieve relevant evidence.

She told silicon.com: "Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather than waiting six to 12 months for the evidence to come back to us?"

Read more from Silicon.com.

Tuesday, November 25, 2008

More Freeware Tools

There is a nice listing of some freeware security and forensic tools on Grand Stream Dreams including software for memory forensics, network forensics, and penetration testing. This is a great blog if you haven't checked it out yet.

Wednesday, November 12, 2008

More Deleted Keys Goodness!

Something to watch for...
While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometimes by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used and said worked like a champ!
Read more from Windows Incident Response

Friday, November 7, 2008

I will be presenting at this month's NebraskaCERT Cyber Security Forum. If you want the lowdown on "Free Forensic Tools", hit the link below and sign up to attend. You can always download the presentation later in the month if you can't make it that day.

http://www.nebraskacert.org/CSF/

Saturday, November 1, 2008

Shellbags Registry Forensics

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect’s USB stick that you didn’t get looked like? Read on!

The data is stored as binary blobs under the following registry keys:

  • HKCU\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
Read More from SANS Forensic Blog