DFI News
Stating the Obvious
January 14, 2013 7:00 pm
Last November I wrote about image quality and how it is one of the most critical elements for photo forensics. A large number of analysis algorithms focus on fine details. Low-quality images can remove or distort those details. Many times a picture may visually look good but analysis will identify a low-quality image. In general, you cannot trust your eyes to tell whether an image is going to be at a high or low quality. Or can you ......
Exploring the Market for Stolen Passwords
January 13, 2013 7:00 pm
Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers. ...
Among Top Cyber Targets, Don't Overlook Trust
January 13, 2013 7:00 pm
A European Union study of the evolving cyber threat landscape identified a handful of emerging areas that are likely to be high-profile targets in the immediate future, with mobile computing topping the list. Hardly a shocking conclusion, and the rest of the list also contains few surprises. There are social technology (usually referred to as social networking in this country), critical infrastructure, cloud computing and big data. But ...
Resurrecting the Dead
January 10, 2013 7:00 pm
Unlike zombies, deleted files will not miraculously return to life on their own; we need to either undelete them or carve them if there is no file system metadata to help us. So I want to blog about file carving. This will be over two posts: the first post will deal with theory, the second post will look at a couple of tools that I use. In theory, file carving is straightforward enough — just look for a file header and extract t...
Dude, Where's My Banana? Retrieving Data from an iPhone Voicemail Database
January 10, 2013 7:00 pm
This is a complementary post to Mari DeGrazia's post about what to do when your tools don't quite cut the mustard. In today's post, I'll show how we can write a Perl script to retrieve the contents of an iPhone's voicemail database and then display those contents in a nice HTML table. The first thing I 'should' have done was Google it and see if anyone had written a similar script ... D'oh! But due to my keenness, I dived right in and ...
Re-Introducing $UsnJrnl
January 9, 2013 7:00 pm
by Corey Harrell
The NTFS change journal ($UsnJrnl) is not a new artifact and has been discussed before by others. The file's importance may have been overlooked since it wasn't available in Windows XP by default. As more and more systems running newer Windows operating systems cross our desks it is crucial to know about the $UsnJrnl file. This is because starting with Windows Vista and continuing into Windows 7 the operating syst...
Carving Station - RAR Files
January 9, 2013 7:00 pm
By Mary Singh
This post will discuss the technique of carving files from unallocated disk space. "Carving" simply means extracting a specific section of bytes from an area of disk space; ideally those bytes make up a complete file. You can carve any kind of file, but in this post we will specifically address how to carve RAR archives from unallocated disk space. Why RAR files? In many of Mandiant's investigations of ta...
DFIR Truisms
January 9, 2013 8:42 am
I collect quotes. Quoting something or someone is fun and entertaining; sometimes it is challenging — much like delivering a joke, timing is everything. During the holidays as I was performing my yearly household purge of both true junk and digital junk, I came across a handful of quotes that I had collected over the years and thought each of them was applicable to the world of DFIR, so I thought I would share ... I hope if y...
NTFS Triforce - A Deeper Look Inside the Artifacts
January 9, 2013 8:35 am
In our last post we discussed at a high level the relationship between the $MFT, $LOGFILE and $USNJRNL. In this post we will go into detail on the structures we can recover from each of the three and how they link, allowing us to determine the historical changes made to a file or directory. $MFT — The Master File Table is a pretty well understood artifact. MFT structures are fully documented and there are a variety of tools out th...
Crimeware Author Funds Exploit Buying Spree
January 7, 2013 7:00 pm
The author of Blackhole, an exploit kit that booby-traps hacked websites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of i...
Mounted Images - Breaking the 2TB Barrier
January 7, 2013 7:00 pm
In my last post, I described how to create a VM from a dd image file of a >2TB disk. VMware does not support >2TB disks, so we had to implement a workaround. You may recall that I stored my dd image as NTFS-compressed. However, we can achieve better compression with E01 imaging. The issue, however, is that we have to mount an E01 as a physical disk to create a VM from the E01 image. I explained how to do this in an earlier post. That ap...
And Now for Something Completely Different ... HoneyDrive
January 6, 2013 7:00 pm
For quite a while now, I've wanted to set up a honeypot and see what I can learn from it. I was happy to find out that Ion at BruteForce Labs has put together a great "all in one" virtual machine with preconfigured honeypots. The virtual machine is called HoneyDrive. Upon learning about it, I decided this was as good a time as any to try out running a honeypot....
Cellphone Surveillance
January 6, 2013 7:00 pm
Have you ever tried traversing the ground (metaphorically speaking) between two opposite and opposing opinions? It is never easy. Here is an informative and interesting short article on how far cellphone surveillance generates contentions. The Courts faced with balancing the needs of law and governance, (unelected) government — that of public servants using technology as a tool in the need for surveillance and detection of crime &...
New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590
December 20, 2012 7:00 pm
In this blog post we would like to share some details about the exploit for CVE-2010-2590, which we released in the last Metasploit update. This module exploits a heap-based buffer overflow, discovered by Dmitriy Pletnev, in the CrystalReports12.CrystalPrintControl.1 ActiveX control included in PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as installed by default with Crystal Reports 2008. While this is a vu...
APTish Attack via Metasploit - Part IV - File System Forensics
December 20, 2012 7:00 pm
Welcome back for the final part of my APTish Attack via Metasploit series. If you haven't read any of the other posts I suggest you read them so you can get an idea of where we are starting from. You can find them here: Part I, Part II and Part III. As forensic analysts, we are providing someone with our account of a real person's actions and events. We are telling people through our discoveries what someone did or didn't do on a partic...