Newsfeeds

Security Ripcord
  • Cutaway Joins InGuardian, Inc.
    When I left the United States Marine Corps and started college I knew two things.  1. I wanted my career to be in Computer Security and 2. I wanted to work for a group of professionals who operate at the same level of the Force Reconnaissance unit I had the pleasure of serving with for [...]

  • SANS Security 508
    I recently attended SANS Security 508 at SANS 2010-Orlando.  When I told Harlan Carvey that I was going to attend this training he was concerned that I would not be exposed to anything I had not already exposed myself to through work and personal effort.  When I arrived on-site I got the same feeling from [...]

  • ITB Issue 0x1 – Call For Collaboration
    The success of Into The Boxes Issue 0x0 was only possible because of the collaboration provided by members of the Digital Forensics and Incident Response community.  In order for this publication to continue we need more people to step up and provide their input.  As you can see from the first issue we are looking [...]

  • APT-style Manual Compromise Viewed Via Timeline Analysis
    Most of the time the initial infection vector associated with APT-style attacks incorporates the client-side exploitation of vulnerabilities in any number of software.  Actually, when dealing with APT-style events I prefer “initial compromise vector” (ICV) as APT backdoors should not be considered or even referred to as malware because it provides an incorrect understanding to [...]

  • Hydraq Details Revealed Via Timeline Analysis
    The other day I was handed a system that was known to be compromised with Hydraq.  The goals were to determine when, how, and what happened after the compromise.  Locating the malicious process during memory analysis was easy with so many known system artifacts.  Not really very useful although it did determine that the rasmon.dll [...]

  • PreFetch EnScript and SysComboTLN Update
    System Combo Timeline has been updated.  If you use syscombotln you will want to get this new version as there is an important bug fix.  I have also updated regtln.pl and evtparse.pl to handle double-byte and non-printable characters better.  This helps when analyzing log and registry files from Windows systems with various language packages.  Of [...]

  • Using Logs To Reduce Response Gap
    One of the keys to incident response is to reduce the gap between compromise and when an organization starts taking action.  There are a number of tricks to identify compromised hosts.  Most organizations retain all types of logs for any number of reasons.  Unfortunately, auditing and never really using logs for anything except for records [...]

  • Syscombotln and Tools Update
    System Combo Timeline:
    The syscombotln tool has been updated to fix several bugs and time/date issues.  I have also decided to stop being lazy and updated all of the internal modules and external scripts/tools associated with this tool to properly handle the TLN format as Harlan outlined. This includes the TLN.EnScript which is NOT included in [...]

  • System Combo Timeline Released
    Tired of doing a lot of work by hand I have started a project to quickly generate a timeline file from system artifacts recovered from systems running a Windows operating system.  The goal is to quickly generate information that can be used to determine actionable intelligence during an incident response.  System Combo Timeline is a [...]

  • Bodyfile and Timeline EnScripts
    Being able to utilize multiple tools is key for any digital forensic and incident response analyst.  However, moving back and forth between different operating systems or starting and stopping memory intensive tools can have an impact on quickly exporting critical information from a system.  The FLS utility provided in the Sleuth Kit tools produces an [...]

Date published: Tue, 01 Jun 2010 15:17:09 +0000