I've always been a proponent of performing forensic examinations using Linux. It does offer a lot of advantages which have been discussed at length, but it really does boil down to personal preference. I'm a CLI guy. Even when I'm working from a Windows machine I'm at least using cygwin.

That said, I'm a practitioner, not an academic. There are many times when (for better or worse) EnCase ends up being the right tool for the job - primarily very Windows-heavy investigations involving many disparate on-disk data sources.

I know there are examiners out there running successful investigations sans EnCase. I'd like to hear from you. What's in your toolkit? What's your workflow? Are there any particular investigation tasks that break it? Any that your workflow seems particularly well suited to above and beyond EnCase?

I'm particularly interested in anyone successfully running a completely free/open-source forensics workflow. Imagine... a day without a dongle.

For those of you like me (all both of you), the wait for Resident Evil 5 has been almost unbearable, since playing Resident Evil 4 for the 7th time through on a single game got a little boring. Likely, the only things keeping you from becoming a mad scientist and creating your own zombie apocalypse to get your fix were the facts that getting your degree in Evil Microbiology requires that damned public speaking course, and that Dead Space was released last halloween. Dead Space quickly became one of my favorite games because it was the amalgam of Event Horizon, Alien(s), and Resident Evil 4, with a dash of BioShock thrown in for good measure (All among my favorites in their own rights).

There's been a lot of wheel spinning about the Heartland breach and what it will mean for PCI, consumer confidence, life, the universe and everything. I've been following it all with semi-detached interest as I've done some (albeit smaller) PCI-related breach response before, but I felt I had to comment on the article that popped up yesterday at StorefrontBacktalk.

"The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin."

Having worked on teams of forensic investigators, I can tell you it's not often hard to elude them (no slight to the capabilities of those involved). If you're working a large, vague breach using standard forensic methodologies, you may eventually find what you're looking for but it is equally likely that you'll find it by chance as by skill - this is the Infinite Monkeys, Infinite EnCase Dongles theorem.

"“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that is also indicates a very sophisticated attack...

Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

Baldwin said Justice Department and U.S. Secret Service officials have told him “the bad guys they think got us have successfully breached other financial institutions.”

Apparently, federal law enforcement was focusing on suspects in other breaches when the Heartland breach became known, which explains the relative speed of the Secret Service identifying a key suspect, apparently in Eastern Europe.".

Other articles are stating the breach may stretch as far back as May.

Let's recap. The facts we know are as follows:

Been traveling a lot lately - started as a Principal Consultant with MANDIANT about a month ago & I just hit Premier Executive on United this week.* Here's a special video for all my fellow frequent fliers:



* This doesn't include the ~40k miles I had to fly on other airlines for one reason (Frontier was like 11 bucks DEN->SEA) or another (customer in Abu Dhabi wanted us to fly business class on Etihad). Here's to 1K in 09!

I'm hoping this is the beginning of a trend.

An awesome trend.

Interesting work just published from CMU Cert:

This paper addresses the shortcomings of the traditional forensic response methodology with respect to disk encryption. It highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from volatile memory to facilitate the analysis of encrypted media in a forensically sound manner. A proof of concept tool capable of decryting an encrypted disk image using a volatile memory dump is included to demonstrate the practicality of the outlined techniques.

Awesome new Fallout 3 stuff released today, including a quick clip of a firefight in and around the ruins of the capitol building in DC.

www.prepareforthefuture.com

Tag: fallout xbox 360 xbox360

The book I co-authored is available now.

The open beta for PTK started a few days ago.

You can fetch it up at DFLabs.

Description from the site:

"PTK is an alternative advanced interface for the suite TSK (The Sleuth Kit). PTK was developed from scratch and besides providing the functions already present in Autopsy Forensic Browser it implements numerous new features essential during forensic activity. PTK is not just a new graphic and highly professional interface based on Ajax technology but offers a great deal of features like analysis, search and management of complex cases of digital investigation."

This actually happened over a month ago, but I managed to not notice until now, thanks to a near absence of downtime.

Argus 3.0 release announcement

If you're not aware of Argus, it's an excellent tool to use during both proactive and reactive network monitoring. I use it primarily in a response capacity - to turn packet captures into useful information very quickly.

The description from the source: