Friday, April 15, 2011

A few links

What's this??? Me with another blog post in the short span of 2 whole days? Yep, it's true. I'm really going to try to start posting more often, so we'll see how it goes. I don't have a lot planned for this one, but wanted to mention some other blog posts I thought were worthwhile.

Andre M. DiMino, on his SemperSecurus blog, posted a nice write-up on using Volatility 1.4 to analyze a memory capture from a machine infected by the recently disclosed Adobe 0-day (CVE-2011-0611). Andre does a great job of detailing the work he did, complete with screenshots. I've only dabbled in memory analysis occasionally, but I greatly enjoy reading posts like this that explain in detail how a goal was accomplished and give the reader the means to repeat the process in their own lab environment.

On his TaoSecurity blog, Richard Bejtlich recently posted his slides entitled "Cooking the Cuckoo's Egg" from his talk at the DOJ Cybersecurity conference back in February. I just recently bought the book "The Cuckoo's Egg" but haven't started reading it. From looking at the slides, I can tell I would have enjoyed the talk and would love to get the chance to hear Richard speak sometime.

My good friend Brad Garnett has re-titled his blog Digital Forensic Source. Brad is a smart guy and an excellent forensics analyst as well. I say nice things about him, even though he calls me old ;-)

I wanted to thank Harlan Carvey for his blog post in which he referred to my review of Windows Registry Forensics. I looked over my blog's stats and found that the overwhelming number of visits to this blog come directly from his.

Speaking of Harlan, the book he co-authored with Cory Altheide will be out soon. The book is called Digital Forensics with Open Source Tools. This is yet another of those books I plan to get as soon as it's released. I love working with open source tools in both Linux and Windows (especially Linux), so I'm really excited about getting this one soon. I've never met Cory, but I follow him on Twitter and he seems like someone I'd enjoy meeting one day. Very funny guy. Now, if I could just convince Chris Pogue to write a second edition of Unix and Linux Forensic Analysis, all would be well. Unfortunately, last I heard, such a project is not in his plans.

Ira Victor posted a new Case Leads over on the SANS Computer Forensics blog. I really like those Case Leads posts. Everyone who does them really does a fine job of bringing a lot of good info into each post.

Also on the SANS blog, Lenny Zeltser posted an interesting new article entitled Context-Specific Signatures for Computer Security Incident Response. I've thought about creating my own signatures for use with ClamAV before, but so far haven't taken the time to try it. Lenny makes a good case for doing that during an incident to help identify the scope of the incident.

Finally, Corey Harrell created something cool: a digital forensics specific search tool. This was a really cool idea and it works great. It's nice to have that option when you need info on some forensic artifact, saving you the time of wading through all the irrelevant hits just to find that one little nugget of information you need. Well done Corey, and thanks for sharing it!

That's about it for now. Hope to be posting again in the near future.


  1. Ken,

    Why not write the Linux forensics book yourself?

  2. That's definitely an idea I would entertain at some point. Just not sure if I'm up to that challenge yet. I'll admit I'd love to do it if I was sure I could do it well.