Wednesday, June 29, 2011

A few links

Corey Harrell has a review of Digital Forensics with Open Source Tools up on his Journey Into Incident Response blog. He recommends the book, just as I and quite a few others have. If you don't normally read Corey's blog, you should start doing so. He's always got great content there.


Claus has a very interesting and helpful post up on the Grand Stream Dreams blog titled Anti-Malware Tools of Note. This is an excellent write-up about the tools and some of the methods he uses in combating malware infections. This is another excellent blog that is well worth taking the time to read regularly.

Over on the Windows Incident Response blog, Harlan Carvey has a new post titled Meetup, Tools and Other Stuff. In addition to several other topics, he talks about his research into Windows 7 Jump Lists, as well as information on the Master Boot Record. Jump Lists have become a topic of interest lately and deservedly so. Harlan has done a great job researching them and provides a nice write-up of what he's discovered thus far. Kudos to him for sharing this information and to everyone who does research and shares what they find.

Also, the talk about the MBR is quite interesting. Harlan mentions some tools and other resources for further study. I plan to try out the tools he links to and see for myself if they'll do the job I need done.

This topic is quite timely, given this post at the Microsoft Malware Protection Center blog on Technet about the 'bootkit' they call Trojan:Win32/Popureb.E. According to MS, the solution when your system is infected by this particular malware is to "simply" do an MBR repair followed by an operating system reinstall. I plan to do considerably more reading about this in the very near future, as the number of PCs being brought to me for malware cleanup has been increasing greatly as of late. If I learn anything useful, I'll post it here.


I still hope to learn how to reverse engineer malware and bought "Introduction to 80x86 Assembly Language and Computer Architecture" to help me learn that part of the reverse engineering process. I just started reading it, so I'm far from knowing much about the subject now, but hope to be able to put what I learn from it to good use soon.



I'm still catching up on all my favorite blogs, so I'm sure I've left out more than a few posts by others. I'm hoping to get caught up on all my reading in the next day or two and I'll post if I see something of interest.

2 comments:

  1. "I plan to try out the tools he links to and see for myself if they'll do the job I need done."

    Ken, did you ever try them out? What is the job that you need done?

  2. Hi Harlan,

    I did try out Gary Kessler's MBRparser.pl and was quite impressed with it. At the time I wrote the original post, I was hoping to get a sample of the Popureb.E bootkit and was going to infect an old machine I keep around for such things (air-gapped from the network, of course). I had wanted to use the MBR tools you mentioned upon doing that, but never wound up getting a sample at the time and just moved on.
