19 Sep 2012
Back by popular demand (and this time not from hospital) Dave took us through the various log files on Microsoft Windows systems (you did know there was more than just the event logs didn't you?) Among other things he looked at correlations between event log ids and other event logs, and how the Account Logon differs from the Logon/Logoff events and how they are intertwined across a network.
NTFS Triforce or anti anti forensics, David Cowen & Matt Seyer
It still amazes me that after all this time there is still more to learn about NTFS. Over the past year or so David has been working on a tool to exploit the $LOGFILE and $USNJRNL on NTFS. These can provide us with a significant amount of historical information on file system activity, including identifying file movements and changes. In this presentation David also demonstrated the triforce tool, the amount of information it recovers is quite astounding. This is something that will change they way you do forensics forever, whether you are doing malware, intrusion or LE investigations.
20 Mar 2013
Microsoft log parser & other tips & tricks for windows exams - Dave Kleiman
Dave has years of experience working with windows forensics and security, he is also the author of a plethora of books (more here: http://www.amazon.com/s/ref=nb_ss_gw/... ). For this meetup he took us through a wide range of utilities and techniques he uses for analysis. He also gave away a bunch of eBooks thanks to Syngress.
16 Feb 2013
DFIROnline- Memory Forensics with Michael Cohen
A recording of the January DFIROnline meetup with Michael Cohen of Google
17 Jan 2013
Android Forensics with volatility and LiME - Andrew Case
Android powered phones dominate the mobile phone market, and Android powered devices, such as tablets, E-readers, and netbooks, have substantial shares in their respective markets. The ability of the forensics community to perform deep forensic analysis of Android devices is essential and will become a desirable skill of all forensics investigators. In this presentation, Andrew Case walks through new research into memory forensics against Android devices and discuss its application to real investigations. These capabilities include:
14 Dec 2012
Digital forensic tool demos - GRR, L2T Review, libvshadow, libevtx & TAPEWORM
I was lucky enough to attend the Open Source Digital Forensic conference last month and had the chance to see a bunch of new tools being released. So I invited some of the authors to come and share them with us on DFIROnline.
17 Oct 2012
Windows Log File Analysis in depth, Dave Kleiman
Back by popular demand (and this time not from hospital) Dave took us through the various log files on Microsoft Windows systems (you did know there was more than just the event logs didn't you?) Among other things he looked at correlations between event log ids and other event logs, and how the Account Logon differs from the Logon/Logoff events and how they are intertwined across a network.
19 Sep 2012
Forensic Story: The Odyssey of Mitra - A Modern Geek Tragedy - Cindy Murphy
For those of you who do not know Detective Cindy Murphy of the Madison Police Department is bit of a legend in the DFIR field. In addition to working full time as a detective with the Madison Police Department, she is a founder of the CDFS (if you have not joined yet do so http://www.cdfs.org/) The winner of this years Forensic 4Cast award for Digital Forensic Examiner of the Year. For more details on some of her accomplishments go check out the nomination see http://www.forensic4cast.com/2012/04/...
15 Aug 2012
Frostwire analysis - Veronica Schmitt
Vee joined in from South Africa, where it was 2am in the morning and presented the results of her analysis of Frostwire, something she deals with regularly when conducting child protection investigations in South Africa.
18 Jul 2012
Incident Response Takeaways from the MMA Challenge - Alissa Torres & Nik Roby
The MMA challenge was run by Alissa and Nik at CEIC this year and was the best session I attended. The most interesting part was that they presented the same case to everyone in the room, with a range of tools available and we had the chance to see the different approaches taken to solve the problem. As you know there are many tools and techniques out there. It was great to see them applied to the same case.
18 Jul 2012
An introduction to file carving - Mike Wilkinson
This was a joint NY4sec & DFIROnline meetup, streamed live from John Jay College NY. There were a few microphone issues so the audio may fade in and out a bit. I must say that presenting to a physical and online audience simultaneously was more challenging than I thought it would be. The presentation covers current carving algorithms and the tools that implement them. It also looks at some of the research regarding their performance, if you need to do some serious carving this is probably worthwhile checking out.
18 Jun 2012
What is it really like to be a digital forensic analyst? - Jon Williams
This meetup was part of a joint effort between DFIROnline and NY4Sec Jon was displayed on the big screen to folks at the NY4Sec meetup. He gave a great overview of the realities of digital forensics, and what it entails in the real world. If you are thinking of getting into DFIR you must watch this.
18 Jun 2012
Forensic Storytelling - Jesse Kornblum
Jesse is a Computer Forensics Research Guru with Kyrus Technology. The best investigation is useless unless you can convey your results. There are several styles every investigator should be able to use. Report writing is certainly one of them, but it's not the only one. The recent calls for case studies in our community has gotten me thinking about storytelling. In this talk we will explore the different styles of conveying a message. We, as a species, have thousands of years of experience in telling stories. Let's apply that knowledge to our field!
16 May 2012
The challenges of storage devices using 4096 byte sectors - Mike Wilkinson
This all started with Adam from hexacorn (http://www.hexacorn.com/ ) asking some questions about a WD mybook on the win4n6 mailing list. It turns out that it and a handful of other devices are now using 4096 byte sectors rather than the standard 512. When drives using this sector size are formatted with NTFS the MFT uses 4096 byte file records, which appears to break many commercial software tools. Here I gave a quick overview of the problem, more details can also be found in my blog post on the topic...
16 May 2012
Getting to know your NTFS INDX Records - Willi Ballenthin
This was the first special request presentation, Willi originally presented this at NYC4SEC, it received lots of positive response and he kindly offered to come and give it again for a special DFIROnline session. Willi is a great presenter and this is a good reminder of how important it is to look beyond the MFT. The slides are also online: https://docs.google.com/presentation/...
2 May 2012
Case Experience: Data spoliation with CCleaner. - Girl Unallocated
Meila Kelley is the famous Girl Unallocated here she presents a case experience where a user tried to cover their tracks using CCleaner, which has to be one of the most common "anti forensic" tools out there. If you tuned in on the night you would have even had the chance to see her face!
18 Apr 2012
Data Recovery and Its Role in Computer Forensics - Kevin Ripa
This is my favourite presentation so far. Kevin runs a data recovery business and takes us inside his home lab to show how things are really done. Along with giving a review of the different recovery software, a look inside the best home office I have ever seen (I made my wife watch so she can get some ideas of what a real home office should look like) he also walks through the data recovery process. There is so much misinformation about this out there it is great to get the real facts.
18 Apr 2012
At the beginning of this month I was thinking that the schedule for DFIROnline was looking a
16 Apr 2012
Linux Forensics for non Linux users - Hal Pomeranz
This is a great presentation, from Hal of Deer Run Associates ( http://deer-run.com/ ), Hal is a long time Linux user (and SANS instructor). Although windows is by far the most common operating system we encounter Linux systems do exist. If you run across one Hal's presentation is a great starting point. The slides are in PDF on his website http://deer-run.com/%7Ehal/LinuxForensicsForNon-LinuxFolks.pdf
14 Mar 2012
Ripping Volume Shadow Copies - Tracking User Activity - Corey Harrell
Harlan introduced how to process VSC's in December now Corey looks at exactly how we can get the most value from this valuable resource. If you do not follow Correy's blog (Journey into Incident Response, http://journeyintoir.blogspot.com/ ) you should add it to your RSS feed. He writes some great guides and is a deep thinker when it comes to processes and methods.
14 Mar 2012
A gentle introduction to cryptography - Jon Rajewski
Jon is a fellow professor at Champlain College, here he gives an introduction to encryption, with lots of hands on practical exercises. You can still follow along with the practical side of this, all you really need is a pen and paper!
15 Feb 2012
Case studies in eDiscovery. - Peter Coons & John Clingerman
Peter and John work for D4 Discovery ( http://www.d4discovery.com/ ) and in this presentation review an data theft case they were involved in where staff stole client lists from a DoD contractor. It turns out they then took the stolen information and went to work for a Chinese owned competitor....
15 Feb 2012
Malware Detection with an acquired image, by Harlan Carvey
If you have any experience with digital forensics you will know that Harlan is a legend when it comes to windows analysis. In this session Harlan looks at how you can find malware on an acquired image, without creating a virtual machine and starting it up, and why just running a virus scanner is not enough.
18 Jan 2012
The Advanced Persistent Threat or: How I Learned to Stop Worrying and Love DFIR - Eric Huber
Eric Huber (author of the award winning A Fistful of Dongles blog) gives an overview of APT and why it is important for businesses to be aware of the problem. If you need to justify resources to management this is well worth a look. If you are not sure how serious the threat is you most definitely need to see this one.
18 Jan 2012
I think the DFIROnline meetup went well tonight. The turn-up tripled from the first event, we
18 Jan 2012
So after last night’s meetup I have a few thoughts on what went well and what did not.
15 Dec 2011
So after one week I have got around to checking out the survey results. 68% of respondents went
18 Nov 2011
At PFIC I was talking to Harlan Carvey about his NoVA meetups and how great they sounded.
11 Nov 2011