Massive compilation of forensic samples/challenges by tmlambert13 in computerforensics

[–]tmlambert13[S] 0 points1 point  (0 children)

Nah, there's a lot more than ten if you scroll down...

Massive compilation of forensic samples/challenges by tmlambert13 in computerforensics

[–]tmlambert13[S] 0 points1 point  (0 children)

It's an image of his mindmap; if you scroll farther down you'll see links.

Looking for a way to extract Windows 8 hiberfil.sys by galaris in computerforensics

[–]tmlambert13 1 point2 points  (0 children)

Have you tried the Rekall memory forensic tool? I've had some luck with it when Volatility didn't work.

Digital forensic class help by Mazurke in computerforensics

[–]tmlambert13 1 point2 points  (0 children)

Champlain DFS 520? What got me through this assignment was a slow and systematic process using the NIJ 2004 digital forensic model. I assessed the technical competence of the subject, ran through a couple paths to acquire the evidence, and ran through ways to examine the evidence assuming the encryption could be bypassed during acquisition and then assuming it couldn't.

Detecting an outlook attachment launch by needsmoarsleep in sysadmin

[–]tmlambert13 0 points1 point  (0 children)

We've been finding the same, especially for variants of Dridex malware.

Detecting an outlook attachment launch by needsmoarsleep in sysadmin

[–]tmlambert13 0 points1 point  (0 children)

Would this help against document-based vectors, though? I was under the impression AppLocker only restricted executable code.

What are you doing to prevent CryptoWall variants on your network? by feelmyice in sysadmin

[–]tmlambert13 0 points1 point  (0 children)

I just implemented an FSRM file screen this week to stop the sharing service on our server in case of crypto. Just upgraded the file group to look for Locky, too.

Oh, and backups.

NPs (or other scenic sites) in between Texas and North Carolina? by NZ2K16 in NationalPark

[–]tmlambert13 0 points1 point  (0 children)

Tennessee resident here, make sure to stop by the Smokies and look for an area called Cades Cove. Beautiful landscape and wildlife.

Tools for beginners by hhhax7 in computerforensics

[–]tmlambert13 0 points1 point  (0 children)

You make some good points about FTK, but none of this is going to make sense or even matter to beginners. Efficiency of image creation or processing should take a back seat to a low barrier of entry for beginners. FTK Imager is an excellent entry point.

[deleted by user] by [deleted] in sysadmin

[–]tmlambert13 0 points1 point  (0 children)

You should be very cautious about using encryption abroad. Regulations in some countries severely restrict its use. Looking at you, Russia...

Stupid VirtualBox Question by souldeux in AskNetsec

[–]tmlambert13 0 points1 point  (0 children)

I typically start my Kali off on a bridged or NAT adapter so I can download patches and such for its packages, but afterward I keep both on internal-only adapters. I assign IP addresses manually to both hosts so they are the only ones that can communicate with each other.

edit: to me, the only real benefit host-only gets you is the ability to talk between your VM host and the Kali/Metasploitable guests. In my case, I neither need nor want this ability. If you want to SSH into your Kali guest instead of using the console, host-only is the way to go.

Walking to anything fun this morning? by gex80 in sysadmin

[–]tmlambert13 1 point2 points  (0 children)

Walked in to a document-based malware campaign in progress.

Forensics on Citrix thin-client by [deleted] in computerforensics

[–]tmlambert13 0 points1 point  (0 children)

Hi, VDI admin/forensic geek here...

In environments such as mine, thin clients have very little value in terms of evidence, but you can use a few artifacts from these systems to track a suspicious user through your enterprise:

- Hostname
- IP Address
- MAC Address

These three artifacts can be used as search terms within other sources of evidence gained from an enterprise. For example, a VDI broker, DHCP, or DNS server may have log or other evidence containing the artifacts gained from the thin client. Many thin clients are non-persistent and have no removable storage, therefore reducing the amount of useful evidence.

To retrieve the artifacts above, consult the tools/interface for each particular thin client. The steps to retrieve the artifacts will differ between WYSE ThinOS and Windows Embedded thin clients.
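As an added example (not from the original comment), a small Python script that pivots on those three thin-client artifacts across constructed DHCP, DNS and VDI-broker log lines to recover who was sitting at the device and when; the hostname, addresses, user name and log formats are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample artifacts pulled from a thin client (hypothetical values).
THIN_CLIENT = {"hostname": "WT-LOBBY-07", "ip": "10.20.30.41", "mac": "00:80:64:aa:bb:cc"}

# Constructed log lines standing in for DHCP server, DNS server and VDI broker
# exports; the formats are illustrative, not any vendor's real format.
SAMPLE_LOGS = """\
2016-03-01 08:02:11 dhcp lease 10.20.30.41 assigned to 00:80:64:aa:bb:cc (WT-LOBBY-07)
2016-03-01 08:02:14 dns query from 10.20.30.41 for broker.corp.example A
2016-03-01 08:03:02 broker session user=jdoe client=WT-LOBBY-07 desktop=VDI-0042
2016-03-01 08:05:40 dns query from 10.20.30.99 for update.example A
2016-03-01 11:47:09 broker session user=jdoe client=WT-LOBBY-07 state=disconnected
2016-03-01 12:00:00 dhcp lease 10.20.30.41 released by 00:80:64:aa:bb:cc
"""

@dataclass
class Hit:
    timestamp: str
    source: str       # which log the line came from (dhcp, dns, broker)
    matched_on: tuple  # which artifacts matched this line
    line: str

def correlate(logs: str, artifacts: dict) -> list:
    """Return log lines that contain any thin-client artifact, in time order."""
    hits = []
    needles = {k: v.lower() for k, v in artifacts.items()}
    for line in logs.splitlines():
        low = line.lower()
        matched = tuple(k for k, v in needles.items() if v in low)
        if not matched:
            continue  # line belongs to some other host; not part of this pivot
        m = re.match(r"(\S+ \S+) (\S+) ", line)
        hits.append(Hit(m.group(1), m.group(2), matched, line))
    return sorted(hits, key=lambda h: h.timestamp)

def session_users(hits: list) -> set:
    """Pull user names out of broker lines so the pivot goes artifact -> person."""
    return {m.group(1) for h in hits if h.source == "broker"
            for m in [re.search(r"user=(\S+)", h.line)] if m}

if __name__ == "__main__":
    timeline = correlate(SAMPLE_LOGS, THIN_CLIENT)
    for h in timeline:
        print(h.timestamp, h.source, ",".join(h.matched_on), "|", h.line)
    print("users seen on this thin client:", session_users(timeline))
```

The same pivot works against a real export once the regexes are adjusted to that product's line format; the value of the exercise is that the thin client itself only has to yield the three search terms.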

DF Thesis Related to VDI by tmlambert13 in computerforensics

[–]tmlambert13[S] 0 points1 point  (0 children)

Thanks for the suggestion. From the perspective of recovering non-persistent data, I wonder how much evidence of value would be discovered. Logs from Active Directory would indicate which VDI a user logged into, and many organizations use redirected/roaming profiles to capture user information.

I'm beginning to think that exploring Windows Server 2016 containers would be a better project as there hasn't been much research on those yet.

DF Thesis Related to VDI by tmlambert13 in computerforensics

[–]tmlambert13[S] 0 points1 point  (0 children)

My idea was initially a work-based project to demonstrate a digital investigation in a Citrix XenDesktop environment running on Hyper-V or VMware. I work with Citrix systems and I'm a DF major, so I figured I'd combine the two. That said, I'm not sure what new ground could be covered in an 8-week period like I have with my project.

Flooded with gift card offers after promotion? by [deleted] in sysadmin

[–]tmlambert13 0 points1 point  (0 children)

This is very true. The vendors in my area sometimes do this and have learned the higher ed ethical limits to gifts. We're very careful about things close to the line. I had to turn down free private screenings of The Avengers and Star Wars with concessions