Network Forensics Puzzle #3 Finalist!
Today, results were posted for Sherri Davidoff and Jonathan Ham’s third network forensics puzzle contest. The puzzles, hosted at forensicscontest.com, are meant to encourage the development of network forensic tools that might be integrated into SANS training and toolkits. Puzzle #3 involved pulling information from an Apple TV device’s network traffic.
I participated in [...]
GhostExodus, the ETA, and a Control-Systems Incident at Carrell Clinic (Part 1)
My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie who was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon [...]
Dale Beauchamp on RAM forensics for incident handlers
Marcus J. Carey has uploaded videos from January 8th’s DojoSec event to his Vimeo account here. I just watched Dale Beauchamp’s talk, “Practitioner’s Guide to Capturing and Analysis of RAM”, and enjoyed it. It’s definitely worth watching, especially if you’re coming at this from the perspective of an incident handler. He presents a few Windows [...]
Slides for a forensics class lecture on ext2/3
Tomorrow at 8:00AM, I will be giving a lecture to the CSE 4273/6273 Computer Crime and Forensics class here at Mississippi State University. I was asked to speak on the topic of “Linux Filesystems”, and I have chosen to focus on the ext2 and ext3 filesystem data structures. The class is using the excellent “File [...]
Video of msramdmp being demonstrated by Intelguardians Liston and Davidoff
I was searching for something completely different on Google’s video search and ran across this video of Tom Liston and Sherri Davidoff demonstrating cold-boot memory attacks at CanSecWest. As I have covered before, they used my msramdmp tool to make an image of RAM.
Princeton Cold-Boot Memory Forensics Tools Released
Today, Jacob Appelbaum is giving a talk at The Last HOPE conference on the Princeton team’s tools for dumping RAM and recovering encryption keys from memory after a cold boot. These are the tools that were demonstrated some months ago, and got everyone interested in the security of whole-disk encryption products. There was a lot of interest [...]
Sexyhacking.com censorship fail.
It’s a weekend, so I’m all for a fun post.
The sexyhacking.com videos are not safe for work, however they’re probably even less arousing than you’d think. They are hosted on YouTube, after all. You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be [...]
Scammer edits Wikipedia entry on Advance fee fraud
Last night, I received a phishing email wanting my university email account information. Whenever I’m picking through email headers, or doing any other kind of network forensics, I find it useful to punch the IP addresses I find into Google. You can often build a good picture of what that particular system or network is used [...]
The Defendant, Wesley McGrew
I just received these two pictures via email from my major professor, and thought I’d share. They’re from a series of mock trials that were held for this past fall semester’s computer forensics class. The students had the opportunity to take the stand and present expert witness testimony regarding the evidence that they had examined [...]
msramdmp Now Available as a Bootable ISO
A lot of older computers have issues with booting from USB. I have computers that I can’t boot from USB, and so do some people that have wanted to experiment with msramdmp. I have had a few people ask about booting msramdmp from a CD (and an email from one person who did it themselves!), [...]