QOTD on Digital Forensics
Digital forensics is much harder than crime forensics. When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened. -- Dan Kaminsky, Director of Penetration Testing at IOActive
Src: Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel - breaches/Security | DarkReading
Labels:
cybercrime,
forensics
QOTD on Fraud & Denial
Nobody really likes to know that a fraud is occurring under their noses. I have had fraud victims in complete denial when you show them all of the evidence of what has been transpiring and what has been transpiring for some time; where I have actually said 'We want to do a full investigation, can we pursue this?,' and they are so in denial in the 'it can't happen here' that it's hard to understand. People should look within their own organizations. They see fraud on the outside and they wipe their brow and say 'Whew, it hasn't happened to me!' But as I said, fraud is hidden so they are not going to know it; it is not going to rear its ugly head as obviously as one might think. -- Allan Bachman, Education Manager for the Association of Certified Fraud Examiners (ACFE)
Src: Fighting Fraud - Allan Bachman, Association of Certified Fraud Examiners
Labels:
cybercrime,
financial_data,
forensics,
people
Incident Response Templates, Cheat Sheets, and more
Yesterday I put out a call to the Twitterverse looking for Incident Response templates. There were many excellent suggestions so I decided to aggregate them here for future use.
Good start:
http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html
http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
CIO-level http://www.cio.com/research/security/incident_response.pdf
DDoS-related - http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html
Good list - http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3629.msg19357/topicseen,1/
More depth:
http://www.first.org/resources/guides/
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Also see the related NIST guides: SP 800-86, SP 800-83, SP 800-61 Rev. 1
http://www.sans.org/score/incidentforms/
http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
http://labmice.techtarget.com/security/incidentresponse.htm
Digital Forensic Analysis Methodology Flowchart (PDF) http://www.cybercrime.gov/forensics_chart.pdf
Additional (not-IR specific sites):
http://www.cert.org/octave/
http://www.cerias.purdue.edu/tools_and_resources/
http://www.owasp.org/index.php/Main_Page
http://www.uribe100.com/index100.htm
Again, thanks to many in the Twitterverse who contributed: @lennyzeltser @shpantzer @idexperts @mikemurr @jth @cyberlocksmith @indi303 @raydavidson @richardebaker
Labels:
forensics,
irp/drp/bcp
QOTD - EnCase, FTK, and Hammers
EnCase Enterprise is not "court validated." FTK Enterprise is not "court validated." And they never have been. In competent hands, computer forensics is not a black box, pushbutton art, so the integrity of process hinges on the carpenter, not on the hammer. -- Craig Ball
Src: "We're Both Part of the Same Hypocrisy, Senator" | EDD Update [tx @robtlee]
QOTD - Northcutt on Incident Response
The majority of security appliances report what happened, but not who was behind the activity, historical information about that system or similar events.
...
With log monitoring, nothing succeeds like success.
...
Logging, which is usually considered dull and boring work, becomes exciting. -- Stephen Northcutt, President of the SANS Technology Institute
Src: Whodunnit? | SearchSecurity.com
Labels:
cybercrime,
forensics,
irp/drp/bcp,
qotd,
security_solutions
On slack space, unused space, and unallocated space
Computer concepts in general, and forensic concepts in particular, are often hard to explain to lay folks. This article does a good job of providing analogies for slack space, unused space, and unallocated space.
Src: Don’t let what Happened to Heartland Happen to You – Part One Ascension Blog [tx @kriggins]
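As an added illustration (this is not code from the linked article or from Ascension), the toy disk below makes the three terms concrete. It assumes a 512-byte cluster, an 8-cluster volume, a simple allocation bitmap, constructed file contents, and the usual forensic definitions: slack is the tail of a file's last cluster past its logical end, unallocated clusters are those the bitmap no longer marks in use (deleted data may still be there), and unused clusters have never been written at all. How these map onto the article's analogies is my assumption.

```python
"""Toy disk image showing slack, unallocated and unused space.

Constructed example: cluster size, volume size, file contents and the
definitions are all assumptions chosen for illustration.
  slack       - bytes between a file's logical end and the end of its last cluster
  unallocated - clusters not marked in use (may still hold deleted data)
  unused      - clusters never written since the volume was created (still zeros)
"""
CLUSTER = 512        # assumed cluster size in bytes
N_CLUSTERS = 8       # assumed tiny volume: 8 clusters = 4 KiB


class ToyDisk:
    def __init__(self):
        self.image = bytearray(CLUSTER * N_CLUSTERS)   # factory-fresh: all zeros
        self.bitmap = [False] * N_CLUSTERS             # allocation bitmap
        self.files = {}                                # name -> (clusters, size)

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)              # ceil(len / CLUSTER)
        free = [i for i, used in enumerate(self.bitmap) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, c in enumerate(free):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the file's own bytes are written; the rest of the last
            # cluster keeps whatever it held before, which is the slack residue.
            self.image[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.bitmap[c] = True
        self.files[name] = (free, len(data))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        for c in clusters:            # typical delete: flip the bitmap, data stays
            self.bitmap[c] = False

    def slack(self, name):
        """Bytes in the file's last cluster beyond the file's logical end."""
        clusters, size = self.files[name]
        last = clusters[-1]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def unallocated(self):
        """Clusters the bitmap says are free, regardless of their contents."""
        return [i for i, used in enumerate(self.bitmap) if not used]

    def unused(self):
        """Free clusters that are still all zeros, i.e. never written."""
        return [i for i in self.unallocated()
                if not any(self.image[i * CLUSTER:(i + 1) * CLUSTER])]

    def carve(self, needle):
        """Offset of a byte string anywhere in the raw image, allocated or not."""
        return self.image.find(needle)


def demo():
    """Constructed scenario: card data written, deleted, then partly overwritten."""
    d = ToyDisk()
    secret = b"CARD=4111111111111111;EXP=12/29;" * 40   # 1280 bytes -> 3 clusters
    d.write("track.txt", secret)
    d.delete("track.txt")                                # bitmap cleared, bytes remain
    d.write("readme.txt", b"hello world\n" * 50)         # 600 bytes -> clusters 0 and 1
    return d


if __name__ == "__main__":
    d = demo()
    print("readme.txt clusters/size:", d.files["readme.txt"])
    print("slack bytes:", len(d.slack("readme.txt")),
          "contains card number:", b"4111111111111111" in d.slack("readme.txt"))
    print("unallocated:", d.unallocated(), "unused:", d.unused())
    print("first 'CARD=' carved at offset:", d.carve(b"CARD="))
```

The 600-byte readme overwrites cluster 0 entirely but only the first 88 bytes of cluster 1, so the remaining 424 bytes of that cluster, the readme's slack, still carry the deleted card data. Cluster 2 holds the rest of the deleted file and is unallocated but not unused; clusters 3 to 7 are both. A raw search over the image finds the residue at offset 608, which is exactly why wiping and sanitization matter and why "deleted" is not the same as "gone".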
Labels:
forensics
10 Things About Hard Drives You Didn't Know (ShmooCon'09 - YouTube)
Scott Moulton, a rising star in the computer forensics world (he recently created a new SANS forensics course), gave a talk at ShmooCon 2009 entitled "10 Things About Hard Drives You Didn't Know." Here are the parts of his talk on YouTube (to be watched in sequence):
- http://www.youtube.com/watch?v=fst8IZup44c
- http://www.youtube.com/watch?v=wXmennd0xkM
- http://www.youtube.com/watch?v=_Iw2I2hxjSA
- http://www.youtube.com/watch?v=GZLLeMP6uII
- http://www.youtube.com/watch?v=ylEiGEcKqN0
Labels:
conferences,
forensics