Forensic 4:cast 2018

This year, I have been nominated by the #DFIR industry for two categories of the Forensic 4:Cast awards (https://forensic4cast.com/). Please vote for Devon Ackerman as "Digital Forensic Investigator of the Year" and vote for this website, AboutDFIR.com, for "Digital Forensic Resource of the Year" for 2018. Regardless of who you cast your Forensic 4:cast 2018 votes for, please consider joining Mary Ellen and me in Austin, Texas at the SANS conference to celebrate no matter…

AMD and Intel Chipset Vulnerabilities & Exploits: March 2018 Update

Author: ShadowSherlock
Editor: Devon Ackerman

UPDATE: March 2018

It seems we are nearing the end of the Spectre/Meltdown issues from a patch-availability standpoint. Intel has released microcode for the older Haswell (4th-generation) and Broadwell (5th-generation) processors; these replace the January microcode that Intel withdrew after it caused unexpected reboots on those generations. The reported performance hit is about 10% to 20% for real-world applications. Intel has also promised updates for the last generation of Core 2 Duo processors. All microcode updates are now being deployed…
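A host-side check a practitioner would want alongside this update, added here as an example and not code from the original post: on Linux it reads the CPU generation and microcode revision from /proc/cpuinfo and the kernel's per-issue mitigation state from /sys/devices/system/cpu/vulnerabilities; elsewhere it falls back to constructed sample data. The family-6 model table covers only the two generations named above and is taken from the Linux kernel's arch/x86/include/asm/intel-family.h; the SAMPLE_* strings are made up to match the file formats.

```python
"""Report CPU generation, microcode revision and Spectre/Meltdown mitigation state.

Hypothetical helper written for this page. Reads the real Linux files when they
exist, otherwise uses the constructed samples below.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Family-6 model numbers for Haswell and Broadwell, from the Linux kernel's
# arch/x86/include/asm/intel-family.h (the two generations the update names).
INTEL_FAM6 = {
    0x3C: "Haswell", 0x3F: "Haswell-X", 0x45: "Haswell-ULT", 0x46: "Haswell-GT3E",
    0x3D: "Broadwell", 0x47: "Broadwell-GT3E", 0x4F: "Broadwell-X", 0x56: "Broadwell-Xeon-D",
}

# Constructed sample of /proc/cpuinfo: a Broadwell-U laptop part (model 0x3D = 61).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 61
model name\t: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
stepping\t: 4
microcode\t: 0x2a
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2

processor\t: 1
"""

# Constructed sample of the sysfs vulnerability files, keyed by file name.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def parse_cpuinfo(text):
    """Parse the first 'processor' block of /proc/cpuinfo into a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # end of the first processor block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    vendor = fields.get("vendor_id", "")
    family = int(fields["cpu family"])
    model = int(fields["model"])
    codename = INTEL_FAM6.get(model, "unknown") if (vendor == "GenuineIntel" and family == 6) else "unknown"
    return {
        "vendor": vendor,
        "family": family,
        "model": model,
        "stepping": int(fields["stepping"]),
        "microcode": int(fields["microcode"], 16),
        "codename": codename,
        "bugs": fields.get("bugs", "").split(),
    }


def classify(state):
    """Map a sysfs vulnerability string to 'not affected', 'mitigated' or 'vulnerable'."""
    s = state.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # bare "Vulnerable" or "Vulnerable: <partial mitigation>"


def assess(cpuinfo_text, vulns):
    """Combine CPU identity, microcode revision and per-issue state into one report."""
    cpu = parse_cpuinfo(cpuinfo_text)
    states = {name: classify(value) for name, value in vulns.items()}
    return {
        "codename": cpu["codename"],
        "microcode": cpu["microcode"],
        "states": states,
        "unmitigated": sorted(n for n, s in states.items() if s == "vulnerable"),
    }


def read_live():
    """Assess the running host; returns None when the Linux sysfs directory is absent."""
    if not os.path.isdir(VULN_DIR):
        return None
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    vulns = {}
    for name in os.listdir(VULN_DIR):
        with open(os.path.join(VULN_DIR, name)) as f:
            vulns[name] = f.read()
    return assess(cpuinfo, vulns)


if __name__ == "__main__":
    report = read_live() or assess(SAMPLE_CPUINFO, SAMPLE_VULNS)
    print("CPU: %s, microcode 0x%x" % (report["codename"], report["microcode"]))
    for name, state in sorted(report["states"].items()):
        print("  %-12s %s" % (name, state))
    print("Unmitigated:", ", ".join(report["unmitigated"]) or "none")
```

A "Vulnerable: ..." string with a partial mitigation still counts as vulnerable here, which is the conservative reading for an examiner; a microcode revision on its own says nothing about mitigation unless the running kernel also reports it, which is why the two sources are combined.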

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, is currently working on a digital forensics research project. The next phase of his study is to develop a digital forensics tool typology: the goal is to identify the most important characteristics of digital forensics tools so that an examiner can quickly assess and select a tool appropriate for a particular task. The goal…

Digital Forensics & CPUs

Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics. Kind of a book here, but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now. I have done a couple of Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out. The chipsets for this platform seem to…

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…
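One way to triage these artifacts in a history export, added here as an example and not code from the original post: flag visits to host-fingerprinting sites that fall shortly after an RDP logon, then separate top-level navigations from resources that were loaded because another page referenced them. The history rows, the logon time and every domain in the list other than whoer.net are constructed for illustration.

```python
"""Triage browser history for post-RDP host fingerprinting. Hypothetical helper
written for this page; all sample data below is constructed, not case data."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Starter list of "what is my IP / browser" sites. whoer.net is the only one
# the post names; the others are this example's assumption.
IP_CHECK_DOMAINS = {"whoer.net", "ipinfo.io", "whatismyip.com", "2ip.ru"}

# Constructed sample: one interactive RDP logon time and a few history rows as
# (url, visit time, referring url). An empty referrer means the row was reached
# without a referring page (typed, bookmarked, or referrer stripped).
RDP_LOGONS = [datetime(2017, 9, 14, 3, 12, 5)]
HISTORY = [
    ("https://www.google.com/", datetime(2017, 9, 13, 10, 0, 0), ""),
    ("https://whoer.net/", datetime(2017, 9, 14, 3, 13, 40), ""),
    ("https://mc.yandex.ru/metrika/watch.js", datetime(2017, 9, 14, 3, 13, 41), "https://whoer.net/"),
    ("https://2ip.ru/", datetime(2017, 9, 14, 3, 15, 2), ""),
]


def host_of(url):
    """Hostname portion of a URL, lower-cased by urlparse; '' if unparseable."""
    return urlparse(url).hostname or ""


def flag_fingerprint_visits(history, logons, window=timedelta(minutes=30)):
    """History rows that hit a fingerprinting site within `window` after any logon."""
    hits = []
    for url, when, ref in history:
        if host_of(url) not in IP_CHECK_DOMAINS:
            continue
        if any(t <= when <= t + window for t in logons):
            hits.append((url, when, ref))
    return hits


def split_direct_vs_embedded(history):
    """Separate rows with no referrer from rows pulled in by another page.

    Returns (direct_rows, {referring_url: [loaded_url, ...]}). A .ru hit that
    only ever appears with a referrer was fetched by the page named in that
    referrer, not navigated to by the user.
    """
    direct = [row for row in history if not row[2]]
    embedded = {}
    for url, when, ref in history:
        if ref:
            embedded.setdefault(ref, []).append(url)
    return direct, embedded


def triage(history, logons):
    """Flagged fingerprinting visits, each with the resources that page loaded."""
    _, embedded = split_direct_vs_embedded(history)
    return [
        {"url": url, "when": when, "loaded": embedded.get(url, [])}
        for url, when, _ in flag_fingerprint_visits(history, logons)
    ]


if __name__ == "__main__":
    for item in triage(HISTORY, RDP_LOGONS):
        print("%s  %s" % (item["when"].isoformat(), item["url"]))
        for loaded in item["loaded"]:
            print("    loaded: %s" % loaded)
```

Real history stores carry this relationship natively (Chrome's `visits.from_visit` and transition type, Firefox's `moz_historyvisits.from_visit`), so in practice the referrer column is populated from those tables rather than from a flat URL list.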

Petya Ransomware Recap

Twitter, news media, and malware researchers were busy the past 30 hours as news broke of a ransomware variant identified as Petya (NotPetya) that leveraged ETERNALBLUE to spread, similar to how WannaCry had spread back in May 2017. While variants of Petya have been seen going back a few months, with code similarities shared with the PetrWrap and GoldenEye/Mischa ransomware strains, this quickly spreading variant leveraged a different attack than WannaCry in that it…

SANS DFIR Summit 2017 Wrapup

Awesome presentations, great humor throughout, and well-deserved wins across all of the Forensic 4:cast awards. It was tough to compete in the same category as Magnet Forensics and Cellebrite, and having been nominated to the top 3 alongside these two was humbling. It was my first SANS Summit, but it certainly won't be my last; I am already blocking off my calendar for next year. It also got me thinking about a book that I had started about a…

Here in Austin, Texas!

SANS DFIR Summit 2017 is beginning with pre-registration this evening, followed by the first two days on Thursday and Friday. Can't wait to meet everyone.