Tuesday, April 14, 2009

SANS "WhatWorks in Forensics and Incident Response Summit" in July

The agenda is out and it looks to be a fantastic lineup of expert briefings and panels. The summit will be in Washington DC on July 7 and 8, 2009. I was lucky enough to be chosen to be on the "Essential Forensic Tools" panel. With me on the panel are some of the big names in the Forensic/IR community:

Jesse Kornblum, who has made significant contributions with the free tools he has provided (MD5Deep, SSDeep, Miss Identify and others) as well as the excellent papers he has written ("Using Every Part of the Buffalo in Windows Memory Analysis" and "Implementing BitLocker Drive Encryption for Forensic Analysis", among others). Jesse also has a blog that can be found here.

Troy Larson, who is the Senior Forensic Investigator with Microsoft's IT Security Group. Troy has presented many times at different conferences (Recovering Information from Deleted Security Event Logs, Vista Shadow Volume Forensics, etc.) and is a coauthor of the Handbook of Computer Crime Investigation: Forensic Tools and Technology.

and finally

Lance Mueller of the blog Computer Forensics, Malware Analysis and Digital Investigations. Lance has provided many EnScripts on his blog for anyone to use. I do not use EnCase, but I have learned many things by looking at the EnScripts that Lance has developed; they have given me insights into many areas of computer forensics.

I look forward to joining this panel of experts who have distinguished themselves in the field of Computer Forensics and Incident Response, as well as meeting quite a few people with whom I have had the privilege of trading ideas and emails.


As always Thoughts/Comments/Questions.........

Wednesday, February 18, 2009

Gmail offline...

Not too long ago someone brought to my attention that Gmail was offering the ability to have your Gmail account offline. What this means is that you can look at all the e-mail that has been synced even when you are not connected to the net; sorry to say, as far as I can tell you cannot send e-mails or save them at this time. I have come up with a parser for your offline Gmail account. It only does the basics right now, but we will look to add more in the future. Some of the sample reports are:

1. Contact information
2. Email conversations with hyperlink to email
3. Word Xref to email

That last one has two flavors depending on the option you pick when you run the parser. In the GUI, if you choose not to create the e-mail xref report, you will only get a report with all the distinct words in the e-mails. If you choose to create the e-mail xref report, it will create the report of distinct words, and each word will be hyperlinked to a report that shows every e-mail the word appears in. This may take a while depending on how big the mailbox is, but it is pretty cool.
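The two flavors of the word report come down to an inverted index over the messages. The Python below is an added illustration written for this post, not the author's Gmail parser; it assumes a list of already-parsed messages (constructed sample data with an id, subject and body) and builds the distinct-words report with or without the hyperlinked per-word cross-reference.

```python
import html
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed sample messages standing in for conversations parsed out of the
# offline-Gmail store (assumption: each has an id, a subject and a body).
SAMPLE_EMAILS = [
    {"id": "msg-001", "subject": "Invoice attached",
     "body": "Please review the attached invoice before Friday."},
    {"id": "msg-002", "subject": "Re: Invoice attached",
     "body": "Reviewed. The invoice total looks wrong."},
    {"id": "msg-003", "subject": "Lunch",
     "body": "Friday lunch at noon?"},
]

WORD_RE = re.compile(r"[A-Za-z0-9']+")


def tokenize(text):
    """Distinct lower-cased words in a piece of text."""
    return {w.lower() for w in WORD_RE.findall(text)}


def build_word_xref(emails):
    """Inverted index: each distinct word -> sorted ids of the e-mails containing it."""
    index = defaultdict(set)
    for msg in emails:
        for word in tokenize(msg["subject"] + " " + msg["body"]):
            index[word].add(msg["id"])
    return {word: sorted(ids) for word, ids in index.items()}


def word_report_name(word):
    """File name of the per-word report that the distinct-words list links to."""
    return f"word_{quote(word, safe='')}.html"


def render_words_report(index, with_xref):
    """Distinct-words report; with_xref=True hyperlinks each word to its e-mail list."""
    lines = ["<html><body><h1>Distinct words</h1><ul>"]
    for word in sorted(index):
        label = html.escape(word)
        if with_xref:
            label = f'<a href="{word_report_name(word)}">{label}</a>'
        lines.append(f"<li>{label} ({len(index[word])})</li>")
    lines.append("</ul></body></html>")
    return "\n".join(lines)


def render_word_xref_report(word, index, emails):
    """Per-word report listing every e-mail the word appears in, linked by id."""
    by_id = {m["id"]: m for m in emails}
    lines = [f"<html><body><h1>E-mails containing '{html.escape(word)}'</h1><ul>"]
    for msg_id in index.get(word, []):
        subject = html.escape(by_id[msg_id]["subject"])
        lines.append(f'<li><a href="{quote(msg_id)}.html">{subject}</a></li>')
    lines.append("</ul></body></html>")
    return "\n".join(lines)


if __name__ == "__main__":
    idx = build_word_xref(SAMPLE_EMAILS)
    print(render_words_report(idx, with_xref=True))
    print(render_word_xref_report("invoice", idx, SAMPLE_EMAILS))
```

The per-word reports are only worth generating when the xref option is on, which is why the second flavor takes longer on a big mailbox: it is one extra HTML file per distinct word. Subjects and words are HTML-escaped before they land in the report so that message content cannot inject markup into the investigator's own report pages.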

The program can be found here.

As always Questions/Comments/Suggestions.

Monday, February 9, 2009

Updated Prefetch Parser......

I have updated the prefetch parser so it will now read all the prefetch files in a directory. It will produce a main report that shows each prefetch file, the actual file name, the number of times run and the embedded date/time. You can also click on the prefetch file name and see the DLLs/files that were loaded when the program was run. This will work for XP, 2003 and Vista. The new program can be found here. I have left the old program out there as well in case you still want to parse a single file.
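The fields that report pulls out (executable name, run count, last-run time and the loaded file list) all come from the prefetch header, and the reason the parser has to know whether a file is from XP/2003 or Vista is that two of those fields move between the version 17 and version 23 layouts. The Python below is an added example, not the author's program; the offsets are from the published prefetch format description, and the sample .pf image is constructed in code rather than taken from a real system.

```python
import glob
import os
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets of the fields that move between header versions
# (17 = XP/2003, 23 = Vista); everything else used here sits at a fixed offset.
_LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "header_len": 0x98},
    23: {"last_run": 0x80, "run_count": 0x98, "header_len": 0xA0},
}

# Constructed loaded-file list for the demo image (not from a real system).
SAMPLE_FILES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE",
]


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Pull name, run count, last-run time and loaded files out of a .pf image."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    layout = _LAYOUT[version]
    # 0x10: executable name, 60 bytes of UTF-16LE, null terminated
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x64/0x68: offset and size of the filename-strings section
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, layout["last_run"])
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
    return {
        "version": version,
        "exe_name": exe_name,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        "loaded_files": [s for s in raw.split("\x00") if s],
    }


def parse_prefetch_directory(path):
    """Parse every *.pf in a directory, keyed by prefetch file name (the main report)."""
    results = {}
    for pf in sorted(glob.glob(os.path.join(path, "*.pf"))):
        with open(pf, "rb") as fh:
            try:
                results[os.path.basename(pf)] = parse_prefetch(fh.read())
            except ValueError as err:
                results[os.path.basename(pf)] = {"error": str(err)}
    return results


def build_sample_prefetch(version, exe_name, run_count, last_run, files):
    """Constructed minimal .pf image for the demo; not a file from a real system."""
    layout = _LAYOUT[version]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    buf = bytearray(layout["header_len"] + len(strings))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, len(buf))
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", buf, 0x64, layout["header_len"], len(strings))
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    buf[layout["header_len"]:] = strings
    return bytes(buf)


def build_demo(version):
    """Demo image for one header version (constructed values)."""
    return build_sample_prefetch(version, "NOTEPAD.EXE", 7,
                                 datetime(2009, 2, 9, 12, 30, tzinfo=timezone.utc),
                                 SAMPLE_FILES)


if __name__ == "__main__":
    print(parse_prefetch(build_demo(23)))
```

The version check matters for the directory mode: a single misread offset would silently give the wrong run count or a nonsense timestamp for every Vista file in a folder of XP files (or the other way round), so an unknown version is reported per file rather than guessed.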

As always Questions/Comments/Thoughts?

Tuesday, January 27, 2009

Internet Parser Update

In honor of Randy G (see this post), and the fact that I found a new browser, I have updated the Internet parser program to include the Flock browser, which is based on the Mozilla framework. I have not done an extensive analysis on it yet, but I have done enough to know it fits right in with Firefox 3.x and Google Chrome, as it uses SQLite to store its history and other files. One thing to note is that there is a new report called Form History. This is a new database that Flock uses to keep data that was entered into any forms. That is about all I know about the forms at this point. There are quite a few new databases that Flock uses, and I will have to test them out to see what data points can be pulled out.

So in honor of Randy G. here is the download.

Questions/Comments/Suggestions?

DOD Cybercrime Conference......

Well, the DOD Cybercrime Conference should be getting into full swing now. Unfortunately I could not attend, but it sounds like it will be a great conference. If anyone who reads this is attending, please find Randy G., who created this year's (2009) and last year's (2008) DC3 challenge, shake his hand and tell him what a wonderful job he did creating and running the challenge last year. Since I cannot tell him personally, as I am not there, I will do that here.

Great job with the challenge, Randy. Keep up the fantastic work; I look forward to this year's challenge.


Questions/Comments/Suggestions?

Wednesday, December 31, 2008

Happy New Year

Thanks for stopping by this year. I hope I have helped some of you out with the programs/information I have provided. As always I wish I had posted more, but things always seem to get in the way. I will be planning on posting more next year. If you can think of any topics or programs that would be nice to see or have, shoot me an email and we can discuss them: mark dot mckinnon at sbcglobal dot net.

I hope everyone has a safe and happy new year.

Mark

Updates Before the New Year

Here are a few updates to some of the programs I have provided this year.

Skype Log Parser:

This program will now parse the voicemail logs and report on them. It will also extract some more information about the users. The avatars will also be parsed out and saved to the report directory as well. The program can be found here. I also want to thank the University of New Orleans (Team NSSAL) for using this program in the DC3 Challenge this year. I created the program for my own use in the challenge, but when I got bogged down with other things I thought I would release it in the hope that someone would use it for the challenge.

Thumbnail_Html:

I do not recall if I ever released this or not, but what it will do is parse a directory and create a web page with thumbnails of the graphics files in it. This program is good if you need to create a file with graphics that you want to send to someone, or put on a CD/DVD. This program will also read some of the EXIF info for the graphics and output that information as well. The program can be found here.

Internet Parser:

This is the updated Google Chrome parser with a few more reports, and I have also added the option to include Firefox history files as well. With this program, if someone had both Firefox and Google Chrome, you can add both of their history files to the same database and produce one report instead of multiple reports. This program can be found here.
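Putting Firefox/Flock and Chrome history into one database, as this update and the Flock post above describe, works because all three browsers keep history in SQLite; the catch is that the two families store timestamps against different epochs (Mozilla counts microseconds from 1970, Chrome counts microseconds from 1601), so visits must be normalized before a single chronological report makes sense. The Python below is an added example, not the author's Internet parser; the two history databases are constructed in memory with only the columns the merge needs, and the table and column names follow the Firefox 3 places.sqlite and Chrome History schemas.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Mozilla PRTime base
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome/WebKit base


def mozilla_to_utc(us):
    """Firefox/Flock moz_historyvisits.visit_date: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def chrome_to_utc(us):
    """Chrome visits.visit_time: microseconds since 1601-01-01, not Unix time."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def _us_since(epoch, dt):
    return (dt - epoch) // timedelta(microseconds=1)


def make_sample_mozilla_db():
    """Constructed places.sqlite with the columns the merge needs (not a real profile)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER);
    """)
    db.execute("INSERT INTO moz_places VALUES (1, 'http://example.test/login', 'Login')")
    db.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?, 1)",
               (_us_since(UNIX_EPOCH, datetime(2009, 1, 27, 10, 0, tzinfo=timezone.utc)),))
    return db


def make_sample_chrome_db():
    """Constructed Chrome History database (not a real profile)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, transition INTEGER);
    """)
    db.execute("INSERT INTO urls VALUES (1, 'http://example.test/', 'Home')")
    db.execute("INSERT INTO urls VALUES (2, 'http://example.test/download', 'Download')")
    for vid, url_id, when in [(1, 1, datetime(2009, 1, 27, 9, 30, tzinfo=timezone.utc)),
                              (2, 2, datetime(2009, 1, 27, 11, 0, tzinfo=timezone.utc))]:
        db.execute("INSERT INTO visits VALUES (?, ?, ?, 0)",
                   (vid, url_id, _us_since(WEBKIT_EPOCH, when)))
    return db


# Per history format: the visit query and the converter for its timestamp column.
_SOURCES = {
    "mozilla": ("SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
                "JOIN moz_places p ON p.id = v.place_id", mozilla_to_utc),
    "chrome": ("SELECT v.visit_time, u.url, u.title FROM visits v "
               "JOIN urls u ON u.id = v.url", chrome_to_utc),
}


def merge_history(sources):
    """Load (kind, connection) pairs into one table with timestamps normalized to UTC."""
    combined = sqlite3.connect(":memory:")
    combined.execute(
        "CREATE TABLE visits(browser TEXT, visited_utc TEXT, url TEXT, title TEXT)")
    for kind, conn in sources:
        query, convert = _SOURCES[kind]
        rows = [(kind, convert(ts).isoformat(), url, title)
                for ts, url, title in conn.execute(query)]
        combined.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", rows)
    combined.commit()
    return combined


def timeline(combined):
    """One chronological report across every browser that was loaded."""
    return combined.execute(
        "SELECT browser, visited_utc, url FROM visits ORDER BY visited_utc").fetchall()


if __name__ == "__main__":
    merged = merge_history([("mozilla", make_sample_mozilla_db()),
                            ("chrome", make_sample_chrome_db())])
    for row in timeline(merged):
        print(*row)
```

Flock's history file uses the Mozilla layout, so it loads through the "mozilla" source unchanged. The ISO-8601 text column sorts correctly only because every timestamp is rendered in the same UTC offset; mixing local-time strings from different machines into the same column would quietly break the ordering, which is exactly the kind of error a combined report hides.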

Internet History:

This program reads in the Internet Explorer index.dat, the cookie index.dat and the History index.dat files and produces reports on them. The reports should be similar to those of the Internet parser program. That program can be found here.

I hope you enjoy all these updated and new programs and get quite a bit of use out of them.

As always Questions/Comments/Suggestions/Thoughts?