Last week I was in Boston teaching SANS FOR 408: Computer Forensic Essentials, now renamed Windows Forensics In-Depth. Thank you to all those in my class; it was fun. Huge thanks to my facilitator, Mike.
I mention the course here, because I had a mix of students from experienced veterans to those brand new to the field. The course offers something for everyone. My favorite part of the week was the last day’s challenge exercise where students are divided up into teams and work a case and then have an opportunity to present their findings at the end of the day. I had more than a handful of law enforcement in the room and though they quickly cracked the case, they didn’t want to present. They did play the attorney role very well during the “mock trial” and I think it really gave the students an idea of what they may be facing when and if they ever have to go to court.
This week's case leads include several items I pulled from the DFIR mailing list, among them an announcement about Volatility's support for Linux and an older, but still valuable, post from Anton Chuvakin on discovering compromised systems.
If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to email@example.com.
- Andrew Case has been working with the developers of Volatility to add Linux memory analysis support to the framework. He says it is still very much in beta, but that it is at a point where he's comfortable having a wider audience check it out. More information may be found at
- I came across an interesting slide deck for a presentation given last week in Madrid at Rooted Con called radare2: from forensics to bindiffing. The main site for radare looks to have plenty of documentation available to get started experimenting.
- For those into reverse engineering, a good post on the PE Header from Marco Ramilli.
- And from a discussion on the SANS Digital Forensics and Incident Response (DFIR) mailing list, an old post from Anton Chuvakin on Issues Discovering Compromised Machines.
- CanSecWest 2011 is under way, which means TippingPoint's Pwn2Own 2011 competition is under way as well. ZDNet has the story.
- And Bloomberg.com has a story on what appears to be more fallout this week from the Anonymous attacks against HBGary and HBGary Federal, including news that DuPont, Johnson & Johnson, GE and Disney were possibly victims of the Aurora-style attacks that hit Google last year.
- First-ever Honeynet Project Public Conference – Paris, France, March 21, 2011
- Forensics 408: Computer Forensics Essentials – Morristown, NJ – May 9 – 14, 2011
- Guidance Software Computer and Enterprise Investigations Conference (CEIC) 2011 – Orlando, May 15 – 18, 2011
- AccessData User’s Conference – Las Vegas, May 15 – 18, 2011
- SANS What Works in Forensics and Incident Response Summit – Austin, TX, June 7 – 8, 2011
- 3rd International ICST Conference on Digital Forensics & Cyber Crime – Dublin, Ireland, October 26 – 28, 2011
- The 2011 Sleuth Kit and Open Source Digital Forensics Conference has issued a call for papers. The event will be held on 14 June in McLean VA, and the CFP is available here.
- The ACFE is holding a fraud conference in San Diego, CA on June 12-17, 2011. Track E of the conference is geared specifically toward investigators performing digital forensics. More info on the conference is available at http://www.fraudconference.com.
- 2011 DC3 Digital Security Challenge for US High School Students. Registration now open!
Digital Forensics Case Leads for 20110310 was compiled by Dave Hull, forensicator, IRer and Community SANS instructor. If you have an article to suggest for case leads please email it to firstname.lastname@example.org.