Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security


2016 Blog Update: Reviving my DFIR Corner

Happy New Year.

I wanted to take a minute to update my blog. It has been a while since I've blogged, and there is a lot of exciting stuff going on in my DFIR corner. I am reviving my blog and will post more often.

First, I am happy to report that beginning next week I will be teaching a Basic Cyber Crime and Computer Forensics evening course at a local university this semester. I am excited to begin teaching this undergraduate course to business, technology, and law enforcement majors. It's a perfect blend of student majors and backgrounds, which should create a good learning environment. During my law enforcement career, I taught recruits at the academy, and it's one thing I miss. Nowadays, in my forensic consultancy and caseload, I do not have much free time for instructional development, so it'll be nice to get back into the classroom one evening per week. Speaking of caseload, the last 3 weeks of 2015 and into 2016 have kept me busy. Casework is great, but it leaves little of the much-needed lab and testing time. If you understand the saying "feast or famine," then you must be a forensic consultant. Friend and fellow forensicator Hal Pomeranz wrote an excellent series several years ago about getting into the forensic consulting world. If you are looking into forensic consulting, make sure you check out Hal's series.

Second, on a recent IR engagement I was conducting triage-level analysis on a Windows 7 machine. If you are new to DFIR you may not be familiar with ShimCache. While I will not go into a high level of detail on this well-known artifact in this particular blog post, I wanted to highlight its importance in your intrusion and malware investigations. Corey Harrell has an excellent write-up on this artifact that you must read. According to Microsoft, the Windows Application Compatibility Infrastructure (the Shim Infrastructure) uses a form of API hooking so that applications written for one version of Windows keep working on the next. The ShimCache itself (AppCompatCache) lives in the SYSTEM registry hive, but the same compatibility infrastructure also leaves a file-based artifact on Windows 7: RecentFileCache.BCF, found in the C:\Windows\AppCompat\Programs\ directory. (Windows 8 and later replaced it with Amcache.hve.)


RecentFileCache.BCF stores the full local paths of executables recently executed on the system. The paths are stored as Unicode strings, so you can read the RecentFileCache.BCF file with a hex editor even without a parser. Note the word recently: the file is periodically purged (by the Application Experience ProgramDataUpdater scheduled task), so a single copy only reflects executions since the last purge. To reach further back, also pull copies of the file from Volume Shadow Copies (VSCs).


Harlan released rfc.exe and other tools with his WFA4e book release. Using HC's tool and XWF, I quickly identified malware in VSCs.


Usage: 

C:\forensics\rfc.exe %Path%\RecentFilecache.bcf 
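If you would rather not depend on a compiled tool when triaging a pile of VSC copies, the following is an added example (written for this post; it is not Harlan's rfc.exe and not code from the original blog) that parses a RecentFileCache.bcf image in Python and flags executables that ran from user-writable staging directories. The record layout it parses is an assumption of this example, since the post does not document the format: a 0x14-byte header, then records consisting of a 4-byte little-endian character count, the path as UTF-16LE, and a 2-byte null terminator. The sample file it builds and the list of suspicious directories are constructed for illustration.

```python
"""Parse RecentFileCache.bcf and flag executables run from user-writable paths.

Added example for this post, not code from it or from rfc.exe.  The record
layout below is an ASSUMPTION of this example (the post does not document the
format): a 0x14-byte header, then records of a 4-byte little-endian character
count, the path as UTF-16LE, and a 2-byte null terminator.
"""
import struct

HEADER_SIZE = 0x14  # assumed fixed header; the parser skips it

# Locations a legitimate executable rarely runs from on a workstation.
# Constructed triage heuristic: tune it for your environment.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\$recycle.bin\\",
)


def parse_rfc(data: bytes) -> list[str]:
    """Return every path recorded in a RecentFileCache.bcf image, in file order."""
    paths = []
    ofs = HEADER_SIZE
    while ofs + 4 <= len(data):
        (nchars,) = struct.unpack_from("<I", data, ofs)
        if nchars == 0:           # zero-length record: treat as end of data / padding
            break
        ofs += 4
        nbytes = nchars * 2       # UTF-16LE, two bytes per character
        if ofs + nbytes > len(data):
            break                 # truncated record (e.g. a partial carve): stop cleanly
        paths.append(data[ofs:ofs + nbytes].decode("utf-16-le"))
        ofs += nbytes + 2         # skip the string and its 2-byte null terminator
    return paths


def flag_suspicious(paths: list[str]) -> list[str]:
    """Subset of paths that sit under one of the SUSPICIOUS_DIRS prefixes."""
    return [p for p in paths if any(d in p.lower() for d in SUSPICIOUS_DIRS)]


def build_rfc(paths: list[str]) -> bytes:
    """Build a .bcf image in the assumed layout (used to construct test input)."""
    out = bytearray(HEADER_SIZE)  # zeroed header; contents are irrelevant to the parser
    for p in paths:
        enc = p.encode("utf-16-le")
        out += struct.pack("<I", len(enc) // 2) + enc + b"\x00\x00"
    return bytes(out)


# Constructed sample: three ordinary executions and one from a Temp directory.
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\notepad.exe",
    "C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\svch0st.exe",
    "C:\\Windows\\System32\\cmd.exe",
]
SAMPLE_BCF = build_rfc(SAMPLE_PATHS)


if __name__ == "__main__":
    import sys
    # Pass a real RecentFileCache.bcf (or a copy pulled from a VSC); otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BCF
    for p in parse_rfc(data):
        marker = "[!] " if flag_suspicious([p]) else "    "
        print(marker + p)
```

Run it against each RecentFileCache.bcf you export from the live volume and from every VSC, and diff the outputs: an entry that appears only in an older shadow copy is exactly the kind of short-lived dropper the periodic purge would otherwise hide from you.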

Links:

  1. RFC.exe by HC
  2. LRC: Brian Moran's Live Response Collection


References:

  1. ForensicsWiki: http://www.forensicswiki.org/wiki/Windows_Application_Compatibility
  2. Journey Into Incident Response: http://journeyintoir.blogspot.com/
  3. Windows Incident Response: http://windowsir.blogspot.com/


Well, that's all the time for now folks...


Faith. Family. Football. Forensics

DFIRSummit: FOR 408, DFIRNetWars, & DFIRSummit

I thought I would take a few minutes to share my thoughts regarding DFIR NetWars that SANS offers and a DFIRSummit prelude. For more information on DFIR NetWars visit http://www.sans.org/netwars

This week I am in Austin, TX taking FOR 408 with Rob Lee. We are having a good week and have a good class. What I always enjoy most about attending a SANS course or event is the plethora of talent in the DFIR community that attends these events and courses. Ovie, Rob, and Chad have put a lot into FOR 408. This course is NOT an introduction to Digital Forensics. It requires a core knowledge of Windows forensics. I have completed several courses in the SANS DFIR curriculum. When I first completed 508 six (6) years ago, 408 did not exist; it focuses on core Windows forensic analysis. Just as David Cowen points out in this week's Forensic Lunch, there are so many Windows artifacts that still require further testing and research. No matter if you are a veteran forensic examiner or new to the DFIR field, you will learn a lot from the FOR 408 course.

Day 1 of DFIRNetWars was earlier this evening, and I have just a few quick comments. It was an eye-opening experience for me and for others that I spoke to afterwards, many of whom were competing in DFIRNetWars for the first time, including myself. After Day 1, @CdtDelta is leading the competition (good job, Tom). DFIRNetWars is a fun, challenging competition that covers host-based forensics, network forensics, malware, and memory analysis. Early on in the competition, game stress got the best of me and I dropped out of the top 10 (it's a marathon, not a sprint). I found out quickly that I needed to slow down and get in my zone. Even if you have been doing forensics for years, competing in a cyber competition (like DFIRNetWars and others) is a great way to grade your current skill-set and get an idea of what you need to do to improve your forensic and IR processes. Smooth is fast...fast is smooth.

The SANS @ Night talks have also been great. I plan on completing a review in the form of a blog post and will share it right here.

If you are traveling later this weekend to the Summit, the XGames is going on here in Austin through the weekend. Follow #XGamesAustin, #DFIRNetWars and, of course, #DFIRSummit.