Monday, 31 March 2014

So many Computer Forensics tools but no time

Do you want to get your hands in Computer Forensics but you don't really know where to start. Are you looking for a tool that does a specific job but you don't know which one to download and use. Forensic Control [1] have a list of free tools as a free resource for all. The tools are grouped in categories and a detailed description allows you to find what you are looking for. 

The main categories of the tools you can find are:

  • Disk tools and data capture
  • Email analysis
  • General tools
  • File and data analysis
  • Mac OS tools
  • Mobile devices
  • File viewers
  • Internet analysis
  • Registry analysis
  • Application analysis
  • Abandonware




[1] https://forensiccontrol.com/resources/free-software/

Monday, 24 March 2014

Booby-trapped documents in Rich Text Format are being used for targeted attacks


There are booby-trapped documents being circulated in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word [CVE-2014-1761]. 

Microsoft Advisory published on Monday 24/Mar/2014 (2953095) [2] warns about the Vulnerability in Microsoft Word which could allow Remote Code Execution. A Temporary fix is available by Microsoft [3].

[1] ​http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/

[2] http://technet.microsoft.com/en-us/security/advisory/2953095

[3] https://support.microsoft.com/kb/2953095

Sunday, 23 March 2014

SANS Investigate Forensic Toolkit (SIFT) Workstation Version 3.0

SANS SIFT 3.0 Virtual Machine Released [1]

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

[1] http://digital-forensics.sans.org/blog/2014/03/23/sans-sift-3-0-virtual-machine-released

Friday, 28 February 2014

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals. 

Saturday, 22 February 2014

Apple's SSL/TLS Bug


Yesterday, Apple pushed a rather spooky security update [1] for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details​. 

A very quick test site for testing if you are vulnerable to this bug (use Safari browser) can be found here: https://www.imperialviolet.org:1266 

Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.

[1] http://support.apple.com/kb/HT6147