Saturday, August 28, 2010

Kristinn Gudjonsson’s GIAC Gold Paper Released

Kristinn has announced that his GCFA gold paper entitled “Mastering the Super Timeline With log2timeline” has been released. You can get it here.

Kristinn and I are also back at work on the Adobe Flash Cookie research and tool development project, and we hope to have it wrapped up relatively soon.  The release of Flash Player 10.1 set my portion of the research back a little bit since there were some changes to how things work, but the fundamentals remain the same.

I have completed the file system tunneling research portion of the project, and that will be part of the final paper since it’s critical to understanding time and date issues with these artifacts. The universal response when I have approached various forensic gurus on the issue has been unfamiliarity.  It appears that file system tunneling was esoteric enough that it hadn’t appeared on anyone’s file system research radar until Kristinn and I ran into it during the course of our research.

Sometimes you just get lucky.
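The post doesn't describe the tunneling behavior itself, so here is an added demonstration (editor's example, not code from the post or from the log2timeline project). Windows file system tunneling, documented by Microsoft in KB172190 for both NTFS and FAT, keeps a short-lived cache entry when a file is deleted or renamed; if a file with the same name is created in the same directory inside that window (15 seconds by default, controlled by MaximumTunnelEntryAgeInSeconds under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem), the new file silently inherits the old file's creation time. That is exactly the kind of surprise that matters when a timeline treats the creation timestamp as the moment an artifact first appeared. The script assumes it is run on a Windows volume with tunneling at its defaults and that $env:TEMP is writable; the file name and directory are arbitrary choices for the demo.

```powershell
# Added demonstration of Windows file system tunneling (editor's example, not from the original post).
# Assumes an NTFS or FAT volume with default tunneling settings (15-second window) and a writable $env:TEMP.
$dir  = Join-Path $env:TEMP 'tunnel-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
# A unique name per run so a file left over from an earlier run cannot feed the cache.
$path = Join-Path $dir ("evidence-{0}.txt" -f (Get-Date -Format 'yyyyMMddHHmmss'))

# 1. Create the file and record its creation time.
Set-Content -Path $path -Value 'original'
$first = (Get-Item $path).CreationTime
Start-Sleep -Seconds 5

# 2. Delete it and, inside the 15-second tunnel window, create a new file with the same name.
Remove-Item $path
Set-Content -Path $path -Value 'replacement'
$second = (Get-Item $path).CreationTime

# 3. With tunneling active the replacement reports the ORIGINAL creation time even though it
#    was written about 5 seconds later; only LastWriteTime reflects the new write.
[pscustomobject]@{
    Step           = 'inside window'
    FirstCreation  = $first
    SecondCreation = $second
    Tunneled       = ($first -eq $second)
    LastWrite      = (Get-Item $path).LastWriteTime
}

# 4. Delete again, wait past the window, and recreate: the cache entry has expired, so this
#    file gets a genuinely new creation time.
Remove-Item $path
Start-Sleep -Seconds 20
Set-Content -Path $path -Value 'late replacement'
$third = (Get-Item $path).CreationTime
[pscustomobject]@{
    Step          = 'after window'
    FirstCreation = $first
    ThirdCreation = $third
    Tunneled      = ($first -eq $third)
}

# 5. Show the registry knobs that govern the behavior on this host (absent values mean defaults:
#    MaximumTunnelEntryAgeInSeconds = 15, MaximumTunnelEntries = 256; setting MaximumTunnelEntries
#    to 0 disables tunneling). Read-only here; changing them requires administrator rights and a reboot.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' |
    Select-Object MaximumTunnelEntryAgeInSeconds, MaximumTunnelEntries

Remove-Item $path
```

For an examiner the takeaway is the check in step 3: a creation time earlier than a file's last-write time is expected, but a creation time that predates the file's known first appearance in other sources (MFT record allocation, log entries, browser history) can be tunneling rather than tampering, and that ambiguity is what the super timeline's cross-source context helps resolve.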


There have been a lot of interesting items that I have run across recently that I’d like to share with the group.

The first is an EFF article on Apple’s efforts to patent spyware and what EFF terms “traitorware”. Your spider senses should start tingling when you read the article.

The second is a fantastic Brad Garnett SANS Blog post on report writing.  Report writing is an area that is critically important for digital forensic examiners to learn and master, but it’s a very neglected topic when it comes to digital forensic training.

Lastly, Brandon Gregg has an excellent article over at CSO Online on free and cheap tools to help manage investigations.  I found the last segment on “hypothesizing your investigation” to be particularly intriguing. 

1 comment:

  1. I've started reading over Kristinn's paper...so far, so good. The fact that timelines provide context was mentioned early, followed by the fact that a timeline can minimize the impact of "anti-forensics". I think that it's vitally important to constantly reiterate two very important points...not only does a timeline provide context to the data contained in the timeline, but it increases your relative level of confidence in the data, particularly in the face of anti-forensics.