Suggested Blog Reading – Monday July 9th, 2007

Just got back from a very enjoyable bachelor party in Ottawa over the weekend and I feel recharged. Funny how some downtime fixes you up 🙂

Here’s the list

AFF for Windows – Interesting…I’ll have to give it a shot.

Since version 2.3 the shared libraries and utility programs which implement the Advanced Forensic Format (AFF), are also available for the Microsoft Windows platform.

AFF is meant to be an open-source, extensible alternative to proprietary forensic image file formats. Beside the main program library, afflib, the package comes with the following utility programs:

* afconvert converts AFF into RAW/ISO and vice-versa
* afcopy copies a forensic image and verifies the resulting file
* affix attempts to repair a corrupted forensic image
* afinfo provides some information about the forensic image
* afstats calculates some statistics, e.g. the amount of data contained in an AFF image and the compression ratio
* aimage creates a new forensic image

ARP Spoofing in Real Life – Richard is right. This is probably one of the hardest attacks for students or people new to security to visualize actually happening and it’s great that a documented example is available.

Sometimes I wonder if students are thinking “That is so old! Who does that anymore?” In response I mention last year’s Freenode incident where Ettercap was used in an ARP spoofing attack.

Thanks to Robert Hensing’s pointer to Neil Carpenter’s post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat class, both of which are now officially full.

“Good Practice Guide for Computer-Based Electronic Evidence” Updated – I would think this would also be very good for organizations who interact with law enforcement on a regular basis.

The Association of Chief Police Officers in co-operation with 7Safe released an updated edition of their Good Practice Guide for Computer-Based Electronic Evidence.

On 66 pages the free guide provides background information, flowcharts and sample questions to aid in the investigation of computer-related crimes. While it is primarily intended to be used by police officers, the guide is also helpful for investigators working within the private sector.

Vista security events get noticed – Notice how he says “for most security events”? My developers have noticed lately that Microsoft documentation has a lot of “most” scenarios where log files have more columns than documented and examples show what should happen “most of the time”.

Doriansoft noticed that there’s a relationship between our pre-Vista security event IDs and our Vista-era security event IDs.

For most security events:
VistaEventId = PreVistaEventId + 4096

Why is this?

We needed to differentiate the Vista events from the pre-Vista events, because we were significantly changing the event content and didn’t want to break automation. However we wanted to preserve the knowledge that security professionals already had in their heads about security events, so we wanted to make sure that there was a relationship between old and new event IDs.

We decided to offset the old IDs by some constant to get the new IDs. I wanted to offset them by a decimal number (say 6000, so 528 would become 6528, etc.). However event IDs are declared in hex in the source code and are all 3 digits long (528 = 0x210), and Raghu, my developer, wanted to conserve effort, and he won that battle so we added 0x1000 (4096) to the existing event IDs.
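The +0x1000 offset above is handy when a detection rule written against XP/2003 event IDs has to keep working on Vista-era logs. The following is an added example, not code from the quoted post: it translates a legacy rule's IDs with the offset, keeps an explicit table for events that did not follow the rule (517 to 1102 is assumed here as the illustration of the "most" qualifier), and matches constructed sample log lines from both eras.

```python
import re

VISTA_OFFSET = 0x1000  # 4096 decimal, the constant the Windows team settled on

# Events that did not follow the plain offset (the "most" in the post).
# 517 -> 1102 (audit log cleared) is an assumed entry for illustration.
EXCEPTIONS = {517: 1102}


def to_vista_id(pre_vista_id: int) -> int:
    """Vista-era ID for a pre-Vista security event ID (e.g. 528 -> 4624)."""
    if pre_vista_id in EXCEPTIONS:
        return EXCEPTIONS[pre_vista_id]
    if not 0 < pre_vista_id < VISTA_OFFSET:  # pre-Vista IDs are 3 hex digits
        raise ValueError(f"{pre_vista_id} is not a 3-hex-digit pre-Vista ID")
    return pre_vista_id + VISTA_OFFSET


def equivalent_ids(legacy_ids) -> frozenset:
    """Legacy IDs plus their Vista-era counterparts, for mixed-era log sets."""
    return frozenset(legacy_ids) | frozenset(to_vista_id(i) for i in legacy_ids)


# A rule written against XP/2003 IDs: failed logon, account lockout, log cleared.
LEGACY_RULE = {529, 644, 517}

# Constructed sample lines in a simplified key=value export (not real logs).
SAMPLE_LOG = """\
2007-07-08 10:01:02 host=xp-ws01 EventID=529 user=alice
2007-07-08 10:01:05 host=vista-ws02 EventID=4625 user=alice
2007-07-08 10:02:00 host=vista-ws02 EventID=1102 user=bob
2007-07-08 10:03:00 host=xp-ws01 EventID=528 user=carol
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+)")


def match_rule(log_text: str, legacy_ids) -> list:
    """Return (host, event_id, user) for lines hitting the rule in either era."""
    wanted = equivalent_ids(legacy_ids)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["eid"]) in wanted:
            hits.append((m["host"], int(m["eid"]), m["user"]))
    return hits


if __name__ == "__main__":
    print(f"528 -> {to_vista_id(528)} (0x{528:x} + 0x1000 = 0x{to_vista_id(528):x})")
    for hit in match_rule(SAMPLE_LOG, LEGACY_RULE):
        print(hit)
```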

CarvFS at Work – Documentation is good but examples are always a bonus! Good work.

“Chopstick” published two articles about CarvFS in his blog Chirashi Security.

His first post describes the installation of CarvFS on Ubuntu Linux. He also installs libewf in order to access disk images in Expert Witness format, which is normally used by EnCase.

Just to give us an example of how CarvFS works, a second article shows the examination of a memory card.
