geschonneck.com » Forensics

Windows Memory Forensics Tools

Alexander Geschonneck — Tue, 23 Dec 2008 20:32:58 +0000

SANS recently published a good summary of Windows memory forensics acquisition and analysis tools. It’s a good compilation of must have tools for the right occasion.

SANS forensics

new linux incident response script

Alexander Geschonneck — Sat, 18 Oct 2008 10:53:05 +0000

We updated the ForensiX Linux Incident Response Script. You can find the new version at my german site http://computer-forensik.org/tools/ix/ix-special/.

open forensics jobs

Alexander Geschonneck — Sat, 18 Oct 2008 10:13:28 +0000

I have some open positions in my german forensics & discovery team. Please

take a closer look at the following job postings:

Senior Consultants (m/w) Forensic Technology & Discovery Services

and

Consultants (m/w) Forensic Technology & Discovery Services

ch-ch-ch-changes

Alexander Geschonneck — Sat, 05 Jul 2008 08:46:07 +0000

After ten happy and successful years with HiSolutions, I’m now with the Ernst & Young Fraud Investigation & Dispute Services department. I’m leading as a senior manager the Forensic Technology & Discovery Services unit in Germany. And yes, we’re hiring

Anonymous Quote

Alexander Geschonneck — Wed, 21 May 2008 16:53:14 +0000

“If you’re a good hacker…everybody knows.
If you’re a GREAT hacker…nobody knows.”

3rd edition of my book

Alexander Geschonneck — Sun, 04 May 2008 06:47:35 +0000

3rd Edition of “Computer-Forensik. Computerstraftaten erkennen, ermitteln, aufklären.”

The new revised edition of my book on computer forensics in German language is available.

For detailed information and the TOC check out computer-forensik.org or go directly to amazon.

computer forensics workshops in Berlin and Frankfurt

Alexander Geschonneck — Fri, 04 Apr 2008 15:00:33 +0000

In collaboration with the german IT journal iX I’m going to give again computer forensics lessons in Frankfurt and Berlin.

05. – 06. June 2008, Frankfurt/M.
12. – 13. June 2008, Berlin

More information on my computer forensics website or the iX conference website.

Vista Forensics Slides

Alexander Geschonneck — Thu, 06 Mar 2008 14:21:23 +0000

I pulished my Vista Forensics slides on my german computer forensics website.

Link to computer-forensik.org

Bypassing a Windows login password with forensic tools

Alexander Geschonneck — Sun, 24 Feb 2008 13:37:40 +0000

Lance Mueller published a good article about bypassing a Windows login password with forensic tools . You can use his instructions if you plan to boot an Windows image within a virtual machine and like to login.The other way is of course attacking the password hash with rainbow tables. But sometimes this is not the best option.

Read the full story on Lance’s blog.

frozen memory aquisition

Alexander Geschonneck — Fri, 22 Feb 2008 15:33:09 +0000

Cool stuff from Princeton researchers. They published a paper “Cold Boot Attacks on Encryption Keys” and showed that whole disk encryption can be defeated by relatively simple methods. They demonstrated their methods by using them to defeat three disk encryption products: BitLocker, FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux.

Link to the project with sample video

Insider Threat Research

Alexander Geschonneck — Mon, 28 Jan 2008 17:25:28 +0000

CERT and the United States Sectret Service published an insider threat research that focuses on both technical and behavioral aspects of actual compromises. The key findings are

Current and former employees carried out insider activities in nearly equal numbers.
Sixty-three percent of the insiders held technical positions within the targeted organizations.
Thirty-eight percent of insiders had prior arrests.
A specific work-related event triggered most (73%) insiders’ actions.
The majority (76%) of insiders planned their activities in advance.
Half (50%) of the insiders had authorized access to the system/network at the time of the incident.
Over half (58%) of the insiders used relatively sophisticated tools or methods for their illicit activities, including scripts or programs, autonomous agents, toolkits, probing, scanning, flooding, spoofing, compromising computer accounts, or creating unauthorized backdoor accounts.
Insiders committed their illicit activities both from the workplace (51%) and remotely (43%) in nearly equal numbers.
The incidents took place during (51%) and outside (49%) normal working hours in nearly equal numbers.
Most (80%) of the insider incidents were only discovered through manual (non-automated) detection of an irregularity or failure of an information system.
The majority (74%) of the insiders took steps to conceal their identities and their activities.

http://www.cert.org/insider_threat/

Talk about Windows Vista Forensics

Alexander Geschonneck — Sat, 29 Dec 2007 10:52:50 +0000

I’m going to talk about Windows Vista Forensics at the DFN-CERT workshop. The workshop will be held on Februray 13 and 14, 2008 in Hamburg, Germany.

You can find the full program and registration information here.