Rogue DBA's article
Pete Finnigan's website has a collection of papers, including a recent one on securing Oracle.
Wednesday, July 29, 2009
How to dismantle a nuclear bomb
Link from BBC website on how to dismantle a nuclear bomb without giving away any secrets.
Sunday, July 19, 2009
NetWitness Investigator
NetWitness
Seen this product before, but every time I play with it, it seems to have more and more in it. It would be a useful product for near real-time analysis of network traffic. I don't think it has the ability to read traffic direct from the wire, certainly not in the free version. You could use something like DaemonLogger to provide continuous 50Mb pcap files for analysis.
It has a nice interface that seems relatively intuitive to use.
Apparently PhoenixDatacom are the UK suppliers of it, so at least it's easy to get a look at.
Labels:
forensic,
netwitness,
network
Saturday, July 18, 2009
USB Device Forensics
Taken from Windows Incident Response by Keydet89
I posted to the Win4n6 Yahoo Group on USB removable storage devices and tracking connections, and got some really good confirmation from Rob Lee, so I thought I'd share it here, as well.
So, when I was writing WFA 2/e, I did some testing and found that when connecting a USB removable storage device to a system, beneath the unique instance ID key (under the DeviceClasses key), a Control subkey was created, and when the device was disconnected, the Control subkey was deleted. The creation/deletion of this subkey constitutes a modification to the unique instance ID key, updating the key's LastWrite time and allowing us to track the usage of the device.
However, there appear to have been changes to this functionality since then, and Rob's more expansive testing has confirmed my own. Essentially, if you sit down to a running system (XP SP2 or 3, Vista, Windows 7), and plug in a USB removable storage device (even one that's been previously connected to that system), you'll see the Control subkey created...but when you disconnect the device, the Control subkey will remain until the system is rebooted. Rob has confirmed that this LastWrite time survives logins, as well.
So, now the LastWrite time on the unique instance key refers to the time that the device was last connected to the system, which is an important distinction to make when performing analysis of the usage of these devices. This requires further testing for more complete confirmation, but this is how things appear at this time. Shout outs to Rob Lee for the testing on this!
So this should give us a bit more on when a device was last connected, and we should look to automate checking it if possible.
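As an added example (not code from the original post or from Keydet89's blog), the following PowerShell script automates the check the quoted text describes on a live Windows system: it walks the USB storage device-interface keys under DeviceClasses, reads each key's LastWrite time (the value the post says now reflects the last connection), and reports whether the Control subkey is still present, which per the post means the device has been connected since the last reboot. Assumptions of mine, not from the post: the interface keys sit under the disk interface class GUID {53f56307-b6bf-11d0-94f2-00a0c91efb8b}; the Control subkey may sit directly under the instance key or one level down; the script runs as Administrator on Windows PowerShell 3 or later (.NET 4, for RegistryKey.Handle) where Get-WmiObject is available.

```powershell
# Added example, not code from the original post or from Keydet89's blog.
# Reports USB storage device-interface keys under DeviceClasses with each
# key's LastWrite time (last connection, per the post) and whether the
# Control subkey is present (device connected since the last reboot).
# Assumptions: disk interface class GUID below; PowerShell 3+/.NET 4;
# Get-WmiObject available (Windows PowerShell 2-5); run as Administrator.

$DiskInterfaceClassGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

# .NET's RegistryKey does not expose a key's LastWrite time; RegQueryInfoKey does.
$Signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    System.Text.StringBuilder lpClass,
    ref uint lpcchClass,
    IntPtr lpReserved,
    out uint lpcSubKeys,
    out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen,
    out uint lpcValues,
    out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor,
    out long lpftLastWriteTime);
'@
Add-Type -MemberDefinition $Signature -Name NativeMethods -Namespace UsbForensics

function Get-RegistryKeyLastWriteUtc {
    param([Parameter(Mandatory = $true)][Microsoft.Win32.RegistryKey]$Key)
    $class    = New-Object System.Text.StringBuilder 256
    $classLen = [uint32]256
    $subKeys = $maxSubKey = $maxClass = $values = $maxName = $maxValue = $sdLen = [uint32]0
    $fileTime = [long]0
    $rc = [UsbForensics.NativeMethods]::RegQueryInfoKey(
        $Key.Handle, $class, [ref]$classLen, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$maxSubKey, [ref]$maxClass, [ref]$values,
        [ref]$maxName, [ref]$maxValue, [ref]$sdLen, [ref]$fileTime)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed on '$($Key.Name)' with Win32 error $rc" }
    # LastWrite is a FILETIME: 100 ns intervals since 1601-01-01 UTC
    return [DateTime]::FromFileTimeUtc($fileTime)
}

function Get-LastBootUtc {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return $os.ConvertToDateTime($os.LastBootUpTime).ToUniversalTime()
}

function Test-ControlSubkey {
    # Per the post, connecting the device creates a 'Control' subkey that now
    # persists until reboot. Assumption: it may sit directly under the instance
    # key or under one of its children, so both levels are checked.
    param([Parameter(Mandatory = $true)][Microsoft.Win32.RegistryKey]$Key)
    $children = @($Key.GetSubKeyNames())
    if ($children -contains 'Control') { return $true }
    foreach ($child in $children) {
        $c = $Key.OpenSubKey($child)
        if ($c) {
            $found = @($c.GetSubKeyNames()) -contains 'Control'
            $c.Close()
            if ($found) { return $true }
        }
    }
    return $false
}

function Get-UsbStorageInterfaceActivity {
    $basePath = "SYSTEM\CurrentControlSet\Control\DeviceClasses\$DiskInterfaceClassGuid"
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($basePath)
    if (-not $base) { throw "Key not found: HKLM\$basePath" }
    $lastBoot = Get-LastBootUtc
    foreach ($name in $base.GetSubKeyNames()) {
        # Interface keys for USB storage carry the USBSTOR enumerator in their name
        if ($name -notmatch 'USBSTOR') { continue }
        $instance = $base.OpenSubKey($name)
        if (-not $instance) { continue }
        $lastWrite  = Get-RegistryKeyLastWriteUtc -Key $instance
        $hasControl = Test-ControlSubkey -Key $instance
        $instance.Close()
        New-Object PSObject -Property @{
            InstanceKey            = $name
            LastWriteUtc           = $lastWrite
            LastBootUtc            = $lastBoot
            ControlSubkeyPresent   = $hasControl
            ConnectedSinceLastBoot = $hasControl -or ($lastWrite -gt $lastBoot)
        }
    }
    $base.Close()
}

Get-UsbStorageInterfaceActivity |
    Sort-Object LastWriteUtc -Descending |
    Format-Table InstanceKey, LastWriteUtc, ControlSubkeyPresent, ConnectedSinceLastBoot -AutoSize
```

The script only reads the registry and WMI; it writes nothing, so running it on a live system does not itself update any LastWrite time. As the quoted text cautions, the behaviour is still under testing, so treat the ConnectedSinceLastBoot column as an indicator to be corroborated with other artefacts (setupapi logs, USBSTOR keys, event logs) rather than as proof on its own.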
Labels:
forensic,
incident response,
usb
Social Media Staff Policies
A good blog to read for social media policies, if for nothing else than the well put together graphics!