Monday, June 18, 2007

Windows Vista Forensic Artifacts

I recently presented at CEIC 2007 on Microsoft Windows Vista forensics. The presentation was a brief overview of new features and artifacts that Vista creates as well as some changes in the way Vista does certain things, such as Windows Mail, the recycle bin, etc.

The presentation can be viewed here:
Download Here

Wednesday, June 6, 2007

Extracting quarantined files from Norton 7.5 in EnCase

When Norton 7.5 (Corporate) finds a file it recognizes as malware and quarantine is enabled, it XOR-encrypts that file and renames it with a .VBN extension. During an investigation it is important to examine the quarantine logs and extract any quarantined files so you can obtain a hash and perform an analysis.

Because a quarantined file is stored XOR-encrypted by Norton, it will not be detected by an external AV scan or matched by any type of hash analysis: the bytes on disk, and therefore the hash, no longer correspond to the original file.

This EnScript recurses through all files with a .VBN extension, decrypts each one and exports it so you can scan it or obtain a hash.
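The same recover-then-hash workflow outside EnCase, as an added example that is not the EnScript from this post: it walks a quarantine directory, XOR-decodes every .VBN file, writes the plaintext to an export directory and returns the hash of both the quarantined and the decoded bytes, which makes the point above visible (the quarantined hash never matches the original). The single-byte key 0x5A and the zero-length header offset are assumptions, not values stated on the page; check them against a known sample before relying on the output.

```python
"""
Added example (not the blog's EnScript): recover XOR-encoded Norton/Symantec
quarantine files (.VBN) so the original content can be hashed and scanned.

Assumptions, labelled as such: the quarantine encoding is a single-byte XOR,
the key defaults to 0x5A, and an optional fixed-length quarantine header may
precede the payload (HEADER_LEN, default 0). Verify both against your own
sample; they are not taken from the blog post.
"""
import hashlib
import tempfile
from pathlib import Path

DEFAULT_KEY = 0x5A   # assumption: single-byte XOR key used by the quarantine store
HEADER_LEN = 0       # assumption: bytes of quarantine metadata before the payload


def xor_bytes(data: bytes, key: int = DEFAULT_KEY) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse,
    so the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_quarantine(quarantine_dir, export_dir,
                       key: int = DEFAULT_KEY, header_len: int = HEADER_LEN) -> dict:
    """Recurse through quarantine_dir for *.VBN files (case-insensitive),
    decode each one, write the plaintext into export_dir and return
    {vbn_name: {"quarantined_sha256": ..., "decoded_sha256": ..., "exported": ...}}.
    Hashing the decoded bytes gives the value an external scanner or hash
    set would have matched before the file was quarantined."""
    quarantine_dir = Path(quarantine_dir)
    export_dir = Path(export_dir)
    export_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for vbn in sorted(quarantine_dir.rglob("*")):
        if not vbn.is_file() or vbn.suffix.lower() != ".vbn":
            continue                      # only quarantine containers are decoded
        raw = vbn.read_bytes()
        decoded = xor_bytes(raw[header_len:], key)
        out = export_dir / (vbn.stem + ".decoded")
        out.write_bytes(decoded)
        results[vbn.name] = {
            "quarantined_sha256": sha256_hex(raw),
            "decoded_sha256": sha256_hex(decoded),
            "exported": str(out),
        }
    return results


def demo() -> dict:
    """Build a constructed quarantine store in a temporary directory (harmless
    text standing in for a quarantined binary) and run the extractor over it."""
    sample = b"CONSTRUCTED SAMPLE - not real malware\x00\x01\x02\xff"
    with tempfile.TemporaryDirectory() as tmp:
        qdir = Path(tmp) / "Quarantine" / "sub"
        qdir.mkdir(parents=True)
        # constructed .VBN: the sample XOR-encoded exactly as the store would keep it
        (qdir / "ABC12345.VBN").write_bytes(xor_bytes(sample))
        (qdir / "notes.txt").write_bytes(b"ignored: not a .VBN file")
        results = extract_quarantine(Path(tmp) / "Quarantine", Path(tmp) / "export")
    return {"original_sha256": sha256_hex(sample), "results": results}


if __name__ == "__main__":
    report = demo()
    print("original :", report["original_sha256"])
    for name, info in report["results"].items():
        print(name, "quarantined:", info["quarantined_sha256"])
        print(name, "decoded    :", info["decoded_sha256"])
```

Run it against a real quarantine folder with `extract_quarantine("C:/path/to/Quarantine", "./export")`; if the decoded files do not look like valid executables, adjust `key` and `header_len` for the product version in hand.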


Download Here

Saturday, June 2, 2007

Command line IR tools

I am frequently asked during training events and engagements whether I have a list of the command line tools I use for incident response. I commonly use EnCase for incident response, but I have needed various command line tools in the past, so I put together a spreadsheet listing each tool, what it does and where to find it:

Download Here

Computer Forensics, Malware Analysis & Digital Investigations
