Poweliks: Persistent Malware Living Only in the Registry? Impossible!

James Habben

The ultimate desire of malware authors is to have their code run every time a computer starts, and to leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it: disguise!

A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.

Tableau TD3 Forensic Imaging System: Raising the Bar Since 2012

Robert Bond

When Guidance Software originally released the Tableau TD3 forensic imaging system back in 2012, it was revolutionary. Forensic investigators had asked for and eagerly awaited innovations like the color touchscreen user interface, modular architecture, network imaging, and remote triage capabilities. The TD3 also supported write-blocked imaging of SATA, IDE, SAS, FireWire, USB 3.0, and iSCSI (network) storage devices. In 2013, Forensic 4Cast voters named it the Forensic Hardware Tool of the Year. Since its launch, the TD3 development team has relentlessly focused on adding new features, capabilities and options that help investigators get more work done faster, with more options. So if the last time you looked at TD3 was back in 2012, it may be time to take another look.

CEIC 2014 / EnCE Myth Busted

Thank the interwebs for making what was once old new again. Earlier this week, denizens of the #DFIR hashtag on Twitter dredged up an old blog post from May 2014 about CEIC 2014.

At the risk of provoking the Streisand effect, I'd like to offer a contrasting perspective on what I can only describe as an emerging conspiracy theory. Let's walk while we talk (in case someone is listening...).

So many artifacts, so little time… Summer edition

Ken Mizota

EnCase is an extensible digital investigation platform. Simply put, extensibility reduces time and effort for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensics' IEF? IEF and EnCase work together to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) collaborate to reduce IR time and effort. Let’s walk through a few ways extensibility works in your favor.

Working with EnScript and .NET/C#

Ken Mizota

The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript—a core EnCase technology—has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (@SimonDCKey) recent post on the OS X Quick Look Thumbnail Cache: the ability to mine, extract and work with critical data for your case is available now. This app, courtesy of Guidance Software Training, just happens to be free, enabling the DFIR community to take advantage. If you need to keep pace with the perpetually accelerating gap between data and the investigator’s ability to understand that data, having extensible, flexible tools in your kit is not optional.