This topic is not brand new, there exists plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific
Category: Forensics
Online Router Forensics Lab
When my friend Didier Stevens contacted me last year to help him with a BruCON 5×5 project, I simply could not decline! Didier developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Toolkitâ€). It is written in Python and provides a
Are You Playing “Cold Case” with Your Logs?
Two days ago, I attended an event about “big data” (yeah, another buzz word) and how to use it for security purposes. One of the presented talks was very interesting and almost changed my mind about our best friends (or nightmare)… logs! When I’m talking about log management with customers,
Your Car Knows a Lot About You!
I got a new company car. W00t! After the basic welcome-tour of the different options, I went deeper and reviewed the on-board computer configuration options. Today, modern cars integrate multimedia interfaces to manage information from several sources: GPS coordinates (past as well as present) Phone books synchronized from phones over
Analyzing your Pcap Files with the Cloud
pcapr.net is a cloud (again!) service available for a while. Basically, it’s a repository of pcap (“packet capture”) traces uploaded by members. The packets are dissected and presented in a human readable form. Once inspected and indexed, a search engine helps you to find interesting traces using a simple syntax
Belgium will have its Own Cybercrime Competence Center?
As I wrote in a previous blog post, I went to the FIC2010 conference last week. One of the talks I attended was about the “2centre” initiative. 2centre (“2c” for “cc”) means “Cybercrime Centers of Excellence Network for Training, research and Education“. Those centers of excellence focus on law enforcement.
What’s Behind Microsoft COFEE?
It was announced a few days ago: Microsoft COFEE has been leaked on the wild Internet! Microsoft COFEE stands for “Computer Online Forensic Evidence Extractor“. This “forensic swiss army knife” is available for free to police forces around the world to conduct official forensics investigations. Note: It’s reportedly illegal for
Secure Amsterdam Workshop 2009 Review
Back from a one-day trip to Amsterdam where I attended the “Secure Amsterdam Workshop 2009” meeting organized by ISC2. This year topic was forensics IT investigations. The first speaker was Matthijs van der Wel from Verizon Business who reviewed the 2009 Data Breach Investigations Report. It was interesting to have
Forensics: Reconstructing Data from Pcap Files
Sometimes during forensics investigations, it can be useful to recover deleted or temporary files transferred by users and/or processes with protocols like FTP or HTTP. Let’s see how to achieve this using pcap files! libpcap is an API which provides network packets capture facilities. Very common on Unix, there is