OMENS v2.11
OMENS v2.11 is completed and ready for download. I've gone through the code and changed the database routines to prevent some of the occasional hanging issues. I think I've squished that bug for good, but please let me know if you are still experiencing hangs with OMENS.
You can download OMENS v2.11 from here
DFIR 101
Well... My first Blog Post of 2015 is up. This year I'll be focusing my posts on DFIR 101 for Windows. I'll also be sticking to free tools that run on the Windows platform. I know the arguments for doing DFIR on Linux. They are decent arguments. But since this series of posts will be targeted at the beginner, I have decided to focus on Windows DFIR tools that run on Windows. I think you will be surprised at how many great tools are freely available!
In this first post I will cover the $MFT. What it is, and how to extract and parse it.
I hope you enjoy this series posts.
Happy Hunting.
Welcome to 2015
This year I am hoping I will have some time to write a few more blog posts. It's always hard for me to decide what I want to do with the small amount of spare time I have.
Right now I am imaging a drive, and so I have a few hours of time to fill.
I'd like to do more blog posts, and possibly a con presentation on DFIR 101 tools. I see a lot of information about artifacts, forensics, and DFIR tools - But nothing that really tells someone new to DFIR how and why to use a specific tool.
I have a few goto tools that I really like. I'll start with those, and then move on to some more obscure tools (if I get the time). I will try to limit my blog posts to Windows forensics tools that are free. This series of blog posts are not for the advanced investigator - so I will try to limit my blog posts to stuff that anyone can download and play with.
The first blog post I'll be working on is on parsing the $MFT.
Stay tuned for that post in the next couple weeks
OMENS v2.10 Beta
C'mon... Admit it...
You thought I'd dissapeared from the WeberNets. Or at least abandoned OMENS...
Neither could be further from the truth. I have been SWAMPED with DFIR work - And still found some time to take and pass the GCIH... In fact, I may be mentoring SANS Sec504 in 2015 if everything works out. But now I'm mostly caught-up with my work, and can get back to some of my projects.
Over the (2014) holiday season I had some time to add a new feature to OMENS. Now OMENS 2.10 can be configured to query the ShadowServer Bin Check Service database to see if any new or changed files are known-good binaries. ShadowServer is another amazing and free service. The ShadowServer Bin Check Service aggregates known-good hashes from several sources and makes them available via a simple HTTP query (JSON). I found this new feature critcal when my webserver binaries were updated recently, and I wanted to make sure the updates were legitimate.
When configured properly, OMENS can now use this great service to determine if a new or changed file is known to be good (even if it contains some questionable content).
Important Note: PLEASE check ShadowServers Terms Of Service before you configure this option. WE are very grateful for these free services and we ask that you use them in accordance with their Terms Of Service.
You can download OMENS v2.10 from here, but please remember this is still Beta. Caveat Emptor!
Disclaimer:
The views and opinions expressed here and throughout this web site are my own. They do not reflect the views or opinions of my employer, their clients, customers, or partners. I do not speak for them and they do not speak for me. The opinions and views expressed here represent my opinions at the time of writing, and can change without notice or warning.