Man Stalks Girl Online, Then Shows Up With Machete

Last year his 17-year-old daughter, whose identity we're protecting, met Patrick Daemon on MySpace. "He always kept saying he just wanted to be friends (with her)," says Lamb. "He just didn't get the picture of 'leave me alone.' He was pretty persistent."

As Daemon's interest in Lamb's daughter intensified, Lamb decided it was time to see what MySpace was all about. That day, Lamb's daughter showed her father Daemon's MySpace page with about 50 different pictures of her.

The family does not know where Daemon got them. The page also had captions like, "I like decapitating bodies," and "I'm going to cut her head off."

Read more from WOWT

Incident Response & Digital Forensics Seminar

Continuum Worldwide presents an Incident Response & Digital Forensics Seminar
Thursday, December 11 2008, 7:30am - 1:00pm
Sessions Include: A talk on policy that is guaranteed to keep you awake! Incident Response: What happens when reality gets in the way of your plan. Incident Response: Don't let your recovery destroy my evidence! Forensics: Why it always wins. Scott Conference Center - Click for more information Cost: $20 (payable day of event) --- Free for HTCIA Members! 7:30-8:00 Registration 8:00-12:00 Sessions Begin 12:00-1:00 Lunch To Register for this Event Click Here.

More Freeware Tools

There is a nice listing of some freeware security and forensic tools on Grand Stream Dreams including software for memory forensics, network forensics, and penetration testing. This is a great blog if you haven't checked it out yet.

November Meeting

Thanks to John Sharp for presenting and all others who attended the meeting last week. It was great to see a couple new faces! Please encourage other professionals to get involved as it will only strengthen the chapter.

There will be no meeting in December and the new board will take over in January. The chapter board for 2009 is:

President: Laurie John
1st VP: Bob Kardell
2nd VP: Lee Pierce
Treasurer: Don Kohtz
Secretary: Matt Churchill

Also, don't forget about the first Best of the Blog contest! As always, please feel free to email me with any other comments or suggestions.

Saved Password Locations

Many people ask me about the location in the Registry or file system that applications store the passwords. So I prepared a list of password storage locations for popular applications.
Be aware that even if you know the location of the saved password, it doesn't mean that you can move it from one computer to another. many applications store the passwords in a way that prevent you from moving them to another computer or user profile.

Read more from NirBlog

Gmail Security Flaw Proof of Concept

To understand how this exploit works let me first explain how I would carry it out (if I were a blackhat). Then we can move on and explain the exploit in detail. Let’s use a current example and assume that I was trying to steal MakeUseOf.com and I already knew it was registered by GoDaddy. Let’s also assume that I knew the owner’s Gmail address. I would want to create a filter like the one in the image above, where all email sent from GoDaddy Support was automatically deleted and forwarded to my email address.

Read more from GeekCondition.com

Pentagon Hit by Unprecedented Cyber Attack

"Due to the presence of commercial malware, CDR USSTRATCOM has banned the use of removable media (thumb drives, CDRs/DVDRs, floppy disks) on all DoD networks and computers effective immediately."

Read more from Fox News

Fed Blotter: Murder-For-Hire Plot Unfolds In Text Messages

When Tonia Mullins decided to hire a hit man to kidnap and murder her lover's wife, she didn't scour the local underworld dives or run an ad in Soldier of Fortune. She texted.

"Don't care who as long as they can in no way be traced 2 me or u guys through someone else," the 32-year-old Oklahoma woman texted a would-be intermediary. "Price is going 2 be the big factor here. What r we lookin at?"

Read more from Wired

NebraskaCERT Presentation

I did my presentation on Free Forensics Tools at the monthly NebraskaCERT Cyber Security Forum yesterday. You can download the slides here.

If you've never been to a monthly meeting or their annual conference, I highly suggest checking them out. They also conduct security certification training. Their website is www.nebraskacert.org.

More Deleted Keys Goodness!

Something to watch for...

While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometime by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used, said that it worked like a champ!

Read more from Windows Incident Response

Best of the Blog Contest

John E. Reid and Associates was nice enough to give our chapter a free seat to their 3-day Interview and Interrogation class anytime in 2009. I figured this would be a good time for a contest! So here is our first "Best of the Blog Contest":

To enter, write an original 500 word or so blog entry that we can post on our site. Topics can be varied but should focus on information security or digital forensics. All entries will be judged by three independent members of the Omaha InfoSec community that haven't joined HTCIA yet. The judges will vote on their favorite posts and award the free pass to the winner.

The pass is good until the end of 2009, so the deadline for submissions will be Dec 31st, 2008 and the winner will be announced on January 15th, 2009. Only Nebraska HTCIA members can win, although everyone else is encouraged to contribute content.

Good luck!

My current impression of cell phone forensic tools

With computer forensics, you have different makes and models of computers and it generally has little effect on the analysis phase because how they each operate is standardized and follow a set of design specifications. Whereas in cell phone forensics, each cell phone manufacturer could be using their own proprietary operating system and each phone may operate completely different from other models by the same manufacturer. This makes developing an all-inclusive tool that can support all the manufacturers and models of phones very difficult and is something like hitting a moving target traveling at 200mph. By the time you develop a tool to deal with a specific phone, 5 more new ones have been released that don't follow the same standard(s).

Read More from Computer Forensics, Malware Analysis & Digital Investigations

I will be presenting at this month's NebraskaCERT Cyber Security Forum. If you want the low down on "Free Forensic Tools" hit the link below and sign up to attend. You can always download the presentation later in the month if you can't make it that day.

http://www.nebraskacert.org/CSF/

Once Thought Safe, WPA Wi-Fi Encryption Is Cracked

Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

Read more from PCWorld

Physical Data Recovery Training

Is anyone interested in this training? I'd love to bring this class to Omaha, but at least eight people have to attend for that to happen. I've heard nothing but good things about the class. Shoot me an email or mention in the comments if you'd like to attend.

http://www.myharddrivedied.com/presentations_classes.html

InfoSec Job Posting

Continuum Worldwide is looking for an Information Security Consultant.

View the job posting on CareerBuilder or search for job number 015372 at http://www.mutualofomaha.com/careers/

November Meeting

Our next meeting will be:

Thursday, November 20th, 10:30am
Continuum Worldwide
11422 Miracle Hills Drive, Suite 500
Omaha, NE 68154

John Sharp from the Baird Holm law firm will present and we will also announce the new board members for 2009.

Online System Security Scanners

Or in the case of a few online scanning services...they are dead-useful resources when working with a potentially compromised file that may not be registering with your installed anti-virus application, and you want peace-of-mind before opening it.

Or you might be getting what you think is a false-positive return of a file you a very sure is legitimate...but want a second opinion before progressing.

There are a number of lists out there like this one. I've tried to collect them together and group them by subject in an informative way.

Read more from Grand Stream Dreams

Shellbags Registry Forensics

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect’s USB stick that you didn’t get looked like? Read on!

The data is stored as binary blobs under the following registry keys:

• HKCU\Software\Microsoft\Windows\Shell\BagMRU
• HKCU\Software\Microsoft\Windows\Shell\Bags
• HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
• HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

Read More from SANS Forensic Blog