Tuesday, November 13, 2012

Windows Memory Forensics Training for Analysts by Volatility Developers

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. 

Please see the following details about the upcoming training event:

Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.

Overview:

The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, makes it possible to link artifacts from traditional forensic analysis (network, file system, registry), and surfaces investigative leads that most analysts never see. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with anti-forensics techniques, memory-resident malware, kernel rootkits, encryption (file systems, network traffic, etc.), and Trojan defenses. The only way to turn the tables and defeat a creative human adversary is through talented analysts.

This course will demonstrate why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand.  The course will consist of lectures on specific topics in Windows memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Exercises will require analysis of malware in memory, kernel-level rootkits, registry artifacts found in memory, signs of data exfiltration, and much more. This course is your opportunity to learn these invaluable skills from the researchers and developers that have pioneered the field.  This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.

Who should attend?

This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries.

Course Prerequisites
  • It is recommended that students have some experience with the Volatility Framework.
  • Students should possess a basic knowledge of digital investigation tools and techniques.
  • Students should be comfortable with general troubleshooting of both Linux and Windows operating systems (setup, configuration, networking).
  • Students should be familiar with popular system administration tools (e.g. the Sysinternals utilities).
  • Students should be familiar and comfortable with using the command line.
  • Students should have a basic understanding of Python or a similar scripting language.
Course Structure

This is a 5-day course composed of both classroom learning and hands-on training exercises and scenarios.  All course material, lunches, and coffee breaks will be provided (If you have unique dietary restrictions, please make them known during registration).

Course Requirements

In order to fully participate in the course, students are required to bring a properly pre-configured laptop.  Students are encouraged to bring laptops that can run both Linux and Windows, where either instance is virtualized based on student preference.  It is the student's responsibility to make sure the laptop is configured prior to the beginning of the course.  There is no time built into the course schedule to help people configure machines, so please make sure your laptop has been properly configured before showing up for class.

Minimum Hardware Requirements:
        2.0 GHz CPU
        4 GB of RAM
        20 GB of disk space
        DVD-ROM drive
        USB 2.0 ports
        Wireless Network Interface Card

Software Requirements:
        Python 2.6 or 2.7
        Microsoft Windows Debugger
        VMware Workstation 6/Fusion 3 or higher
        7-Zip (or ability to decompress zip, gzip, rar, etc)
        Wireshark

Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.

Course Fee:

The cost of the course is $3500. Law enforcement, government, and educational discounts are available.

Registration:

To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.

Other Course Benefits:

Students will be supporting open source development (Volatility)
Preparation for the Advanced Memory Analyst Certification (AMAC)

Monday, November 12, 2012

ACSAC 2012

I will be teaching a full day course on Windows Forensics and IR at Annual Computer Security Applications Conference (ACSAC) on December 4th at the Buena Vista Palace Hotel & Spa in Orlando, FL. There is still time to sign up for the conference and/or training and it looks like a good program this year.

Saturday, September 29, 2012

Week 3 of the Month of Volatility Plugins posted!

Cross listed from Andrew Case's blog:

I was writing to announce that week 3 of the month of Volatility plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection as well as a bonus plugin that analyzes Internet Explorer browsing history. These have all been posted on the Volatility Labs blog.

Post 1: Detecting Malware Hooks in the Windows GUI Subsystem

This Windows focused post covers detecting malware hooks in the Windows GUI subsystem, including message hooks and event hooks, and what effects these hooks can have on a compromised system.

http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html


Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes

This Windows focused post covers finding and recovering shellbags from memory, the forensics importance of shellbags, and analyzes the effects of anti-forensics on shellbag timestamps. It concludes with covering the traces left in shellbags by TrueCrypt.

http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html


Post 3: Analyzing USER Handles and the Win32k.sys Gahti

This Windows focused post introduces two new plugins, one named gahti that determines the various different types of USER objects on a system and another named userhandles which traverses the handle table entries and associates them with the owning processes or threads.

http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html


Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?

This Windows focused post covers recovery of the Windows clipboard from physical memory.

http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html


Post 5: Analyzing the 2008 DFRWS Challenge with Volatility

This Linux focused post analyzes the 2008 memory challenge with Volatility. It walks through the artifacts produced by the winning team and shows how to recover the same information with Volatility. It then shows plugins in Volatility that can recover artifacts not produced by the winning team.

http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html


Bonus Post: HowTo: Scan for Internet Cache/History and URLs

This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.

http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html

If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.  

Friday, September 21, 2012

Week 2 of the Month of Volatility Plugins posted!

It's been an exciting week in the Volatility community.  We've just finished our second week of Month of Volatility Plugins (MoVP) blog posts, released Volatility 2.2 RC2 for testing, fixed a few minor bugs and now we're gearing up for our third week of posts and the upcoming Open Memory Forensics Workshop (OMFW).  Here is a list of this week's posts, compiled by Andrew Case:

I was writing to announce that week 2 of the month of Volatility plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.

Post 1: Atoms (The New Mutex), Classes and DLL Injection


This Windows focused post covers investigating malware and understanding infections by analyzing the atom tables.

http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html

Post 2: Malware in your Windows

This Windows focused post covers enumerating and analyzing windows in the GUI subsystem.

http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html

Post 3: Event logs and Service SIDs

This Windows focused post demonstrates recovering event logs from memory and calculating service SIDs.

http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html

Post 4: Analyzing the Jynx rootkit and LD_PRELOAD

This Linux focused post covers analyzing the Jynx rootkit as well as generic methods for analyzing LD_PRELOAD based rootkits.
http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html

Post 5: Investigating In-Memory Network Data with Volatility

This Linux focused post goes through each of the Linux Volatility plugins related to recovering network data from memory, such as network connections, packets, and the routing cache.

http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html

If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.

We hope you've enjoyed this week's series.  Stay tuned, we have much more in store!

Friday, September 14, 2012

Week 1 of the Month of Volatility Plugins posted!

I'm going to borrow from Andrew's blog here to let you know about our Month of Volatility Plugins:

I was writing to announce that week 1 of the month of Volatility plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.

Post 1: Logon Sessions, Processes, and Images

This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the drivers mapped into each session.

http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html

Post 2: Window Stations and Clipboard Malware

This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.

http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Post 3: Desktops, Heaps, and Ransomware

This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.

http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html

Post 4: Average Coder Rootkit, Bash History, and Elevated Processes

This Linux focused post covers analyzing the Average Coder rootkit, recovering .bash_history from memory, even when faced with anti-forensics, and finding elevated processes.

http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html

Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs

This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic values of sysfs.

http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html


If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.

Future Volatility posts will appear on our official blog (http://volatility-labs.blogspot.com/).  Also you might want to follow our project on twitter: @Volatility for updates and news.  See you at OMFW!

Saturday, September 01, 2012

Job File Parser

While writing material for the Black Hat training course that Andrew Case and I gave this summer, I realized that there did not appear to be many tools that would parse job files. At that time, Harlan Carvey had written a blog post on job files and had mentioned them in part of his timeline materials, but he had not yet released his Perl script (it has since been released here). This prompted me to write a parser of my own in Python.

.job files consist of two sections: 1) Fixed Length and 2) Variable Length. The MSDN documentation is fairly good for letting us know how to parse out these sections.

So what does a .job file look like?

$ xxd At5.job
0000000: 0006 0100 e378 73f7 4d8b 2a45 a589 1cc5  .....xs.M.*E....
0000010: fa64 cfd2 4600 cc00 0000 0000 3c00 0a00  .d..F.......<...
0000020: 2000 0000 0014 730f 0000 0000 0513 0400  .....s.........
0000030: 0200 e421 dc07 0700 0100 1000 0b00 1a00  ...!............
0000040: 0000 0f00 0000 0400 6300 6d00 6400 0000  ........c.m.d...
0000050: 0f00 2f00 6300 2000 6e00 6f00 7400 6500  ../.c. .n.o.t.e.
0000060: 7000 6100 6400 2e00 6500 7800 6500 0000  p.a.d...e.x.e...
0000070: 0000 0700 5300 5900 5300 5400 4500 4d00  ....S.Y.S.T.E.M.
0000080: 0000 1e00 4300 7200 6500 6100 7400 6500  ....C.r.e.a.t.e.
0000090: 6400 2000 6200 7900 2000 4e00 6500 7400  d. .b.y. .N.e.t.
00000a0: 5300 6300 6800 6500 6400 7500 6c00 6500  S.c.h.e.d.u.l.e.
00000b0: 4a00 6f00 6200 4100 6400 6400 2e00 0000  J.o.b.A.d.d.....
00000c0: 0000 0800 0000 0000 0000 0000 0100 3000  ..............0.
00000d0: 0000 dc07 0700 1000 0000 0000 0000 0b00  ................
00000e0: 1a00 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 feff ffff fd68 7377 0000 0000 0100  .......hsw......
0000100: 0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8  ......x...... ..
0000110: a0c4 5108 c943 d5c9 c64f 47ea 6052 0349  ..Q..C...OG.`R.I
0000120: 23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360  #...h...!.m;...`
0000130: 706b c27b 2e44 9db1 4e89 81ca dd0a 869e  pk.{.D..N.......
0000140: 2b61                                     .6..

We can see the first section of the job file below:

0000000: 0006 0100 e378 73f7 4d8b 2a45 a589 1cc5  .....xs.M.*E....
0000010: fa64 cfd2 4600 cc00 0000 0000 3c00 0a00  .d..F.......<...
0000020: 2000 0000 0014 730f 0000 0000 0513 0400  .....s.........
0000030: 0200 e421 dc07 0700 0100 1000 0b00 1a00  ...!............
0000040: 0000 0f00                                ....

The fixed length section is pretty straightforward (I will only fill in a few):
0-2 : Product Info (0x600 - Vista)
2-4 : File Version (0x1)
4-20 : UUID ({F77378E3-8B4D-452A-A589-1CC5FA64CFD2})
20-22: Application Name Offset (0x46)
22-24: Trigger Offset (0xcc)
24-26: Error Retry Count (0x00)
26-28: Error Retry Interval (0x00)
28-30: Idle Deadline (0x3c)
30-32: Idle Wait (0xa)
32-36: Priority
36-40: Maximum Runtime
40-44: Exit Code (0x0)
44-48: Status (0x41305)
48-52: Flags
52-68: Run Date (Monday Jul 16 11:26:00.15 2012)

The variable length section actually contains a 2-byte size word before each of the string data members mentioned in the MSDN documentation (the size is the first word of each string below, e.g. 0x0004 ahead of c.m.d and 0x000f ahead of /.c. .n.o.t.e.p.a.d...e.x.e.):

0000044: 0000 0400 6300 6d00 6400 0000            ....c.m.d...
0000050: 0f00 2f00 6300 2000 6e00 6f00 7400 6500  ../.c. .n.o.t.e.
0000060: 7000 6100 6400 2e00 6500 7800 6500 0000  p.a.d...e.x.e...
0000070: 0000 0700 5300 5900 5300 5400 4500 4d00  ....S.Y.S.T.E.M.
0000080: 0000 1e00 4300 7200 6500 6100 7400 6500  ....C.r.e.a.t.e.
0000090: 6400 2000 6200 7900 2000 4e00 6500 7400  d. .b.y. .N.e.t.
00000a0: 5300 6300 6800 6500 6400 7500 6c00 6500  S.c.h.e.d.u.l.e.
00000b0: 4a00 6f00 6200 4100 6400 6400 2e00 0000  J.o.b.A.d.d.....
00000c0: 0000 0800 0000 0000 0000 0000 0100 3000  ..............0.
00000d0: 0000 dc07 0700 1000 0000 0000 0000 0b00  ................
00000e0: 1a00 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 feff ffff fd68 7377 0000 0000 0100  .......hsw......
0000100: 0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8  ......x...... ..
0000110: a0c4 5108 c943 d5c9 c64f 47ea 6052 0349  ..Q..C...OG.`R.I
0000120: 23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360  #...h...!.m;...`
0000130: 706b c27b 2e44 9db1 4e89 81ca dd0a 869e  pk.{.D..N.......
0000140: 2b61                                     .6..

Going over some of the data above we have:
Running Instance Count (0x0)
Command Name Length (0x4, includes the terminating '\x00')
Command Name (cmd)
Parameter Length (0xf)
Parameter (/c notepad.exe)
Working Directory Length (0x0)
Working Directory (only present if Working Directory Length > 0)
User Name Length (0x7)
User Name (SYSTEM)
Comment Length (0x1e)
Comment (only present if Comment Length > 0: Created by NetScheduleJobAdd.)
User Data / Reserved Data
Trigger Count (0x1)
Triggers
- Scheduled date (Jul 16 11:26:00.0 2012)
Job Signature

So I am releasing a job file parser script that can parse out almost all of the items mentioned above. You can find it here. The only things left out are the user/reserved data, some of the trigger data and the job signature sections. I have only tested this on 32-bit *nix systems, so let me know if you hit issues on other platforms. You can see example output for the above job file below:

$ python jobparser.py -f At5.job
Product Info: Windows Vista
File Version: 1
UUID: {F77378E3-8B4D-452A-A589-1CC5FA64CFD2}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Monday Jul 16 11:26:00.15 2012
Running Instances: 0
Application: cmd
Parameters: /c notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 16 11:26:00.0 2012
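Putting the walkthrough above into code: the following is an added example, not the jobparser.py script released in this post. It carries the At5.job bytes transcribed from the xxd dump above as its sample input, follows the field layout from the MSDN .JOB file format page in the references, and assumes Python 3. The product, status and trigger-type names are the documented ones; the Flags word is reported raw, since its bit layout is not part of the walkthrough (the TASK_FLAG_* names in the output above come from decoding it).

```python
"""Parse a Task Scheduler .job file: fixed-length header, variable-length section, triggers."""
import datetime
import struct
import uuid

# At5.job, transcribed from the xxd dump earlier in this post (0x142 bytes).
AT5_JOB = bytes.fromhex(
    "0006 0100 e378 73f7 4d8b 2a45 a589 1cc5 fa64 cfd2 4600 cc00 0000 0000 3c00 0a00"
    "2000 0000 0014 730f 0000 0000 0513 0400 0200 e421 dc07 0700 0100 1000 0b00 1a00"
    "0000 0f00 0000 0400 6300 6d00 6400 0000 0f00 2f00 6300 2000 6e00 6f00 7400 6500"
    "7000 6100 6400 2e00 6500 7800 6500 0000 0000 0700 5300 5900 5300 5400 4500 4d00"
    "0000 1e00 4300 7200 6500 6100 7400 6500 6400 2000 6200 7900 2000 4e00 6500 7400"
    "5300 6300 6800 6500 6400 7500 6c00 6500 4a00 6f00 6200 4100 6400 6400 2e00 0000"
    "0000 0800 0000 0000 0000 0000 0100 3000 0000 dc07 0700 1000 0000 0000 0000 0b00"
    "1a00 0000 0000 0000 0000 0000 0000 0000 0000 feff ffff fd68 7377 0000 0000 0100"
    "0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8 a0c4 5108 c943 d5c9 c64f 47ea 6052 0349"
    "23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360 706b c27b 2e44 9db1 4e89 81ca dd0a 869e"
    "2b61"
)

PRODUCT = {0x0400: "Windows NT 4.0", 0x0500: "Windows 2000", 0x0501: "Windows XP",
           0x0600: "Windows Vista", 0x0601: "Windows 7"}
STATUS = {0x41300: "Task is ready to run", 0x41301: "Task is running",
          0x41302: "Task is disabled", 0x41303: "Task has not run",
          0x41304: "No more runs scheduled", 0x41305: "Properties not set"}
TRIGGER_TYPE = ["ONCE", "DAILY", "WEEKLY", "MONTHLYDATE", "MONTHLYDOW",
                "EVENT_ON_IDLE", "EVENT_AT_SYSTEMSTART", "EVENT_AT_LOGON"]

# Fixed-length header: product, version, uuid, 6 WORDs, 5 DWORDs, SYSTEMTIME (8 WORDs) = 68 bytes
FIXED = struct.Struct("<HH16s6H5I8H")
# Trigger record: size, reserved, begin y/m/d, end y/m/d, start h/m, 4 DWORDs, 6 WORDs = 48 bytes
TRIGGER = struct.Struct("<10H4I6H")


def _wstr(data, off):
    """Length-prefixed UTF-16LE string; the count is in WCHARs and includes the NUL."""
    (n,) = struct.unpack_from("<H", data, off)
    end = off + 2 + 2 * n
    return data[off + 2:end].decode("utf-16-le").rstrip("\x00"), end


def _blob(data, off):
    """Length-prefixed byte blob (User Data, Reserved Data)."""
    (n,) = struct.unpack_from("<H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_job(data):
    f = FIXED.unpack_from(data, 0)
    app_off, trig_off = f[3], f[4]
    priority, max_run_ms, exit_code, status, flags = f[9:14]
    y, mo, _dow, d, h, mi, s, ms = f[14:22]
    job = {
        "product": PRODUCT.get(f[0], hex(f[0])),
        "version": f[1],
        "uuid": "{%s}" % str(uuid.UUID(bytes_le=f[2])).upper(),
        "priority": priority,
        "max_run_ms": max_run_ms,
        "exit_code": exit_code,
        "status": STATUS.get(status, hex(status)),
        "flags": flags,  # bit layout is documented in the .JOB spec; left raw here
        # An all-zero SYSTEMTIME is the "Task not yet run" case.
        "last_run": None if y == 0 else datetime.datetime(y, mo, d, h, mi, s, ms * 1000),
    }
    off = FIXED.size
    (job["running_instances"],) = struct.unpack_from("<H", data, off)
    off += 2
    if off != app_off:  # the header offset must land on the application-name length word
        raise ValueError("application name offset %#x, expected %#x" % (app_off, off))
    for key in ("application", "parameters", "working_dir", "user", "comment"):
        job[key], off = _wstr(data, off)
    job["user_data"], off = _blob(data, off)
    job["reserved_data"], off = _blob(data, off)
    if off != trig_off:  # the header offset must land on the trigger count
        raise ValueError("trigger offset %#x, expected %#x" % (trig_off, off))
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    job["triggers"] = []
    for _ in range(count):
        t = TRIGGER.unpack_from(data, off)
        job["triggers"].append({
            "type": TRIGGER_TYPE[t[13]] if t[13] < len(TRIGGER_TYPE) else hex(t[13]),
            "begin": (t[2], t[3], t[4]),  # year, month, day
            "end": (t[5], t[6], t[7]),    # zero unless the trigger has an end date
            "start": (t[8], t[9]),        # hour, minute
            "flags": t[12],
        })
        off += t[0]                       # honour the record's own size field
    # Optional trailer: signature version, minimum client version, 64-byte signature.
    if off + 4 <= len(data):
        ver, min_client = struct.unpack_from("<HH", data, off)
        job["signature"] = {"version": ver, "min_client": min_client,
                            "complete": len(data) >= off + 4 + 64}
    return job


if __name__ == "__main__":
    for k, v in parse_job(AT5_JOB).items():
        print("%-18s %r" % (k + ":", v))
```

Two layout checks are built in: the header's application-name offset must land immediately after the running-instance count, and its trigger offset must land immediately after the reserved data. A file that fails either check does not follow the documented layout, which is worth a line in the report when the .job came from a Tasks directory you are timelining.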

Here is some output of job files taken from a Windows 2008 machine:

$ python jobparser.py -d Tasks/
************************************************************************
File: Tasks/At1.job
Product Info: Windows Vista
File Version: 1
UUID: {CE14B659-4115-4263-BFAD-A8318428AB68}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 17 02:20:00.0 2012
************************************************************************
************************************************************************
File: Tasks/At2.job
Product Info: Windows Vista
File Version: 1
UUID: {46F61E52-4581-49A9-9AD0-2244C206AEEB}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 16 14:20:00.0 2012
************************************************************************

And here are a couple of XP tasks. Notice that the first one has a "Running Instances" value of 1: it was copied while the command was still running.

************************************************************************
File: Solitaire.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task has not run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 1
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012
************************************************************************
************************************************************************
File: Solitaire2.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task is ready to run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 0
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012
************************************************************************

References:

[1] Windows Forensic Analysis 2nd Ed., Harlan Carvey
[2] .JOB File Format, http://msdn.microsoft.com/en-us/library/cc248285%28v=prot.13%29.aspx
[3] Windows Scheduler (at job) Forensics, http://computer-forensics.sans.org/blog/2009/09/16/windows-scheduler-at-job-forensics

Saturday, April 21, 2012

MBR Parser

With the increase in MBR infectors, I've decided to release a script I wrote that parses the MBR as well as hashes and disassembles the bootcode. I've found that MBR bootcode is pretty stable across systems of the same OS, so this script should allow you to quickly check for any discrepancies on a system.

You of course need Python and Distorm to use this script.

A shortened example output can be seen below:

$ python mbr_parser.py -f mbr.bin
Disk signature: 96-80-96-80
Bootcode md5: 4ad444d4e7efce9485a94186c3f4b157
Bootcode Disassembly:
00000000: 33c0        XOR AX, AX
00000002: 8ed0        MOV SS, AX
00000004: bc007c      MOV SP, 0x7c00
00000007: fb          STI
00000008: 50          PUSH AX
00000009: 07          POP ES
0000000a: 50          PUSH AX
0000000b: 1f          POP DS
0000000c: fc          CLD
0000000d: 50          PUSH AX
0000000e: be007c      MOV SI, 0x7c00
00000011: bf0006      MOV DI, 0x600
00000014: b90002      MOV CX, 0x200
00000017: f3a4        REP MOVSB
00000019: bf1e06      MOV DI, 0x61e
0000001c: 57          PUSH DI
0000001d: cb          RETF
0000001e: b441        MOV AH, 0x41
00000020: b280        MOV DL, 0x80
00000022: bbaa55      MOV BX, 0x55aa
00000025: cd13        INT 0x13
00000027: 81fb55aa    CMP BX, 0xaa55
0000002b: 7530        JNZ 0x5d
0000002d: f6c101      TEST CL, 0x1
00000030: 742b        JZ 0x5d
00000032: be0008      MOV SI, 0x800
00000035: c7041000    MOV WORD [SI], 0x10
00000039: c744020600  MOV WORD [SI+0x2], 0x6
[snip]
000001b2: 0000        ADD [BX+SI], AL
000001b4: 002c        ADD [SI], CH
000001b6: 44          INC SP
000001b7: 63          DB 0x63
===== Partition Table #1 =====
Boot flag: 0x80 (Bootable)
Partition type: 0x7 (NTFS)
Starting Sector (LBA): 0x3f (63)
Starting CHS: Cylinder: 0 Head: 1 Sector: 1
Ending CHS: Cylinder: 520 Head: 254 Sector: 63
Size in sectors: 0x7fb68a (8369802)
===== Partition Table #2 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #3 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #4 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

Update: Fixed the output to 16-bit assembly. Thanks for the feedback!

The script can be found here.
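As an added example (not the mbr_parser.py script above, and without the diStorm disassembly), the parser below hashes the boot code, decodes the four partition entries including the packed CHS fields, and runs the checks an analyst applies when looking for a tampered MBR. The sample MBR is constructed: the first 62 boot code bytes, the disk signature and partition #1 are transcribed from the output above, the remainder of the boot code is zero padding, so its md5 will not match the one printed above. Python 3 is assumed.

```python
"""Parse a 512-byte MBR: hash the boot code, decode the partition table, run sanity checks."""
import hashlib
import struct

PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/HPFS/exFAT", 0x0b: "FAT32 (CHS)",
              0x0c: "FAT32 (LBA)", 0x0f: "Extended (LBA)", 0x82: "Linux swap",
              0x83: "Linux", 0xee: "GPT protective"}

# First 62 bytes of boot code, transcribed from the disassembly in this post.
BOOTCODE_PREFIX = bytes.fromhex(
    "33c0 8ed0 bc007c fb 50 07 50 1f fc 50 be007c bf0006 b90002 f3a4 bf1e06 57 cb "
    "b441 b280 bbaa55 cd13 81fb55aa 7530 f6c101 742b be0008 c7041000 c744020600"
)


def pack_chs(cyl, head, sec):
    """Pack a CHS triple into the 3-byte on-disk form; the sector byte carries cylinder bits 8-9."""
    return bytes([head, ((cyl >> 2) & 0xc0) | (sec & 0x3f), cyl & 0xff])


def unpack_chs(raw):
    """Inverse of pack_chs: returns (cylinder, head, sector)."""
    head, s, c = raw
    return (((s & 0xc0) << 2) | c, head, s & 0x3f)


def _entry(boot, ptype, start, end, lba, sectors):
    """Build one 16-byte partition table entry."""
    return (bytes([boot]) + pack_chs(*start) + bytes([ptype]) + pack_chs(*end)
            + struct.pack("<II", lba, sectors))


# Constructed sample: real prefix plus zero padding; signature and partition #1 from the output above.
SAMPLE_MBR = (
    BOOTCODE_PREFIX.ljust(440, b"\x00")
    + bytes.fromhex("96809680")                    # disk signature
    + b"\x00\x00"                                  # reserved word (0x5a5a marks copy-protected disks)
    + _entry(0x80, 0x07, (0, 1, 1), (520, 254, 63), 63, 8369802)
    + _entry(0x00, 0x00, (0, 0, 0), (0, 0, 0), 0, 0) * 3
    + b"\x55\xaa"
)


def parse_mbr(data):
    if len(data) < 512:
        raise ValueError("need at least 512 bytes, got %d" % len(data))
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = data[446 + 16 * i:462 + 16 * i]
        lba, sectors = struct.unpack("<II", e[8:16])
        parts.append({"boot_flag": e[0], "type": e[4],
                      "type_name": PART_TYPES.get(e[4], "Unknown"),
                      "start_chs": unpack_chs(e[1:4]), "end_chs": unpack_chs(e[5:8]),
                      "lba": lba, "sectors": sectors})
    return {
        "disk_signature": "-".join("%02x" % b for b in data[440:444]),
        # Hash only the code, not the disk signature or partition table, so the same OS's
        # boot code hashes identically on differently partitioned machines.
        "bootcode_md5": hashlib.md5(data[:440]).hexdigest(),
        "partitions": parts,
    }


def sanity_issues(mbr):
    """Things worth flagging: odd boot flags, several active partitions, overlapping ranges."""
    issues = []
    active = [i for i, p in enumerate(mbr["partitions"]) if p["boot_flag"] == 0x80]
    for i, p in enumerate(mbr["partitions"]):
        if p["boot_flag"] not in (0x00, 0x80):
            issues.append("partition %d: invalid boot flag %#x" % (i + 1, p["boot_flag"]))
        if p["boot_flag"] == 0x80 and p["type"] == 0:
            issues.append("partition %d: active but empty" % (i + 1))
    if len(active) > 1:
        issues.append("%d partitions marked active" % len(active))
    used = [(p["lba"], p["lba"] + p["sectors"], i + 1)
            for i, p in enumerate(mbr["partitions"]) if p["sectors"]]
    for a in used:
        for b in used:
            if a[2] < b[2] and a[0] < b[1] and b[0] < a[1]:
                issues.append("partitions %d and %d overlap" % (a[2], b[2]))
    return issues


if __name__ == "__main__":
    m = parse_mbr(SAMPLE_MBR)
    print("Disk signature:", m["disk_signature"])
    print("Bootcode md5:", m["bootcode_md5"])
    for n, p in enumerate(m["partitions"], 1):
        print("#%d boot=%#04x type=%#04x (%s) lba=%d sectors=%d start_chs=%s end_chs=%s"
              % (n, p["boot_flag"], p["type"], p["type_name"], p["lba"], p["sectors"],
                 p["start_chs"], p["end_chs"]))
    print("Issues:", sanity_issues(m) or "none")
```

To use this the way the post suggests, hash the boot code of a known-clean machine running the same OS and compare it with the value parse_mbr returns for the suspect image; a differing digest or any entry in sanity_issues is the cue to pull the full 512 bytes into a disassembler.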

Friday, March 23, 2012

Upcoming Cybercrime Studies talk: For a Free Digital Society by Dr. Richard Stallman

Yet another interesting upcoming talk at John Jay College on Tuesday March 27, 2012:


Center for Cybercrime Studies

John Jay College of Criminal Justice

presents

For a Free Digital Society

Dr. Richard Stallman

President

Free Software Foundation

Abstract

Activities directed at "including" more people in the use of digital technology are predicated on the assumption that such inclusion is invariably a good thing. It appears so, when judged solely by immediate practical convenience. However, if we also judge in terms of human rights, whether digital inclusion is good or bad depends on what kind of digital world we are to be included in. If we wish to work towards digital inclusion as a goal, it behooves us to make sure it is the good kind.

Richard Stallman launched the free software movement in 1983 and started the development of the GNU operating system (see www.gnu.org) in 1984. GNU is free software: everyone has the freedom to copy it and redistribute it, with or without changes. The GNU/Linux system, basically the GNU operating system with Linux added, is used on tens of millions of computers today. Stallman has received the ACM Grace Hopper Award, a MacArthur Foundation Fellowship, the Electronic Frontier Foundation's Pioneer Award, and the Takeda Award for Social/Economic Betterment, as well as several honorary doctorates.

Date: Tuesday, March 27, 2012
Time: 1:30 PM

Location: L.61 Conference Center (New Building)

John Jay College of Criminal Justice

899 Tenth Avenue

New York, NY

RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu. For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, 212-237-8836 or email dsalane@jjay.cuny.edu.

For additional Center for Cybercrime Studies events visit our web site. Go to WWW.JJAY.CUNY.EDU, ACADEMICS, RESEARCH CENTERS and INSTITUTES.


Thursday, March 22, 2012

Differential EnScript

I know I haven't written much in the last few months; I've been busy. Even though I'm writing a blog post today it's still going to be pretty short, because most of what I have to say has already been written up in the documentation ahead of time. Today I'm releasing an EnScript that allows you to compare two disk images using various options. The purpose of this EnScript is to find differences on a machine after some event, such as an infection or a software installation, has taken place.

I'm also releasing the source in hopes that others will be able to troubleshoot or expand it themselves as needed. I offer no warranties for this script nor promises that it is beautiful code (in all reality this was written hastily out of necessity), this is "as-is" and has worked well enough for me for my purposes. Unlike most of my stuff, I actually took time to create a GUI for it, however, to make it easier to use. Information on how it works can be found in the documentation (pdf) so I will not cover it here. Hopefully someone out there will find it useful.

Please feel free to leave comments and suggestions here or by email. Here is the Differential.EnScript.

Friday, March 16, 2012

Upcoming Cybercrime Studies talk: Digital Forensic Crime Labs

I just wanted to take the time to announce the following upcoming talk at John Jay College next week:


The Center for Cybercrime Studies

John Jay College of Criminal Justice

Presents


Digital Forensic Crime Labs

Monique Mattei Ferraro

M.S., J.D., CISSP

Technology Forensics, LLC



Digital forensics labs throughout the country were set up and subsidized by the United States Department of Justice. Most labs are administered by police or law enforcement agencies. In 2009, the National Academy of Sciences released “Strengthening Forensic Science in the United States: A Path Forward,” which made several recommendations. Among the recommendations was that crime labs should be independent of police/law enforcement in order to retain an appearance of objectivity. This talk delves into the tensions between the recommendations and the practice, the ethical implications and current issues affecting digital forensics labs today.



Date: Wednesday, March 21, 2012
Time: 1:30 PM

Location: Haaren Hall, RM 630
899 Tenth Avenue
(10th Avenue and 59th Street)


RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu. For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, 212-237-8836 or email dsalane@jjay.cuny.edu.

For additional Center for Cybercrime Studies events visit our Web site (http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php) or go to WWW.JJAY.CUNY.EDU, ACADEMICS, RESEARCH CENTERS and INSTITUTES.