Wednesday, June 22, 2011

Quick Post

Wanted to do a quick post here to say my review of Digital Forensics with Open Source Tools is now up on the SANS Computer Forensics Blog. As a frequent user of open source forensic tools, I found this book an excellent addition to my library. I think most forensic examiners will benefit from it in some way, while I think it could be essential reading for newcomers to the field.

On another subject, it's not often I give props to Microsoft, but today will be one of those rare moments. I think it's great that they've released their Microsoft Safety Scanner for both 32-bit and 64-bit versions of Windows. This tool will create either a bootable CD, a USB flash drive or an .iso image for later burning. Just this morning I used it on an infected system brought to me and was impressed with the ease of use. Basically, it's a stand-alone version of their Microsoft Security Essentials antivirus and it seems to work very well. It's nice to get new tools from vendors to help clean up the messes created by the various malware people find accidentally every day. You can download the tool from the Microsoft Safety Scanner webpage.

Speaking of malware, I've been seeing a lot of infections by yet another fake security application. Most recently I've been receiving quite a few machines for cleanup that are infected with variants called XP Recovery, Windows Vista Repair and so on. This one sets the hidden attribute on most every file and folder on the system and then does a fake scan claiming all sorts of terrible problems exist on your system and encourages you to pay the ransom, i.e. register the program, so it can fix your problems and get your files back. It doesn't seem to do any serious damage at first, but the one I'm repairing now did get the extra gift of a rootkit patch to the C:\Windows\System32\drivers\volsnap.sys file. It would be really nice if those responsible for creating these fake security programs would find new jobs as speed bumps for trains.
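As an added example (not from the post or any vendor), here is a small PowerShell triage script for the two symptoms described above: it checks the Authenticode signature of volsnap.sys, which a patched driver will no longer pass, and reports or clears the Hidden attribute the fake AV sets on user files. It assumes an elevated session started from clean boot media (so a live rootkit cannot lie about the file), and the "skip items that also carry the System attribute" heuristic is my assumption, not something the post states.

```powershell
# Added triage helper for the "XP Recovery" style fake AV; not code from the post.
# Assumptions: run as Administrator from a clean boot environment; the skip-System-attribute
# heuristic below is mine and should be sanity-checked on the specific machine.
param(
    [string]$Root = $env:USERPROFILE,   # tree the fake AV is suspected of hiding
    [switch]$Fix                        # without -Fix the script only reports
)

# 1. Integrity check on the driver the post names as a rootkit patch target.
#    A Microsoft-signed driver that was modified on disk fails Authenticode verification.
$driver = Join-Path $env:SystemRoot 'System32\drivers\volsnap.sys'
$sig    = Get-AuthenticodeSignature -FilePath $driver
[pscustomobject]@{
    File   = $driver
    Status = $sig.Status        # 'Valid' expected; 'HashMismatch' or 'NotSigned' means replace the driver
    Signer = $sig.SignerCertificate.Subject
}

# 2. Enumerate items under $Root that carry Hidden but not System.
#    Legitimately hidden OS items (desktop.ini, NTUSER.DAT, ...) normally carry both bits,
#    while the fake AV sets Hidden alone (assumption / heuristic).
$hiddenOnly = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    })

Write-Host ("{0} hidden-only items found under {1}" -f $hiddenOnly.Count, $Root)

if ($Fix) {
    foreach ($item in $hiddenOnly) {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest are left as they were.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    Write-Host ("Hidden attribute cleared on {0} items." -f $hiddenOnly.Count)
}
else {
    # Dry run: show a sample of what -Fix would change so the heuristic can be eyeballed first.
    $hiddenOnly | Select-Object -First 20 FullName, Attributes
}
```

Run it once without -Fix, review the sample, then rerun with -Fix; a non-Valid signature on volsnap.sys means the driver should be replaced from known-good media rather than left in place.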

An excellent resource for information on fake security apps and other malware is the S!RI.URZ blog. The information there has been helpful to me on quite a few occasions.

That's all for now.
