Monday, May 20, 2013

CEIC 2013 and the public beta of the NTFS TriForce

Greetings Reader,

Thanks to all of you who came in person to my presentation at CEIC this morning. We had a mountain of information to show you and you kept up! We had a standing-room-only session and lots of great questions were asked. I'm going to try Google Drive for all my hosting of session materials this time; I hope it works well!

We had a lot of fun today. We walked attendees through data structure, four labs showing how to use the TriForce to solve four different forensic scenarios, and how to use libvshadow in Windows to expose shadow copies that you can extract the $MFT, $LogFile and $UsnJrnl:$J from!

I'll be posting blog entries in the next two weeks giving walkthroughs of each of the labs and more fun data for everyone to try out our new tool on.

Lastly, it's time for the public beta of the TriForce. Please click on the link below to download it and get updated on new versions that we will be releasing as we get closer to a defined product.


Here is the link to the public beta signup:
https://docs.google.com/forms/d/1GzOMe-QHtB12ZnI4ZTjLA06DJP6ZScXngO42ZDGIpR0/viewform


Here are my slides from today:
https://docs.google.com/file/d/0B_mjsPB8uKOARWdvdGRsQlh6V1E/edit?usp=sharing

Here is a link to the labs from today:
https://docs.google.com/file/d/0B_mjsPB8uKOAekQwTmQwYWoyY3M/edit?usp=sharing

Here is a link to the demo video today:
http://www.youtube.com/watch?v=5it4EenSaok&feature=youtu.be&a

Here is a link to download the Windows-compiled version of libvshadow:
https://docs.google.com/file/d/0B_mjsPB8uKOAMTRrcVJWbC01YzQ/edit?usp=sharing