I'm back

I've been "away" for a bit. Even though the school semester has come to na end, I immediately took off for Floriday, for a much needed vacation. My wife and I enjoyed the sun, the surf, and the sights. Then I was back again for a week before I was off again. This time to Virginia to take SANS FOR408 - Windows Forensics.
A couple of quick notes. I still don't like Windows, and I'm still not a fan of Microsoft. However, I am amazed at all the information you can gather from a Windows box after someone has used it. It blew my mind to see all the little fragments of data and evidence of activity that gets strewn about a system during normal use. I can't wait to take a deeper dive into the world of digitial forensics. But for now, I have to study up for the GIAC certification that corresponds to the FOR408 class.
One thing that came up in class that got me thinking was the topic of drive wiping. As a class we came to the conlcusion that a single pass of all 0s is sufficient to render data on a drive unrecoverable. However, there are still people out there that insit Gutman idea is viable for data recovery, though no one has proven it, yet. It's possible someoen could test the idea with a number of hard drives, and some volunteers to put data on them, and then wipe them. Then someone could examine the drives' platters with magnetic field microscopy or maybe even a scanning electron microscope. When 757 labs recently posted on G+ that they got their hands on an SEM, it got me thinking. I suggested that they give it a shot, themselves, but if I manage to get my hands on the gear to do either contactless atomic force, scanning election, or magnetic field microscopy, I am definitely going to try to put the debate to rest once and for all.
Anyway, now that I'm back, and I have a little time before school starts up again, I'm going to see if I can a small project or two completed. I also have to get back to figuring out what's going on with our local robot war ... :)


I almost forgot. I have a new favorite open source application ... At least one for the Windows platform ... ProcessHacker.
Jason Fossen gave a SANS after-hours talk about this little gem, and it was amazing! the talk was called "Windows exploratory surgery with Process Hacker" and he wasn't kidding. If you run process hacker so that it runs with system priveleges, you can do just about anything you want to Windows or any process / thread running in Windows, including arbitrary DLL injection, altering permissions on the fly, changing memory page permissions (e.g. go from RW to RWX), and writing arbitrary values to a process's allocated memory. Not to mention Jason is a *rally* smart guy, and a really good presenter. If you ever get a chance to listen to this talk or take any of his classes, you absolutely should. Jason wrote the day 5 curriculum of SANS SEC401, all of SEC505, and part of SEC569. Verry good stuff.