Chad Tilbury
Attended United States Air Force Academy
351 followers|16,145 views
Stream

Chad Tilbury

commented on a post on Blogger.
Shared publicly  - 
 
Hi Dave.  Could you clarify this:  "My system drive has 628,480 MFT records, its been in active use for over a year with the current install. Of those 628,480 have POSIX filespace records."   

Are you saying that of 628,480 MFT entries on your test system, 100% had POSIX records?  

Great stuff! -Chad
1
 
Woops, I need to fix that.

Chad Tilbury

Shared publicly  - 
 
+David Cowen and I were chatting about his recent post on Windows time manipulation.  Here is an example of a time change event occurring in the System event log (Windows 8).  In this case it was an automatic update as evidenced by the User field showing the SYSTEM account.  If a user initiated the time change we would see their account recorded.

http://hackingexposedcomputerforensicsblog.blogspot.com/2013/10/daily-blog-128-detecting-fraud-sunday.html  
3

Chad Tilbury

Shared publicly  - 
 
Windows 8 memory forensics is here!
12
1
 
Great news, thanks...

Chad Tilbury

Shared publicly  - 
1
2 comments
 
Indeed. I'm worried about Google Voice the most.

Chad Tilbury

Shared publicly  - 
 
Excellent infographic from Ange Albertini showing the universe of executable packers.
4
 
If you aren't familiar with the Malware Analysis Quant Project from Securosis, their whitepaper is worth a read.  
3

Chad Tilbury

commented on a post on Blogger.
Shared publicly  - 
 
The Security log should be the first place to check for time manipulation in Win7/8, but if for some reason the log has rolled over or auditing was turned off, you will also often find similar reporting in the System event log - Event ID 1 (Kernel-General).
2
3 comments
 
Thanks!
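Constructed example of the triage the two posts above describe (added here; not code from Chad Tilbury's or David Cowen's posts): it reads Kernel-General Event ID 1 records from the System log in the EVTX XML layout, skips sub-minute drift corrections, and separates automatic changes made by SYSTEM (S-1-5-18) from changes made under a user's account. The record layout (OldTime/NewTime data fields, the Security UserID attribute) and the sample records are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the SYSTEM account

# Constructed sample records in EVTX XML layout (assumed field names, not real captures):
# first is a half-second automatic correction, second is a user-driven jump back to 2012.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID>
  <Channel>System</Channel><Security UserID="S-1-5-18"/></System>
 <EventData><Data Name="NewTime">2013-10-20T08:00:02.000000000Z</Data>
  <Data Name="OldTime">2013-10-20T08:00:01.500000000Z</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID>
  <Channel>System</Channel><Security UserID="S-1-5-21-1111-2222-3333-1001"/></System>
 <EventData><Data Name="NewTime">2012-01-05T09:00:00.000000000Z</Data>
  <Data Name="OldTime">2013-10-21T14:30:00.000000000Z</Data></EventData></Event>
</Events>"""

def parse_ts(s):
    # EVTX timestamps carry 100 ns precision; keep the 6 digits Python can parse
    return datetime.strptime(s[:26], "%Y-%m-%dT%H:%M:%S.%f")

def time_change_events(xml_text, min_delta=timedelta(minutes=1)):
    """Return Kernel-General ID 1 events whose clock jump exceeds min_delta."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        prov = sysnode.find("e:Provider", NS).get("Name")
        eid = sysnode.findtext("e:EventID", namespaces=NS)
        if prov != "Microsoft-Windows-Kernel-General" or eid != "1":
            continue
        data = {d.get("Name"): d.text for d in ev.find("e:EventData", NS)}
        old, new = parse_ts(data["OldTime"]), parse_ts(data["NewTime"])
        delta = new - old
        if abs(delta) < min_delta:
            continue  # routine drift correction, not worth an analyst's attention
        sid = sysnode.find("e:Security", NS).get("UserID")
        hits.append({"user_sid": sid, "automatic": sid == SYSTEM_SID,
                     "old_time": old, "new_time": new, "delta": delta})
    return hits

if __name__ == "__main__":
    for h in time_change_events(SAMPLE_EVENTS):
        who = "SYSTEM (automatic)" if h["automatic"] else h["user_sid"]
        print(f"{h['old_time']} -> {h['new_time']} ({h['delta']}) by {who}")
```

A backwards jump under a non-SYSTEM SID, as in the second sample record, is the pattern worth correlating with the Security log before relying on any file timestamps from that window.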

Chad Tilbury

Shared publicly  - 
 
I recently re-read Chris Ries' whitepaper, Inside Windows Rootkits, and was impressed at how well he explains Windows internals concepts.  The paper is surprisingly relevant seven years later.    
4

Chad Tilbury

Shared publicly  - 
 
If you haven't played with the most recent Volatility plugins for Linux (and Mac) memory forensics, you really should.  The capabilities they provide are impressive.   
3
1

Chad Tilbury

Shared publicly  - 
 
Investigate Shadow Copies from your Windows forensic workstation:  ShadowKit v1.6 released!

While I am thankful that we finally have excellent tools for investigating shadow copies (i.e. ShadowKit and Joachim Metz's libvshadow project), I find it frustrating that it took so many years for good solutions to emerge.  Now with the emergence of Windows 8, we are back to where we started (Windows 8 has a different implementation for "previous versions").  Shadow copies are arguably the most important forensic artifacts available in Windows 7.  Why are commercial forensic vendors not at the cutting edge of providing these kinds of capabilities?    
ShadowKit 1.6 has been released. This release adds a new dialogue window when exporting files that gives you the options to choose if you want a Manifest and/or file-list. During exports if a file can not be exported the exce...
1
1
3 comments
 
"...I would love to see is "skunkworks" outfits at our commercial vendors..."

I think it's interesting that you'd say this, Chad...not that there's anything wrong with that, but I tend to believe that the commercial product vendors are somewhat too "risk averse" to allow for something like this.

First off, the "skunkworks" outfit would need to be able to generate suitable revenue, in either a direct or indirect manner, that paid for the costs of staff salaries, equipment, etc.

Second, even with some parsing going on, there's too much room for confusion.  Analysts are still making mistakes with USB device identification, thinking that the LastWrite time for the device key beneath the USBStor key is indicative of when the device was connected.

Third, some of the stuff that they could parse is pretty complex, and even some of the popular, commonly-used tools do not completely parse some of the artifacts.  Given this, I can understand why the commercial vendors are sitting on the sidelines and not implementing some of this stuff.
People
Have him in circles
351 people
  • Courtney Imbert
  • Craig Wright
  • Joachim Metz
  • Elizabeth Schweinsberg
  • Dan Pullega
  • Kevin Johnson
Work
Occupation
Computer Forensics and Incident Response Consultant
Basic Information
Gender
Male
Story
Tagline
Computer forensics, incident response, and network security professional.
Introduction

Technology executive with diverse background overseeing Internet operations in both large and small organizations. A recognized computer security and forensics expert. Broad international experience stemming from managing Internet anti-piracy operations in over sixty countries. Strategic thinker, leader, and experienced manager with a successful track record of building technology departments. Extensive law enforcement experience specializing in computer crime investigations working with a variety of corporations, legal groups, and government agencies. Find me on Twitter @chadtilbury or at http://ForensicMethods.com.

Education
  • United States Air Force Academy
    Computer Science
  • Northeastern University
    Computer Science
Links
Contributor to
Event Log Explorer - Windows event log management, security, system anal...
www.eventlogxp.com

Event Log Explorer. Features and Benefits. Screenshots. Online Help. Download. Get license. Local resellers. Our customers. FSPro Labs home

M-unition » Blog Archive » Research Tool Release: ApateDNS
blog.mandiant.com

Research Tool Release: ApateDNS. Written by Steve Davis. Here at Mandiant we deal with our fair share of malicious code. Being able to quick

Klein&Co Computer Forensics Australia | Thoughts & Events
kleinco.com.au

Forensic timeline Splunking. Fast and powerful searching of timeline data. Saturday, 19 November 2011. Computer forensic timeline analysis h