  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Other / Re: Cyber Challenge Games on: February 26, 2013, 07:44:41 PM
#5 took me a while.  That was fun :)
2  Ethical Hacking Discussions and Related Certifications / Other / Re: Cyber Challenge Games on: February 26, 2013, 11:42:27 AM
I got a server 500 error on a few of them too.   Fun challenges though.
3  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: OWASP Top 10 2013 on: February 25, 2013, 03:44:31 PM
Yep, this seems pretty spot on to me as well. 
4  Ethical Hacking Discussions and Related Certifications / Other / Re: Tech books - physical or digital? on: February 11, 2013, 01:02:34 PM
I am definitely more a fan of ebooks.  I have a Kindle and it works well for reading the books cover to cover, like others have said.  I also make use of Calibre and convert the books to PDF.  I can then search them for what I need.   It's just not practical to carry print books anymore.
5  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Need some MYSQL practical Resources on: February 06, 2013, 09:36:04 AM
This is always a good start:

http://www.w3schools.com/sql/default.asp

I would also suggest reading as much as you can on SQL Injection.  There are a ton of varieties of this attack and a ton of Internet resources to go along with it. 

https://www.owasp.org/index.php/SQL_Injection

http://www.youtube.com/watch?v=rdyQoUNeXSg

6  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Web site forensics on: February 05, 2013, 10:01:17 PM
This one is actually tough.  In forensics, we have live system analysis and dead-box forensics.  In order to do a complete investigation of a hacking/malware attack, you would want to capture RAM, other volatile information, and a forensic image of the box.  This is really the best evidence for an analysis.  Unfortunately, many WordPress, Joomla, and other CMS sites are run on shared hosting.  You will not get access to the actual server (or the virtual machine) in most cases.

In that case you are stuck with log files and the malware itself.  Most WordPress compromises are designed to redirect you somewhere.  Although, some will aim for complete access.  You would want to look at the MySQL database and the code base.  Chances are you will find some malicious (and obfuscated) JavaScript code.  You may also see a ton of strange content stored in the database, fragments of SQLi or other attacks.  You can look at log files and database logs for the source of the injected files.  Most of the time, you will hit a proxy though.
7  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: I passed OSCP !! on: February 05, 2013, 09:53:00 PM
Congratulations and way to stick with it!
8  Ethical Hacking Discussions and Related Certifications / Forensics / Re: How to find a file time stamps on: February 05, 2013, 09:51:35 PM
Unless you specifically used a copy utility that preserved the MAC times of the file, you can't trust the file was copied with metadata preserved.  You are also not sure if it is the same file unless you have cryptographic hashes of both, the source and the destination, to support this. 

Your best bet is to analyze the original file, or rather a forensically sound copy of it. (You don't want to work with the original evidence as a rule of thumb.)  As others have already stated, there are a ton of utilities that will give you the metadata of the file.  You may also want to look at Autopsy and Sleuthkit (http://www.sleuthkit.org/autopsy/).
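
The check described in the post above, as an added example that is not part of the original post: a Python script that hashes source and destination with SHA-256 and compares their modification times after two kinds of copy. The sample file, its backdated timestamp and the `compare_copy` helper are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large evidence files need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copy(source, destination):
    """Report whether content and modification time survived a copy."""
    src, dst = os.stat(source), os.stat(destination)
    return {
        "same_content": sha256_of(source) == sha256_of(destination),
        # 2 s tolerance covers filesystems with coarse timestamp resolution.
        "mtime_preserved": abs(src.st_mtime - dst.st_mtime) < 2,
        "source_mtime": src.st_mtime,
        "destination_mtime": dst.st_mtime,
    }


def demo():
    """Copy a constructed sample file two ways and compare the results."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.txt")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample evidence\n")
        # Backdate the sample so a reset timestamp is easy to spot.
        old = 1_000_000_000  # 2001-09-09 UTC
        os.utime(original, (old, old))

        plain = os.path.join(workdir, "plain_copy.txt")
        preserved = os.path.join(workdir, "preserved_copy.txt")
        shutil.copy(original, plain)       # copies data and mode only
        shutil.copy2(original, preserved)  # also tries to keep timestamps
        return compare_copy(original, plain), compare_copy(original, preserved)


if __name__ == "__main__":
    for label, result in zip(("shutil.copy", "shutil.copy2"), demo()):
        print(label, result)
```

Only the modification time is compared here; matching hashes show the content is identical even when the copy's timestamps were reset.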
9  Columns / Andress / Re: [Article]-Course Review: SANS FOR408 Computer Forensic Investigations – Windows In-Depth on: January 25, 2013, 09:28:38 PM
Jason, thanks for the detailed review.  You were certainly very thorough in your description of the activities.  This sounds like a good introduction to forensic analysis.  It appears that it was limited to Windows forensics, but had some great topics on the subject.  Prefetch files, link files, and the tons of registry artifacts can keep an investigator busy :)

It seems that people are pushing FTK these days.  AccessData has some nice tools, but for some reason many investigators become dependent on FTK and never seek other options.  This could lead to quite a few missed artifacts that FTK doesn't handle well, like Shadow Copies on Windows 7.

I am looking forward to your review of the Advanced Forensics course from SANS.  This is where the magic will happen :)
10  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Evading Anti-virus Detection with Metasploit - Live Webcast on: January 24, 2013, 02:24:27 PM
It happened.  It was a bit of an advertisement for Metasploit Pro, but good info still.
11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Wireshark - dissecting OpenVPN traffic on: January 24, 2013, 02:07:16 PM
I just wanted to let you know that the packet-openvpn.c is already in the svn tree.  I was able to compile Wireshark in Linux (haven't tried on Windows).  I was able to detect and dissect the OpenVPN packets in my capture without many issues.  I love that you provided an option to change the port assignments for the protocol, since mine runs over a non-standard TCP port.

My only issue is that some of the SSL / TLS key negotiation gets lost.  That's easily remedied by switching the decoding to SSL though. 

Thank you for the great work on this!
12  EH-Net / Ethical Hacktivism / Re: EH perception of Anonymous on: January 23, 2013, 11:36:33 AM
I personally think that they have some good causes they take up from time to time.  They are also misguided and juvenile at other times.  It's certainly a new breed of hacker groups.
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Wireshark - dissecting OpenVPN traffic on: January 23, 2013, 11:34:53 AM
Wow, this is exactly what I needed :)
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Wireshark - dissecting OpenVPN traffic on: January 22, 2013, 10:56:26 PM
Hey everyone,

I figured I would post another question that I have been stumped on.  I have a packet capture of an SSL VPN session.  The SSL VPN is basically a slightly modified implementation of OpenVPN over TCP.   

I am working in Wireshark to try to dissect and decode the captured data.  I have the private key files used for the key exchange.  I am working now to retrieve the session key (which seems to change every few KB). I am just missing a dissector for OpenVPN.  It looks like the Wireshark team has had requests for one.  Has anyone successfully been able to decode OpenVPN traffic in Wireshark?
15  Ethical Hacking Discussions and Related Certifications / Security / Re: Training recommendation for developers on: January 22, 2013, 10:51:19 PM
Thanks everyone.  I wish I could do SANS, but I don't have the budget for it.  I am also working with someone who needs a classroom environment to maximize the results from the training.  He doesn't absorb as well from books.

I will definitely check out eLearnSecurity to see if I can make that work. 
© 2013 The Ethical Hacker Network