EH-Net
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Forensics / PDF analysis on: June 26, 2011, 07:15:42 PM
I have been doing massive amounts of PDF analysis lately and found myself utilizing a tool set that I haven't really heard that much about. It's a framework called Origami; it has the standard PDF analysis features with one cool exception called pdfwalker that allows you to step through the PDF, and for those looking to preload a PDF with some goodies it supports injection... It's a Ruby gems framework so not too difficult to get up and running.  Take a look:  http://esec-lab.sogeti.com/dotclear/index.php?pages/Origami
2  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Dumping memory and browsing through it on: June 12, 2011, 02:10:28 PM
Yeah, Redline has potential. I hate the .NET requirement, and keep in mind this is the first release of the product. Things I have on my IronKey: Sysinternals suite, MIR standalone scan (we do have an appliance but you never know when you need to do the odd offline capture). I tossed Redline on there as well as a few other custom goodies.  Only beef I have with the IronKey is that it's a thousand times bigger than any other memory key I have.  Overall though the product roxxs.
3  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Dumping memory and browsing through it on: June 10, 2011, 01:36:07 PM
Sil, what are your thoughts on DFF? I'm playing around with it and find it to be pretty robust so far. I'd recommend kamikaze go for the Mandiant Memoryze and the Memoryze viewer initially till he gets more comfortable with the more advanced memory forensic tools.  There really is no end to memory analysis kit out there; if you're comfortable with nix then you could play around with the SANS SIFT Workstation....

Actually Mandiant put out a new memory analysis tool called Redline. I have yet to play with it (dling now) but it might be worth looking into; overall I think they make a decent product.  So to recap, Memoryze & Audit Viewer, or Redline, would be great starting points.
4  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: Improvised Cyber Exploitation Devices on: May 30, 2011, 07:41:58 PM
Sil, you are a mad genius. If this is what you get into when you're bored I can only imagine what you're capable of when properly motivated  Wink
5  Ethical Hacking Discussions and Related Certifications / Forensics / Re: DFRWS Challenge 2011 on: May 24, 2011, 09:11:08 AM
Sil what version of FTK are you using? Have you gotten your hands on the latest release?  Just wondering what your impressions are..  BTW I love the forensic challenges, hard to stay on top of all of em  Grin
6  Ethical Hacking Discussions and Related Certifications / CHFI - Computer Hacking Forensic Investigator / Re: CHFI - my experience on: May 16, 2011, 08:30:14 AM
Well, there goes my faith in EC-Council. I was going to do a write-up on the sheer amount of padding in their courseware but looks like someone beat me to the point.  I can't begin to figure out how EC took such a bad turn.  It seems that the organization needs to take a long hard look at its materials.  Until I hear otherwise I'm going to remove them from my list of certs to get.
7  Ethical Hacking Discussions and Related Certifications / Forensics / Re: SANS Forensics Courses 408 & 508 on: May 16, 2011, 08:25:49 AM
Excellent, keep us updated!
8  Ethical Hacking Discussions and Related Certifications / Other / Re: Online College Courses? on: May 12, 2011, 09:38:35 AM
Yeah, I'm currently in my 2nd time through college.  About 10 years ago I majored in Intercultural Studies, with a minor in World Religions.  Try finding a major specific job with those!  Hehe...   Now I'm just working steadily toward a BS in Computer Science, and working full time.  No spawn though, which makes it simpler.

Ah, I'm on my second pass through college as well, getting an AAS in Computer Forensics from ITT.  I signed up in a panic when my son was born and now I have a daughter as well.  A 3 year old son and 2 year old daughter who are both little hell spawns and Irish twins if you catch my drift  Wink makes any kind of schooling rough. Add that to a full time job and life is interesting for sure.
9  Ethical Hacking Discussions and Related Certifications / Forensics / Re: SANS Forensics Courses 408 & 508 on: May 09, 2011, 02:06:29 PM
Ah yeah I'm on both of those forums and I'd have to agree with you!  Wink
10  Ethical Hacking Discussions and Related Certifications / Forensics / Re: SANS Forensics Courses 408 & 508 on: May 09, 2011, 01:42:41 PM
Has anyone recently taken these courses?  I am about to drop the money to pay for the first one and then in May pay for the second one.

I have been reading over the syllabus for these courses and I have actually been able to speak to the instructor that will be teaching the courses as they are on the Forensics forum that I am on also.  The class seems to be tightly run and they seem to do a great deal of teaching the basics, which is what I need more than anything, plus I get a bunch of tools like a Write Blocker, Helix Boot CD, etc....

Anyways let me know if you have gone through these courses.

I will be giving an evaluation of the courses when I have completed them, which will be in May and then in August.

What Forensics forum are you on?
11  Ethical Hacking Discussions and Related Certifications / Other / Re: Best Practices for Password Policy on: May 09, 2011, 08:14:04 AM
Ahh, the age old problem that every IT department faces: passwords.  The complexity requirements at my current place of employment are, I'm sure, the bane of the helpdesk.  I'd love to go to passphrases, however I'm sure we wouldn't be able to due to the strict gov regs that companies in my industry face.  We are actually looking at beefing up security even further by utilizing CAC cards in addition to our normal password complexity requirements.  One thing I'm currently working on is getting the ISO to make all the Domain Admins use two separate accounts: one with user level rights for day to day stuff and the other a unique domain admin account to use for any work that requires elevated permissions.  I myself have been working this way for about 6 mo. At first it was difficult but you quickly adapt to creating shortcuts with runas in the target path.  I've taken to documenting cases where users have their passwords written down.  God, one of our users who handles finances had a file called Passwords.xls out on a freaking network share that was accessible to everyone.
12  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Corporate Security: Android vs iPhone on: May 09, 2011, 08:02:51 AM
@R3B005t

How are you handling the iTunes issue? With the iOS exploit that is now in Metasploit, we can now pull all that juicy info right from the device, as long as iTunes is installed on the box.

Simple, we don't allow iTunes to be installed in the environment.  As part of our user acceptance policy for the iPhones we state that:

1) All iOS updates must be applied within 7 days of release or we will disable access to enterprise mail.  For those users unable to update their iPhones in a timely manner we disable it, update it for them and then re-enable email access.

2) The end user is responsible for backing up any content on their device. We recommend they install iTunes on a computer at home for this purpose since A) we don't allow iTunes on any of our machines and B) my users don't have rights to install software; they don't have any elevated privileges beyond the standard user account.

The product we are using for enterprise mail A) requires that any backup be encrypted by default and B) does not back up data contained in the app, only the application itself.
13  Ethical Hacking Discussions and Related Certifications / Forensics / Re: SANS Forensics Courses 408 & 508 on: May 09, 2011, 07:54:16 AM
SANS Forensic classes are excellent from what I've heard. I'm hoping once I finish my AAS in Computer Forensics in Oct to be able to get work to shell out to send me to some of the training.  I live in NVA so SANS HQ isn't too far away from me.  Josh, what forum are you on?
14  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Corporate Security: Android vs iPhone on: May 07, 2011, 08:44:23 PM
That's not true at all; in fact if you search Apple's support site they strongly recommend antivirus software on their machines.  Apple has never said AV was unnecessary.
15  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Corporate Security: Android vs iPhone on: May 07, 2011, 02:09:50 PM
Android, while a great device OS, is open sourced. The major issue here is that there is absolutely 0 quality control by Google over the Android Marketplace.  This makes it extremely easy to introduce malicious software onto the device and potentially back into your environment.  That reason alone was enough for me to make the Android a no go in my environment, because why give your users an advanced device then deny them the ability to utilize it to its full potential by blocking the Marketplace (which is the only way I would allow Android in the enterprise).

In Nov. I was just awarded approval by our ISRB (information security review board) to introduce a fully functioning iPhone into the enterprise. By leveraging 3rd party software I am able to create an encrypted isolated segment on the device that does nothing but interact with the enterprise, and it prevents external access from other applications on the device.  By utilizing this method I'm able to give my users iPhones that are not restricted, with policy only applying to the enterprise "container".  I can help you out with some of the logistics and some good points of discussion that essentially helped me convince the board that providing employees these powerful mobile devices while ensuring the integrity and security of our corporate data was viable; let me know.
© 2013 The Ethical Hacker Network