Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

DFIRCON EAST Smartphone Forensics Challenge

DFIRCON EAST Smartphone Forensics Challenge:

The smartphone dataset contains Malware and an iOS backup file. The goal is to highlight application data often missed by forensic tools. Your job? Find it.

The object of our challenge is simple: Download the smartphone dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on September 30th, 2014 and we will announce the winner by October 6th


Hibernation Slack: Unallocated Data from the Deep Past

Hi Folks,

I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, but it's always worth a look. My initial examination showed that even unallocated space had been largely overwritten during the six month post reinstall period. Even the fragments I was able to recover from file slack were largely useless. Then I got some very confusing keyword search hits from data in hiberfil.sys, the Windows hibernation file, and my Odyssey began.

The reason these hits were confusing was that they appeared to reference data from before the format, yet they occurred almost exactly in the middle of the 3GB+ hibernation file, andthat filehad been written to (whichI at first assumedmeant completely overwritten) only


Getting the most out of Smartphone Forensic Exams - SANS Advanced Smartphone Forensics Poster Release

Getting the most out of Smartphone Forensic Exams —

SANS Advanced Smartphone Forensics Poster Release

There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner's brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information than can help to jumpstart their forensics exams and or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster collection is the Advanced Smartphone Forensics Poster, created by SANS FOR585 authors Heather Mahalik, Dominica Crognale, and Cindy Murphy.

These days, digital forensic investigations often rely on data extracted from smartphones, tablets and other mobile devices. Smartphones are the most personal computing device associated to any user, and


SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.

Managing and Exploring Malware Samples with Viper

Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool.