Blog: SANS Digital Forensics and Incident Response Blog: Category - Book Reviews


Case Leads: DFIR Lessons from Sandy; The Advanced Persistent Intruder; The Secure Breach; Windows8 Forensics; South Carolina Tax Info Protected by "TWO FIREWALLS"

The general public is getting a lesson in incident response with the post-Hurricane Sandy storm damage in the Northeastern part of the United States. Your Case Leads blogger is working on incident responses related to the storm. Many non-technical professionals have had a chance to witness the challenges of DFIR, and some are starting to ask very intelligent questions: How resistant are IT systems to intentional cyber attacks? Could attackers do more damage than a natural disaster? We have stories this week that approach the question this way: Do we need a strategic shift in how we respond to incidents? Listen to the interview with Conrad Constantine for his take on a new approach to incident response.

Before all the storm coverage saturated the news, there was a flurry of news stories following Secretary of Defense Leon Panetta's statements on how poorly prepared the nation's critical infrastructure is for cyber attacks. And, after Hurricane


Digital Forensics Case Leads: New version of REMnux, tools for imaging iPhone and Android devices, and a list of "Best Reads" from 2011

This week's edition of Case Leads features a new version of REMnux for malware analysis and we have two tools for collecting forensic images from iPhone and Android devices. We also have a couple of articles on Android memory analysis and the use of Open Source digital forensics tools to validate commercial tools.

As always, if you have an item you'd like to share for Digital Forensics Case Leads, please send it to

  • Version 3 of REMnux for reverse engineering malware is now available as a VMware virtual appliance and a Live ISO. The latest version is based on Ubuntu 11.10 and includes significant updates to the Volatility Framework (memory analysis) and the Origami Framework (PDF analysis). This version of REMnux includes several analysis tools that were not in previous versions. The newly added tools provide network, PDF, JavaScript

Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?

The Paraben Forensics Innovator's Conference was held last week in Park City, Utah. Your SANS Digital Forensics blogger attended the event, along with over 300 fellow forensicators and lawyers. With information security events like BlackHat and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences.

At these smaller conferences you really get a chance to spend time with the same people. At PFIC, one of the attendees I met had an interesting incident at the office, and we were able to spend the time to discuss the case. And, these smaller events allow for more comparing of notes from different sessions over lunch. It's so much more difficult to get to really know someone at large conferences, with so many sessions and so many vendor events. Even the lunch events are like an army chow line at the large


Digital Forensics Case Leads: Massive eDisco Penalty, Dodd-Frank Law and Digital Forensics, It's Not Business, It's Personal

Legal and regulatory matters, and threats to law enforcement and members of the US armed forces, top this edition of Digital Forensics Case Leads. An appeals court upheld a massive penalty against a company for not properly retaining electronically stored information (ESI). If the offending party doesn't cough up over $1,000,000 in penalties, a senior exec from the firm could be placed behind bars. And, while most executives, and members of the general public, think that the Dodd-Frank law was only meant to regulate financial services, the reality is that it covers ALL public companies. This law has significant digital forensic elements. One seasoned Chief Information Security Officer (CISO) recommends a new approach to incident response and breach prevention: a counter-intelligence response. And, just about every end user is using one or more services or products from The Google. A new book breaks down the data The Google might be holding for your next


Book Review: Digital Forensics with Open Source Tools

I was excited a while back to learn that Digital Forensics with Open Source Tools was being written, and even more pleased when I heard who its authors were. I worked almost exclusively with open source tools while beginning my foray into the digital forensics world and happily continue using them today, so I knew this book would be of great interest to me. I had a general idea of what I thought the book would be like, but what I found in it was so much better than I expected. This book is an excellent introduction to open source forensic tools, but in many ways it's also a "how to do forensics" book. In the interest of full disclosure, I did receive a review copy of this book without cost to me, although I did buy a second copy to keep at my office as well.

Digital Forensics with Open Source Tools was written by Cory Altheide and Harlan Carvey. Both authors are very well known and respected in the digital forensics and incident response world. The book is published by Syngress and