Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1 x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatility and Mandiant...
This week on Case Leads, we learn the truth of China's cyber espionage unit, Twitter verified accounts were hacked and there have been some updates to some of your favorite tools.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to firstname.lastname@example.org.
- HMFT was given a small update.
- Autopsy was recently updated as well.
- Passware can now extract passwords for certain popular websites from memory.
- A very interesting article about finding and reverse
Welcome to Digital Forensics Case Leads. Another busy week in digital forensics, incident response and the law. In this edition:
- The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: what is it like for a judge to sit on the bench and digest the testimony of a forensicator / technical expert witness?
- Another judge rules that viewing CP might NOT be the same as possession under the law.
- Has law enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using Bitcoin?
- A bevy of encryption tools.
- And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to "fix" the bug?
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to email@example.com.
- Law Enforcement
On Unix and Linux systems each file has a user id and a group id (uid and gid respectively) recording the file's owner and group. On most *nix systems, files in system directories are owned by uid and gid root, which is represented by the numeric uid and gid value 0; see the sample listing below:
davehull@64n6:/bin$ ls -ln | head
-rwxr-xr-x 1 0 0 950896 May 18 2011 bash
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bunzip2
-rwxr-xr-x 1 0 0 1719048 Sep 1 12:02 busybox
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bzcat
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzcmp -> bzdiff
-rwxr-xr-x 1 0 0 2140 Dec 13 10:30 bzdiff
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzegrep -> bzgrep
-rwxr-xr-x 1 0 0 4877 Dec 13 10:30 bzexe
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzfgrep -> bzgrep
In the output above, if we say columns are separated by whitespace, columns three and four represent the uid and gid values of each ...
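The listing above makes the point that, in a system directory, every entry should normally carry uid 0 and gid 0. An examiner on a SIFT Workstation can turn that expectation into a quick check by parsing the third and fourth whitespace-separated columns of `ls -ln` output. The script below is an added example written for this page, not code from the original post: the function names `find_nonroot_owned` and `check_sample` are my own, and the listing in `SAMPLE_LISTING` is constructed for the demonstration (the two non-root entries are invented, not from any real system).

```shell
#!/bin/sh
# Added example (not from the original post): report entries in `ls -ln`
# output whose numeric uid (column 3) or gid (column 4) is not 0 (root).
# Reads a listing on stdin and prints "uid gid name" for each suspect entry.
find_nonroot_owned() {
    # Skip the "total N" summary line that ls prints first. Column 9 is the
    # file name; for symlinks $NF would be the link target, so $9 is used.
    awk '$1 != "total" && ($3 != 0 || $4 != 0) { print $3, $4, $9 }'
}

# Constructed sample listing (assumption: not taken from a real system).
# The first two lines mirror a healthy /bin; the last two simulate a file and
# a symlink in a system directory that are owned or group-owned by uid 1000.
SAMPLE_LISTING='total 12
-rwxr-xr-x 1 0 0 950896 May 18 2011 bash
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bunzip2
-rwxr-xr-x 1 1000 1000 8120 Jan 2 03:14 example-tool
lrwxrwxrwx 1 0 1000 6 Dec 13 10:30 bzcmp -> bzdiff'

# Run the check against the constructed sample. On a live image you would
# instead pipe real output, e.g.:  ls -ln /mnt/evidence/bin | find_nonroot_owned
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_nonroot_owned
}

check_sample
```

Running the script prints only the two constructed non-root entries (`1000 1000 example-tool` and `0 1000 bzcmp`); the root-owned lines are silent, which is the expected result for a clean system directory. Because the check keys on the numeric ids rather than names, it also works on a mounted evidence image whose /etc/passwd differs from the examination host.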
This is a series of blog articles that utilize the SIFT Workstation. The free SIFT Workstation can match any modern forensic tool suite and is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with...