Blog: SANS Digital Forensics and Incident Response Blog: Category - Linux IR

Blog: SANS Digital Forensics and Incident Response Blog:

HeartBleed Links, Simulcast, etc.

At SANS 2014 last night, I gave a quick briefing on the HeartBleed vulnerability that impacts the security of the Internet. I wanted to post a few links in the interim (until the webcast itself is published, which I'm told will be by 3PM EDT).

The slides are available here.

I have built a server in the cloud that exposes the vulnerability. You can access the server at until it gets taken down by the hosting provider (which seems inevitable). However, if your management needs to see this in action, please feel free to use the server to demonstrate the vulnerability.

Additionally, I took a packet capture that exposes the vulnerability. This is suitable for testing your IDS signatures against. Hopefully you find this useful as well. The packet capture can be


Getting Started with Linux Memory Forensics

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatilityand Mandiant


CaseLeads: China Cyber Espionage Exposed, Account Issues with Twitter and Plenty of Great How-To's

This week on Case Leads, we learn the truth of China's cyber espionage unit, Twitter verified accounts were hacked and there have been some updates to some of your favorite tools.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it


  • HMFTwas given a small update.

  • Autopsywas recently updated as well.

  • Passware can now extract passwords for certain popular websites from memory.

Good Reads:

Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators

Welcome to Digital Forensics Case Leads. Another a busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a foresicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using BitCoin? * A bevy of encryption tools *And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to "fix" the bug?

If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to

Good Reads/Listens:

  • Law Enforcement

Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id, uid and gid respectively, showing the file's owner and group. On most *nix systems files in system directories are uid and gid root, which is represented by the numeric uid and gid value of 0, see the sample listing below:

davehull@64n6:/bin$ ls -ln | head
total 9080
-rwxr-xr-x 1 0 0 950896 May 18 2011 bash
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bunzip2
-rwxr-xr-x 1 0 0 1719048 Sep 1 12:02 busybox
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bzcat
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzcmp -> bzdiff
-rwxr-xr-x 1 0 0 2140 Dec 13 10:30 bzdiff
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzegrep -> bzgrep
-rwxr-xr-x 1 0 0 4877 Dec 13 10:30 bzexe
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzfgrep -> bzgrep
In the output above, if we say columns are separated by whitespace, columns three and four represent the uid and gid values of each ...