Blog: SANS Digital Forensics and Incident Response Blog: Category - Uncategorized

Digital Forensics Practitioners Take Note: MS DLL Hijacking

DLL Hijacking Issue Gets Out Of Band Fix / Work Around From Microsoft

Though not as simple for attackers to pull off as today's drive-by exploits (successful exploitation requires that a user first be tricked into visiting an untrusted WebDAV server in the Internet Zone and then double-click a file of any type), this vulnerability lets an attacker cause a malicious file to be executed on the user's PC.

Because this is not an enabler of traditional drive-by hacking, many dismissed the severity of this vulnerability. However, given the recent publication of a Microsoft Advisory, Insecure Library Loading Could Allow Remote Code Execution, an initial workaround published last week and a new tool released

...

SANS Computer Forensic/IR Summit on 7-8 July: Last Call

Computer Forensic and Incident Response Blog Readers:

Two years ago SANS had only one course, 900 certified individuals, and no summits planned. In 2009 we have expanded to 6 forensics and IR courses, created a real curriculum path to follow, brought in more industry-known expert instructors, planned two summits, now maintain over 1500 certified individuals, and GCFA is about to become accredited under ANSI 17024. We have come far, but our work is not done yet.


We are only a few weeks away from the Computer Forensic

...

Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.


FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (

...

Facebook Forensics

by Jeff Bryner


Like most, I recently read the story of the EMT who posted a grisly picture to Facebook via his mobile phone. This got me thinking about social network forensics. I just happened to have joined Facebook (am I the last one?) and being of forensic mind... this post.

The issue that brings forensics into the case? The claim is that his post was accidental and unintentional.

Now Facebook has a long history of privacy misunderstandings, and being a brand new user I can attest that it's nearly impossible at first glance to determine the privacy of the items you post. Is

...