Blog: SANS Digital Forensics and Incident Response Blog: Category - USB Device Analysis

Blog: SANS Digital Forensics and Incident Response Blog:

When Cases Involve SSNs and Credit Card Data: "Sensitive Data Search and Baseline" Python Script

A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patch work of legislation covering various types of data which is considered sensitive ( In general, social security and credit card numbers are at the top of the concern list. Since many states have encryption exemptions, a forensicator needs to know, does any media storage in the case have sensitive data in the clear?

Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to data exfiltation. Attackers commonly password protected and compressed the data as a .rar file. With strong passwords (32+ character pass-phrases) .rar files can be difficult to almost impossible to open with normal computing power.

Using a cross


Digital Forensics Case Leads: MBR Parser, VSC Toolset GUI, Memory Forensics Cheat Sheet & other goodness......

In this week's SANS Case Leads, we have a python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-)

If you have an item you'd like to contribute to Digital Forensics Case
Leads, please send it to


  • Jamie Levy (@gleeda) posted a script that she wrote that parses the MBR in order to help find MBR infectors. Read Jamie's Blog post. Grab the script here.

  • Jason Hale came up with a GUI front-end for Corey Harrell's batch scripts used to rip/examine Volume Shadow Copies, called VSC Toolset

  • DEFT Linux 7.1 was released earlier this month. Read the

Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics

Solid State Drives (SSD) Forensics continue as the top story this week. Two University researchers published shocking research that indicates that the firmware in SSDs can destroy forensic evidence as part of it's everyday functionality. Details in MUST Reads (upgrading this week from "Good Reads"). Apple made big news with the launch of new tablet (this week) and new laptop offerings (last week). We bring you news of forensic tools for the Mac. Plus, industrial espionage featuring Chinese spies paying American employees to steal intellectual property. And, do you have naked passwords?


  • MacQuisition 2.53 from BlackBag Technologies, is a forensic acquisition tool for legacy and new Mac hardware. The new version now supports Intel i5 and i7 processing architecture, enabling it to work with the latest Mac laptops and desktops. This update also offers dual boot options for working with new Intel powered Macs as well as legacy PowerPC Macs.

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktop, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV Satellite. Security honcho Bruce Schnier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a


Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said lets get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However if you want to do a deep dive in to the file structure, Internet usage or look deep in to the applications that are being used on the device and perhaps run some of your "favorite forensic tools" against it, I highly recommend complimenting your traditional