SANS Digital Forensics and Incident Response Blog: Daily Archives: Dec 24, 2008

Happy Holidays!! SANS SIFT Workstation Version 1.2 Released

SANS SIFT Workstation Overview

  • VMware Appliance

  • Ready to tackle forensics

  • Cross-compatibility between Linux and Windows

  • Forensic tools preconfigured

  • A portable lab workstation you can now use for your investigations

The SANS SIFT Workstation is a VMware appliance preconfigured with the tools needed to perform a forensic examination. It reads Expert Witness Format (E01), Advanced Forensic Format (AFF) and raw (dd) evidence images. The appliance is used in the Computer Forensic, Investigation, and Response course offered by SANS, where we teach analysts to examine core file system data and metadata structures so that they understand the FAT, NTFS and Unix/Linux file systems. As a result, their capabilities as a forensic analyst


The Exam Before Christmas

I wrote this as a joke for my local HTCIA chapter. Hope you all have a Merry Christmas.

'Twas the night before Christmas, when all through the lab
Not an examiner was working, except this tired crab.
All the evidence was filed and the forms were all signed,
In hopes that my work would soon be off my mind.

The drives were all wiped and in their special order,
With care taken not to be located next to the audio recorder.
I had documented I wrote to each sector a zero,
Knowing if it came up in court I would be a big hero.

When out of nowhere the doorbell did ring,
And I ran to the door opening it with a mighty swing.
It was my boss delivering me a brand new case,
And wanted it handled with utmost haste!

I hooked up the evidence to my write blocker,
I was moving so quick, just like a punk rocker.
Every action I took that was worthy of note,
Into my notebook the


Understanding Indirect Blocks in Unix File Systems

When I'm covering Linux Digital Forensics on the last day of Sec506 (that's my SANS Linux/Unix Security track, for those sluggards out there who haven't memorized the SANS course numbering scheme), questions always come up about the function of indirect blocks in standard Unix file systems (meaning ext2/ext3 on Linux, UFS on Solaris, FFS on BSD, and the others derived, directly or indirectly, from Kirk McKusick's original Fast File System in 4.2BSD). These questions generally arise in one of two contexts:

  • What's that extra information at the end of my istat output?
  • Why do I always need the -d option when using foremost on Unix file system images?
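Both questions come down to where the inode's block pointers run out and indirect blocks take over. The Python below is an added illustration, not code from the original post: it models the ext2/ext3 pointer layout (12 direct pointers in the inode, then one single-, one double- and one triple-indirect pointer, with 4-byte block addresses) and maps a file's logical block number to the pointer level that addresses it, counts how many indirect blocks a file of a given size needs, and lays out a contiguously allocated file so you can see the indirect block sitting in the middle of the data stream. The contiguous layout assumes, as a simplification, that the allocator places each indirect block immediately before the first data block it maps; real allocators can place them elsewhere, but the interruption of the data stream is the same.

```python
"""Ext2-style block pointer arithmetic (added example, not from the original post).

Assumptions (labelled): 12 direct pointers per inode, 4-byte block pointers,
and, for contiguous_layout(), an allocator that writes each indirect block
immediately before the first data block it addresses.
"""
from typing import Dict, List, Tuple

NDIR = 12          # direct block pointers held in an ext2/ext3 inode
PTR_SIZE = 4       # bytes per block pointer (32-bit block addresses)


def ptrs_per_block(block_size: int) -> int:
    """How many block pointers fit in one indirect block (1024 for 4 KiB blocks)."""
    return block_size // PTR_SIZE


def lbn_to_path(lbn: int, block_size: int = 4096) -> Tuple:
    """Map a logical block number of a file to the pointer level that addresses it.

    Returns ("direct", i), ("single", i), ("double", i, j) or ("triple", i, j, k),
    where each index selects a slot in the inode or in the indirect block at that level.
    """
    n = ptrs_per_block(block_size)
    if lbn < NDIR:
        return ("direct", lbn)
    lbn -= NDIR
    if lbn < n:
        return ("single", lbn)
    lbn -= n
    if lbn < n * n:
        return ("double", lbn // n, lbn % n)
    lbn -= n * n
    if lbn < n ** 3:
        return ("triple", lbn // (n * n), (lbn // n) % n, lbn % n)
    raise ValueError("logical block beyond the maximum file size for this block size")


def indirect_block_count(file_size: int, block_size: int = 4096) -> Dict[str, int]:
    """Count data blocks and indirect (metadata) blocks a file of file_size bytes needs."""
    n = ptrs_per_block(block_size)
    data = -(-file_size // block_size)            # ceiling division
    single = double = triple = 0
    rem = data - NDIR                             # blocks not reachable by direct pointers
    if rem > 0:
        single += 1                               # the single-indirect block itself
    rem -= n
    if rem > 0:
        double += 1                               # the double-indirect block itself
        single += -(-min(rem, n * n) // n)        # single-indirect blocks hanging off it
    rem -= n * n
    if rem > 0:
        triple += 1                               # the triple-indirect block itself
        double += -(-rem // (n * n))              # double-indirect blocks hanging off it
        single += -(-rem // n)                    # single-indirect blocks under those
    return {"data": data, "single": single, "double": double, "triple": triple,
            "total_meta": single + double + triple}


def contiguous_layout(first_block: int, file_size: int,
                      block_size: int = 4096) -> List[Tuple[int, str]]:
    """Physical block order of a contiguously allocated file, indirect blocks included.

    Simplifying assumption: each indirect block is allocated right before the first
    data block it points to. This is what makes a plain carve of the raw image pick up
    a block of pointers after the 12th data block instead of the 13th block of content.
    """
    data_blocks = -(-file_size // block_size)
    out: List[Tuple[int, str]] = []
    phys = first_block
    for lbn in range(data_blocks):
        path = lbn_to_path(lbn, block_size)
        # Emit the metadata blocks that must exist before this data block can be addressed.
        if path[0] == "triple" and path[1:] == (0, 0, 0):
            out.append((phys, "triple-indirect")); phys += 1
        if path[0] == "triple" and path[2:] == (0, 0):
            out.append((phys, "double-indirect")); phys += 1
        if path[0] == "double" and path[1:] == (0, 0):
            out.append((phys, "double-indirect")); phys += 1
        if (path[0] == "single" and path[1] == 0) or \
           (path[0] in ("double", "triple") and path[-1] == 0):
            out.append((phys, "single-indirect")); phys += 1
        out.append((phys, f"data[{lbn}]")); phys += 1
    return out


if __name__ == "__main__":
    # Constructed sample: a 64 KiB file on a 4 KiB-block file system, starting at block 1000.
    for phys, kind in contiguous_layout(1000, 64 * 1024):
        print(phys, kind)
    print(indirect_block_count(64 * 1024))
```

With 4 KiB blocks a file crosses into single-indirect territory at 48 KiB (block 12), into double-indirect at 12 + 1024 blocks, and into triple-indirect at 12 + 1024 + 1024*1024 blocks; the "Indirect Blocks:" list at the end of istat output is the set of metadata blocks this arithmetic predicts, and foremost's -d option exists so the carver can skip that pointer block rather than treating it as file content.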

It turns out that even people who've been using Unix for a long time are a little fuzzy on the subject of indirect blocks,