SANS Digital Forensics and Incident Response Blog: Daily Archives: Aug 14, 2009

Two Days of SEC441 - Windows Forensics for ONLY $99

Special One Time Deal - $99

27-28 August 2009 in Atlanta, GA at GFIRST

REGISTER HERE: https://www.sans.org/registration/register.php?conferenceid=18758

____________________________________

SEC441 - Windows Forensics is a special class that is a short version of the extremely popular Forensic Courses at SANS (http://forensics.sans.org).

Investigations involving Windows-based operating systems occur every day. As a result, it is essential for an investigator to know

...


Artifact Timeline Creation and Analysis - part 2

In the last post I talked about the tool log2timeline, and mentioned a hypothetical case that we are working on. Let's explore in further detail how we can use the tool to assist us in our analysis.

How do we go about collecting all the data that we need for the case? In this case we know that the we were called to investigate the case only hours after the alleged policy violation, so timeline can be a very valuable source. Therefore we decide to construct a timeline, using artifacts found in the system to start our investigation, so that we can examine the evidence with respect to time. By doing that we both get a better picture of the events that occured as well as to possibly lead us to other artifacts that we need to examine closer using other tools and techniques.

To begin with you start by imaging the drive. You take an image of the C drive (first partition) and start working

...