SANS Digital Forensics and Incident Response Blog: Daily Archives: Oct 15, 2010

Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

SANS is pleased to announce our most popular new course of 2010, Forensics 408:
Computer Forensics Essentials, in Long Beach, CA, from December 6 - 11. The course
will be taught by certified SANS instructor and co-author of this course, Chad Tilbury.
For complete course information and to register, please visit (

Save $400 on tuition fees when you register for this course by October 27.

Forensics 408: Computer Forensic Essentials focuses on the critical knowledge that a
computer forensic investigator must know to investigate computer crime incidents successfully.
You will learn how computer forensic analysts focus on collecting and analyzing data from
computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

Course Details:
Dates: December 6 - 11
Course: SANS Forensics 408: Computer Forensics Essentials

... Continue reading Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

Solaris Forensics: Part 1


Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involves:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that

... Continue reading Solaris Forensics: Part 1

Review: Mandiant's Incident Response Conference (MIRCon) Day 2

The first Mandiant Incident Response Conference (MIRCon) is now in the bag, so to speak. It was an impressively valuable and fun-filled two days, and I have to thank Mandiant once again for throwing down on an excellent shindig. As with my review of Day 1, I'll recap some highlights from the various presentations. Those of you who weren't able to attend may also be interested in the recap webinar that Mandiant is presenting next week (Oct. 19): State of the Hack: The Hangover - What REALLY happened at MIRCon.

The Day 2 keynote was delivered by Gordon Snow, Assistant Director of the FBI's Cyber Division, who spoke about the