SANS Digital Forensics and Incident Response Blog: Author - craigswright

What makes an expert?

I have recently been involved in a case where the argument came to one of who is an expert. This is not an uncommon attack when the issues at hand are not really in dispute and the opposing team wants to focus the case on other things. It may seem strange that a person with … Continue reading What makes an expert?

Erasing drives should be quick and easy

In the past years, I have seen many many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to have a means of recovering data using SEMs and AFM (electron microscopy will do) is incredible. The problem is that … Continue reading Erasing drives should be quick and easy

Linux Programming Tools

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system. In this event, the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console can be used to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. These may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

In many instances, systems

... Continue reading Linux Programming Tools

NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the "-b" option to select the file that is the baseline with the file to be tested using the "-o" option. The "-fmt" option selects the reporting format.

Ndiff can query the system's port states or even test for types of hosts and Operating Systems using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline ] [-o|-observed ]

[-op|-output-ports ] [-of|-output-hosts ]

... Continue reading NDIFF for incident detection

An anti-forensics dd primer

dd is the swiss army knife of file tools - with /dev/tcp it can also be a network tool (but nc is simpler).

First we need the basics for dd. For this we have the man page and some definitions. I have taken (blatantly paraphrased) the man file info for dd and included this below (which is simple to obtain - "man dd").

For the purpose of a task such as reversing files and swapping them, we need to concentrate on the following options:

  • bs - This is block size. Setting "bs=1" means that we can use dd as a bit level (instead of a block level tool). Although it does slow down the process from a block copy, we are not looking at how fast we can copy here.
  • skip - this tells us to skip "n" blocks. In our case, we want "n" bits.

What we are going to do is start at the value of "n" set to our last bit in the file. We will loop the dd function to next copy bit "n - 1", then "n - 2", ... to

... Continue reading An anti-forensics dd primer