SANS Digital Forensics and Incident Response Blog: Author - craigswright

Hard Drive Errors and Replacements

Many poor-quality hard disk drives reach the market, especially "bleeding edge" models, and these drives fail often. For the average individual or corporation this is bad enough (and worse when no backup has been made). For the forensic analyst it can be devastating, at least if you do not know what must be done.

A common problem is preamplifier failure, which generally causes the drive to produce a clicking or hissing noise. A head-stack failure can produce the same sound. In this post I will detail some of the issues and steps associated with replacing a drive's head stack or preamplifier.

The first step is to open the drive and access its internals. This voids the warranty, but in a forensic examination the ability to have the drive replaced is of little concern. Before opening it, ensure that you have a clean work area.

A clean room is not necessary.

...


Live Investigations


Simple Anti-Forensic and Signature stamping techniques using Unicode

by Craig Wright

The introduction of Unicode characters (such as Persian, Cyrillic and Arabic letters) has provided both a simple means of fingerprinting intellectual property (signature stamping) and a very simple steganographic data-hiding technique: a Cyrillic letter that renders identically to its Latin look-alike is invisible to a reader but distinct in the underlying bytes, so swapping selected letters marks a copy without visibly altering it.

The following is an extract from the Cyrillic Unicode character set [1].

Unicode #   Character   Name

0410        А           CYRILLIC CAPITAL LETTER A

0430        а           CYRILLIC SMALL LETTER A

0412        В           CYRILLIC CAPITAL LETTER VE

0415        Е           CYRILLIC CAPITAL LETTER IE

0435        е           CYRILLIC SMALL LETTER IE

041C        М           CYRILLIC CAPITAL LETTER EM

041E        О           CYRILLIC CAPITAL LETTER O

043E        о           CYRILLIC SMALL LETTER O

0420        Р           CYRILLIC CAPITAL LETTER ER

0440        р

...
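The technique the post describes, worked through as an added Python example (this is not code from the original post): the Latin/Cyrillic look-alike pairs from the extract above are used to stamp a text with a per-copy bit pattern, to read the pattern back, and, on the examiner's side, to flag letters and words that come from a script the document should not contain. The sample sentence, the 8-bit recipient ID and the function names are constructed for the demonstration and are not from the post.

```python
"""Homoglyph signature stamping, extraction and detection.

Added example (not code from the original post). It uses only the
Latin/Cyrillic look-alike pairs listed in the post's extract; the sample
sentence and the 8-bit recipient ID below are constructed for the demo.
"""
import unicodedata

# Latin letter -> visually identical Cyrillic letter (code points from the extract)
HOMOGLYPHS = {
    "A": "\u0410", "a": "\u0430",   # CYRILLIC CAPITAL/SMALL LETTER A
    "B": "\u0412",                  # CYRILLIC CAPITAL LETTER VE
    "E": "\u0415", "e": "\u0435",   # CYRILLIC CAPITAL/SMALL LETTER IE
    "M": "\u041c",                  # CYRILLIC CAPITAL LETTER EM
    "O": "\u041e", "o": "\u043e",   # CYRILLIC CAPITAL/SMALL LETTER O
    "P": "\u0420", "p": "\u0440",   # CYRILLIC CAPITAL/SMALL LETTER ER
}
REVERSE = {cyr: lat for lat, cyr in HOMOGLYPHS.items()}


def stamp(text, bits):
    """Signature stamping: at the i-th letter that has a Cyrillic twin, emit
    the twin if bits[i] == '1', otherwise keep the Latin letter. The rendered
    document looks unchanged; the bytes do not."""
    out, i = [], 0
    for ch in text:
        if ch in HOMOGLYPHS and i < len(bits):
            out.append(HOMOGLYPHS[ch] if bits[i] == "1" else ch)
            i += 1
        else:
            out.append(ch)
    if i < len(bits):
        raise ValueError("not enough substitutable letters for %d bits" % len(bits))
    return "".join(out)


def extract(text, nbits):
    """Recover the stamped bits: Latin letter with a twin -> '0', Cyrillic twin -> '1'."""
    bits = []
    for ch in text:
        if ch in HOMOGLYPHS:
            bits.append("0")
        elif ch in REVERSE:
            bits.append("1")
        if len(bits) == nbits:
            break
    return "".join(bits)


def normalize(text):
    """Fold Cyrillic twins back to Latin so two copies can be diffed by content."""
    return "".join(REVERSE.get(ch, ch) for ch in text)


def foreign_letters(text, expected="LATIN"):
    """Examiner's check: every letter whose script prefix (the first word of
    its Unicode character name) is not the expected one. This also catches a
    word whose letters were all swapped, which a mixed-script test misses."""
    hits = []
    for idx, ch in enumerate(text):
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name.split(" ")[0] != expected:
                hits.append((idx, ch, "U+%04X" % ord(ch), name))
    return hits


def mixed_script_words(text):
    """Words whose letters come from more than one script: the classic
    homoglyph tell (Cyrillic letters sitting among Latin ones)."""
    flagged = []
    for word in text.split():
        scripts = {unicodedata.name(c, "").split(" ")[0] for c in word if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged


# Constructed sample: 15 of its letters have Cyrillic twins, room for an 8-bit ID.
SAMPLE = "Please keep a copy of the report"
RECIPIENT_ID = "10110010"   # constructed per-copy marker


def demo():
    stamped = stamp(SAMPLE, RECIPIENT_ID)
    return {
        "stamped": stamped,
        "bits": extract(stamped, len(RECIPIENT_ID)),
        "foreign": foreign_letters(stamped),
        "mixed_words": mixed_script_words(stamped),
        "restored": normalize(stamped) == SAMPLE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two caveats for the examiner: the foreign-letter check assumes the document is supposed to be single-script, so a legitimately bilingual file needs a per-paragraph expectation instead; and Unicode normalization (NFC/NFKC) does not fold Cyrillic letters to their Latin look-alikes, so the stamp survives copy-and-paste but is lost if the text is retyped or OCR'd.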


A Step-by-Step introduction to using the AUTOPSY Forensic Browser

by Craig Wright

This is a brief tutorial on using the Autopsy Forensic Browser as a front end for The Sleuth Kit. It is an essential tool for Linux-based forensic investigations and can also be used to analyze Windows images.

We start from the assumption that you have the toolkit (The Sleuth Kit and Autopsy) installed, whether from a live CD such as Helix or on a forensic workstation. Autopsy is built into the SANS Investigative Forensic Toolkit Workstation (SIFT Workstation), which you can download from forensics.sans.org; there you start Autopsy by clicking the magnifying glass in the upper right corner.

Step 1 - Start Autopsy

...


System Scanner

by Craig Wright

System Scanner (available from http://www.codeproject.com/w2k/system_scaner.asp) is designed as a replacement for Task Manager. For the forensic or incident-handling professional, its value is that it allows virtual memory to be dumped at a point in time on a Windows system.

Figure 1: System Scanner provides a visual map of a system's virtual memory


The Windows Task Manager cannot fetch the more specific process information that System Scanner supplies (such as the IDs of all threads, handles to loaded DLLs, the ability to suspend specific threads of a specific

...