SANS Digital Forensics and Incident Response Blog: Author - craigswright

Using HELIX LIVE for Windows

by Craig Wright

The following is a simple introduction to starting Helix Live for Windows.

If the CD autorun feature is enabled, a Helix license window should appear. If autorun is disabled, you can run Helix by double-clicking the helix.exe file on the CD. Newer versions of Helix are available, but the process is basically the same.

The Helix Live function is used to collect volatile data (evidence), and in cases where the system cannot be shut down. Whenever you work on a live system, you need to take care to minimize any changes to the system. Changes always occur on live systems; just letting a system run creates change.


Code skills make better Forensic Analysts

by Craig Wright

I know I am pushing something up a hill here in suggesting this, but .Net coding in a Windows environment and general coding skills for Linux should be a goal for all forensic analysts to learn. These are essential skills. In fact, they make life far easier if you can write code and think creatively. It is also not difficult to learn how. The ACM and IEEE both offer members free CBT courses on this topic.

I have recently noticed a number of conversations around reading Windows Event logs. The difficulty in extracting events and the limitations of the commercial tools are frequently mentioned. The reality is that it is a simple task that has been incorporated into the .Net framework since version 1.0 first came out. Classes and libraries are available for this very task. There are

...


Code in a Flash

by Craig Wright

Recently I have been involved with the analysis of a number of rogue web sites linked to a fast flux network. Tracking websites is hard enough, but the process of analysing the Flash code and other scripts has been a headache in the past. There are a number of tools that can be used (mostly commercial, though there are some open ones on the OWASP site). The issue is that few of these help to filter the content of the code.

In small cases, this is not an issue. Decompiling Flash when there are only one or two files to verify is easy. The problem comes when you have several hundred (or more) sites with a variety of code samples - some good, some bad, and no easy way to determine which is which.

In the past this has been a process of decompiling all of the samples (where a hash cannot be used to show that the files are the same) and

...


SQL Rootkits


Forensics and Data Access Auditing

by Craig Wright

Data access auditing is a surveillance control that intersects with forensics and incident handling. In all events, the same level of care needs to be taken as any event can lead to a forensic engagement. By monitoring access to all sensitive information contained within the database, suspicious activity can be brought to the examiner's awareness. Databases commonly structure data as tables containing columns (think of a spreadsheet, only more complex). Data access examinations should address six questions:

  1. Who accessed the data?
  2. When was the data accessed?
  3. How was the data accessed? (That is, which computer program or client software was used?)
  4. Where was the data accessed from? (That is, the location on the network or Internet.)
  5. Which SQL query was used to

    ...