SANS Digital Forensics and Incident Response Blog: Author - craigswright

Forensic Mining

The creation of quantitative models and techniques in Information Systems Security, let alone Digital Forensics, is a field in its infancy. The prediction of threats is oft touted as being too difficult due to a shortage of data and the costs associated with collecting and analyzing data for a site. What we are missing is the capability to create associative rules that will enable this field to be correctly perceived as a science and not an art.

A key feature in the acceptance and uptake of digital forensics is the ability to replicate the results of an engagement.

It has been deduced that three main problems exist within the analytical process involved with Information Systems security (Valentino, 2003):


Cisco Router Forensics

The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves issuing the "show" commands and collecting data such as logs and network activity records. Some of this information is detailed below.

Show Commands

Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:

  • show clock detail
  • show version
  • show running-config

The future of digital forensics

The concept behind the memristor has been around for a long time, but they are only now starting to be built. HP's recent breakthroughs in this long-touted technology will radically change the face of computing in the years to come, allowing Moore's law to continue and accelerating the advance of storage and memory space. Memristors combine several advantages of memory and disk-based storage into a single unit. Basically, think of combining a flash hard drive and DRAM into one package.

Great, new tech, but how does this really impact forensics and security?

The answer is mind-blowing when you think about it. Not only will the fundamentals of computational theory change when long-term and short-term memory start to combine, but memory will become static.

What occurs when you pull the


How math can help with forensics

Data mining, text mining and network association are all statistical tools that have come into their own as the sheer quantity of available computational power increases. True, you do not need to have a strong basis in math to use these programs, but math can help determine where they may be used.

Text data mining takes the standard associative keyword-based search techniques and increases their effectiveness through the ability to map associations with other words and to create visual representations of the data. This allows an investigator to drill down into previously undetermined associations and also allows the investigator to analyze immense amounts of data. One of the problems in the past has been how to represent this data.

This is where visualisation technologies come into play. These allow the investigator to uncover previously hidden relationships in the data. More importantly, the visualisation techniques that are available today make the reporting


CSI Stick - So who has a copy of your phone?

Most people I know will not loan out their phone, but they will leave it lying around. The standard responses to this are "my screen is locked" and "I am only gone for a few minutes". These were never particularly good excuses, but now they have gotten worse.

Paraben has released a tool it calls the CSI Stick, Cellular Seizure Investigation Stick, in order to simplify the acquisition process for mobile devices. The device is inexpensive, compact and simple; these are its strengths. The problem is that this provides a means to simply capture the data from other people's phones quickly without being a forensic expert. In fact, the device can capture:

CSI Stick from Paraben