SANS Digital Forensics and Incident Response Blog: Author - Chad Tilbury

Help Improve EDD - Encrypted Disk Detector!

Device acquisition may not be the sexiest phase of digital forensics, but it has the most number of pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of … Continue reading Help Improve EDD - Encrypted Disk Detector!


Memory Forensics Cheat Sheet

I recently wrote on my personal blog about some of the new updates to the SANS Forensics 508 course and included a link to a new memory forensics cheat sheet. By popular request, I am posting a PDF versionof the cheat sheet here on the SANS blog. Feedback is appreciated! Chad Tilbury, GCFA, has … Continue reading Memory Forensics Cheat Sheet


Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 3)

Application Specific Geo-location Web applications can often leave their own geo-location clues similar to those found via the mapping services. While mapping artifacts are largely consistent, geo-artifacts created by applications are more haphazard. Thus the number of available artifacts can be as numerous as the applications using geo-location services. To illustrate this, we will analyze … Continue reading Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 3)


Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 2)

Understanding Browser Artifacts Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time.Browser history is so useful, a … Continue reading Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 2)


Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)

[Author's Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats.In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was … Continue reading Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)