SANS Digital Forensics and Incident Response Blog: Author - Chad Tilbury

NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity. One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design. One such feature is the Windows NTFS Index Attribute, also known as the … Continue reading NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

Live Memory Forensic Analysis

As memory forensics has become better understood and more widely accomplished, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner. Better interfaces, documentation, and built-in … Continue reading Live Memory Forensic Analysis

Computer Forensic Artifacts: Windows 7 Shellbags

As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration … Continue reading Computer Forensic Artifacts: Windows 7 Shellbags

Computer Forensics How-To: Microsoft Log Parser

As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love … Continue reading Computer Forensics How-To: Microsoft Log Parser

Digital Forensics How-To: Memory Analysis with Mandiant Memoryze

Mandiant's Memoryze tool is without question one of the best forensic tools available. It is an incredibly powerful memory analysis suite that should be part of every incident responder's toolkit. It's free, but requires some patience to traverse the learning curve. Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts that operate on a completely different level than most of us mere mortals. In this post I'll cover how to get started with Memoryze, because if you haven't added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.

Getting Started

The first step is to go out and download the tool. An important thing to keep in mind is that Memoryze actually consists of two components: Memoryze and Audit Viewer. Each must be downloaded individually from the free tools section of the Mandiant