SANS Digital Forensics and Incident Response Blog: Author - Gregory Pendergast

Digital Forensics Case Leads: File Systems, Memory Forensics, and a Pedophile Ring Dismantled

This week, we have a wealth of File System information, new and old, updates to the popular and versatile RegRipper program, and some very promising research in the area of memory forensics. But the best news, by far, is the success of Operation Rescue in taking down a substantial world-wide child exploitation ring. We applaud …


Digital Forensics Case Leads: Intruder Alert! Intruder Alert!

Seven years ago, in the Preface to his The Tao of Network Security Monitoring, Richard Bejtlich wrote: Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Fast forward to 2011, and we find McAfee saying, in the executive …


Digital Forensics Case Leads: Ready, Forensicate, Aim

Ready. Forensicate. Aim. Okay, seriously, don't do that. You know the correct order, right? If not, Chris Pogue spent part of last year presenting on the Sniper Forensics methodology, developed by the incident response team at TrustWave's SpiderLabs, and has what you need. Even if you already know the proper order is Ready, Aim, Forensicate, …


Digital Forensics Case Leads: The Community Needs You

I don't know. I don't know. I don't know.

That little phrase, more than most others in the English language, has an amazing potential to be either mindbogglingly empowering or cripplingly demoralizing. A great deal of the difference depends on emphasis. Do you dwell on the fact that you don't have the knowledge and don't have "the time" to find the answer? Or do you focus on the opportunity to gain knowledge and make new discoveries? Do you hesitate or hold back because there are things you don't know? Or do you have a good grip on the fact that none of us know everything (or even most things)?

The answers to those questions have a lot to do with how and whether you decide to contribute to the digital forensics community (or any community). So I've focussed this week on using the various links I've compiled to illustrate how people can begin contributing to the community in ways that don't

...


Review: Mandiant's Incident Response Conference (MIRCon) Day 2

The first Mandiant Incident Response Conference (MIRCon) is now in the bag, so to speak. It was an impressively valuable and fun-filled two days, and I have to thank Mandiant once again for throwing down on an excellent shindig. As with my review of Day 1, I'll recap some highlights from the various presentations. Those of you who weren't able to attend may also be interested in the recap webinar that Mandiant is presenting next week (Oct. 19): State of the Hack: The Hangover - What REALLY happened at MIRCon.

The Day 2 keynote was delivered by Gordon Snow, Assistant Director of the FBI's Cyber Division, who spoke about the

...