SANS Digital Forensics and Incident Response Blog: Author - Joe Garcia

Digital Forensics Case Leads: A MiniFlame Has Been Lit, Learning a Language and New and Updated Tools.

In this week's SANS Case Leads, the new tool pyMFTGrabber is out, a MiniFlame has been lit, learning a language and more. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: The Sleuth Kit (TSK) 4.0 is out here. The Autopsy Forensic Browser is now …


Digital Forensics Case Leads: Identifying TrueCrypt volumes with Volatility, Malware that can sneak into VM's and more....

In this week's SANS Case Leads, malware that can sneak into virtual machines, watch those LastWriteTime timestamps, new tools, identifying TrueCrypt volumes with Volatility and much more. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: Joachim Schicht posted a utility that can manipulate …


Digital Forensics Case Leads: MBR Parser, VSC Toolset GUI, Memory Forensics Cheat Sheet & other goodness......

In this week's SANS Case Leads, we have a Python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-) If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: Jamie Levy …


Digital Forensics: Stuck on Stickies

Raise your hand if you've responded to a crime scene and had a suspect computer possibly involved in the crime. How many of you have responded to an incident where a victim's computer may have been compromised and needs to be analyzed but the victim is not available for questioning regarding user account information and passwords? How many of you have been taught, told or learned through experience to look for sticky notes attached to a monitor, on a computer tower case or even taped to the bottom of a keyboard?

The answer is probably most of you reading this. How many of you actually thought to look for the sticky notes of the digital variety? If you are organized, a neat freak or OCD like me, you hate a cluttered desk space. If that is the case, you have probably gone paperless. You scan your desk for whatever little bits of tree pulp may cross your gaze, sticky notes included. I (and many others) don't use physical sticky notes anymore, having switched to computer

…


Digital Forensics Reporting: CaseNotes Walkthrough/Review

One important aspect of Digital Forensics is reporting. There are many reasons for this. One is to keep track of work that you have done during analysis. Another is if you are working on a case and it ends up getting reassigned to another examiner, they can look over your notes and will know what you've done, how you've done it, when you've done it and what the results were up to that point of transfer. The most important reason though, is for your appearance in court to testify on a case. Now as most of us know, there are many cases that never make it to trial or end up getting settled out of court. That is no excuse to be lax in your reporting. Each case should be treated like it will go the distance.

With that said, I, like most, have taken my notes by hand. I find that handwritten notes tend to become sloppy in the long run. While taking notes, if you run out of room and don't have another clean sheet of paper handy to continue you may end up writing in

…