SANS Digital Forensics and Incident Response Blog: Author - jhamcorp

Network Forensics Puzzle Contest!

By Jonathan Ham

*Prizewinner to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.


Security staff have been monitoring Ann's activity for some


Fingerprinting Systems with Firewall Logs

By Jonathan Ham

How can you investigate a computer that isn't there any more?

A lot has been written about methods for "fingerprinting" systems with active scanning methods (e.g. nmap). These of course require that the system be actively reachable, and that you don't mind totally giving away your position with a very noisy scan (sort of like shooting a shotgun directly at a suspect to see if you can get him to look at you, in hopes that you'll catch a glimpse of his face).

A lot has also been written about more covert ways of achieving the same goal, based on packets surreptitiously captured from the host of interest (à la p0f). This is certainly very cool, and can be inordinately useful... if you happen to have packet captures from the host of interest, or can begin to get them. (Either you


Acquisition is Dead, Long Live Acquisition

Sign up to take Sec558: Network Forensics at SANSFIRE!

By Jonathan Ham

Ahh, Acquisition. What a breeze, huh? We just dd (or dcfldd) the drive, store it all away with MD5 sums in a locker somewhere, and breeze through our work. Sometimes I wonder why they actually pay us for such trivialities!

And then reality hits:

The investigator found the attacker system, unplugged it, and brought it here... But the drive was encrypted with