SANS Digital Forensics and Incident Response Blog: Author - jmbutler1

The NOISY U3 Thumb Drive File Access behavior in Windows

So I have a timeline analysis. What file activity should I see when someone inserts a U3 type USB thumb drive in a computer? And why should I care?

I care because files accessed on the hard drive, or entries in the "Recent Documents" history, may tie directly to the time the thumb drive was plugged in. It turns out that U3 thumb drives run programs and write logs when plugged in, so there is file creation and/or modification the whole time the drive is inserted. Not only that, but cleanup routines run after it is pulled out, whether you exit nicely or just jerk it out.

You may wish to corroborate other evidence you have, from the registry for example, concerning the insertion of a particular drive. Or you may find files or file remnants that give you more information about the thumb drive that was inserted. To understand what happens on insertion, and to know where to look for files, I used Filemon [1] and recorded the file activity that

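The corroboration described above, as an added example (not code from the original post): take the insertion time recovered from another source (the USBSTOR registry key or the SetupAPI log) and pull the filesystem timeline events that fall in the window after it. The mactime-style timeline lines, the insertion time and every file name below are constructed placeholders; they are not the actual U3 artifacts the post goes on to list, and the launcher-log name is invented purely to stand in for "a log the drive keeps writing to while it is inserted".

```python
# Added example, not from the original post: correlate a filesystem timeline
# with a USB insertion time recovered elsewhere (registry / setupapi.log).
# All timeline lines, timestamps and file names are constructed placeholders.
from datetime import datetime, timedelta

# Constructed mactime-style timeline, one "timestamp,macb,path" per line.
# macb flags: m = modified, a = accessed, c = MFT entry changed, b = born (created)
TIMELINE = """\
2009-03-10 14:02:05,...b,C:/Documents and Settings/jdoe/Local Settings/Temp/placeholder_launcher.log
2009-03-10 14:02:06,m...,C:/Documents and Settings/jdoe/Local Settings/Temp/placeholder_launcher.log
2009-03-10 14:02:30,.a..,C:/Documents and Settings/jdoe/My Documents/clients.mdb
2009-03-10 14:03:12,.a..,C:/Documents and Settings/jdoe/My Documents/budget.xls
2009-03-10 14:09:47,m...,C:/Documents and Settings/jdoe/Local Settings/Temp/placeholder_launcher.log
2009-03-10 16:45:00,.a..,C:/WINDOWS/system32/notepad.exe
"""

# Constructed: the insertion time you would recover from the USBSTOR registry
# key or setupapi.log for the drive in question.
USB_INSERTED = datetime(2009, 3, 10, 14, 2, 0)


def parse_timeline(text):
    """Parse 'timestamp,macb,path' lines into sorted (datetime, macb, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, macb, path = line.split(",", 2)   # split at most twice: paths may contain commas
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), macb, path))
    return sorted(events)


def events_near(events, anchor, before=timedelta(minutes=1), after=timedelta(minutes=10)):
    """Events inside [anchor - before, anchor + after].

    The small 'before' margin absorbs clock skew between the registry or
    setupapi timestamp and the NTFS timestamps in the timeline."""
    lo, hi = anchor - before, anchor + after
    return [e for e in events if lo <= e[0] <= hi]


def documents_accessed(events, anchor, after=timedelta(minutes=10)):
    """User documents with an access ('a') timestamp in the window after
    insertion: candidates for 'opened or copied while the drive was in'."""
    return [path for _, macb, path in events_near(events, anchor, after=after)
            if "a" in macb and "/My Documents/" in path]


def last_activity(events, path_fragment):
    """Latest timestamp touching any path containing path_fragment.

    For a log the drive keeps writing to, this bounds how late the drive
    was still present (the post notes cleanup runs after removal too)."""
    hits = [t for t, _, p in events if path_fragment in p]
    return max(hits) if hits else None


if __name__ == "__main__":
    ev = parse_timeline(TIMELINE)
    for t, macb, p in events_near(ev, USB_INSERTED):
        print(t, macb, p)
    print("documents accessed while inserted:", documents_accessed(ev, USB_INSERTED))
    print("last launcher-log activity:", last_activity(ev, "placeholder_launcher.log"))
```

The window sizes are arbitrary starting points; in practice you would widen `after` until the drive-related activity stops, then treat the last write to the drive's own log as the earliest plausible removal time.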

Keeping Evidence Safe for Litigation

You have an incident. You have collected hard drives, USB drives, thumb drives, and PDAs. You made bit-for-bit images of all of them. Now, what do you do with the originals to ensure chain of custody?

First, make sure they are all stored inside anti-static bags, such as the ones hard drives are packaged in when new. Anti-static evidence bags can be bought, but the easiest thing to do is to wrap the device in a plain anti-static bag, then store the device, bag and all, inside an ordinary plastic evidence bag. Such bags are available from companies that sell them to law enforcement. [1] Just Google "Evidence Bags" for lots of choices. Here are the bags we use in my organization:

Lawyers Aren't So Bad, After All

This sentiment may vary depending upon which side of a case you are on. I have had the good fortune to work with several capable lawyers. It has been my experience that lawyers are good listeners when they need input from me concerning my field, forensics. The important thing is to make sure you have a good relationship with legal. The communication lines have to be open, no matter what you think of the "legal eagles" with whom you are dealing.

Just Push a Button...

I wrote code in a former life for a guy who ran a trucking firm. He didn't even know how to turn the computer on. However, when he wanted some new feature, his comment was, invariably, " should just be able to push a button


Using a Database as a Forensics Tool - Part 2 of 2

In my first post...

I discussed the value of importing discovered flat files into a database in order to analyze them for the legal team. I showed two files of mock data based on an actual case where we were able to tie together related fields of NPI/PII data to determine what the malicious user had stolen. We also discussed the need for legal to know which persons lost data and what type of data was exposed for each individual. Lawyers always want details!

In this post I will discuss the import procedure for Microsoft Access and some


Using a Database as a Forensics Tool - Part 1 of 2

What do you do when your computer forensic tool of choice (Autopsy, EnCase, FTK, etc.) helps you find, say, 40 million data records containing credit card numbers, dates of birth, SSNs, checking account numbers or similar non-public personal information (NPI)? What if those data are in flat files created by an employee who pulled them from a data source belonging to your organization? What next?

Simulation of "discovered" flat files patterned after an actual case

Query from table 1
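The database approach behind both "Using a Database as a Forensics Tool" posts (import the discovered flat files, join them on a common key, and report per individual which sensitive fields were exposed), as an added example that is not the posts' own code or data. The posts import into Microsoft Access; this example uses Python's built-in `sqlite3` as a stand-in so it runs anywhere. The two CSV "flat files", the column names and every record are constructed mock data, patterned only on the kind of fields the posts mention.

```python
# Added example, not from the original posts: load two discovered flat files
# into a database, normalise "which sensitive field was populated for whom",
# and answer legal's two questions: who lost data, and what type per person.
# All CSV content below is constructed mock data.
import csv
import io
import sqlite3

# Constructed "discovered" flat file 1: customer master with SSNs
CUSTOMERS_CSV = """cust_id,name,ssn
1001,Alice Example,123-45-6789
1002,Bob Sample,987-65-4321
1003,Carol Test,
"""

# Constructed "discovered" flat file 2: account export; note the duplicate
# row for 1001 and the blank card number for 1002
ACCOUNTS_CSV = """cust_id,dob,card_number
1001,1970-01-02,4111111111111111
1002,1980-03-04,
1001,1970-01-02,5500000000000004
"""


def load_csv(conn, table, text):
    """Create `table` from a CSV header row and bulk-insert the rows.

    Column names come from an evidence file, so they are checked before being
    interpolated into DDL; row values go through bound parameters."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if not all(col.isidentifier() for col in header):
        raise ValueError(f"unsafe column name in {table}: {header}")
    cols = ", ".join(f"{col} TEXT" for col in header)
    conn.execute(f"CREATE TABLE {table} ({cols})")
    placeholders = ",".join("?" * len(header))
    conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", list(reader))
    return header


def build_exposure(conn):
    """One (cust_id, data_type) row per populated sensitive field.

    DISTINCT and UNION collapse duplicate source rows, so a person who appears
    in several files or several times in one file is counted once per type."""
    conn.executescript("""
        CREATE TABLE exposure AS
            SELECT DISTINCT cust_id, 'SSN' AS data_type FROM customers WHERE ssn <> ''
            UNION SELECT DISTINCT cust_id, 'DOB' FROM accounts WHERE dob <> ''
            UNION SELECT DISTINCT cust_id, 'CARD' FROM accounts WHERE card_number <> '';
    """)


def per_person(conn):
    """{cust_id: (name, [exposed data types])}; people with no populated
    sensitive field still appear, with an empty list."""
    rows = conn.execute("""
        SELECT c.cust_id, c.name, GROUP_CONCAT(e.data_type, ',')
        FROM customers c LEFT JOIN exposure e ON e.cust_id = c.cust_id
        GROUP BY c.cust_id, c.name
        ORDER BY c.cust_id""").fetchall()
    return {cid: (name, sorted(types.split(",")) if types else [])
            for cid, name, types in rows}


def per_type(conn):
    """{data_type: number of distinct individuals exposed}."""
    return dict(conn.execute(
        "SELECT data_type, COUNT(DISTINCT cust_id) FROM exposure GROUP BY data_type"
    ).fetchall())


def analyze(customers_csv=CUSTOMERS_CSV, accounts_csv=ACCOUNTS_CSV):
    """Import both flat files and return (per-person report, per-type counts)."""
    conn = sqlite3.connect(":memory:")
    load_csv(conn, "customers", customers_csv)
    load_csv(conn, "accounts", accounts_csv)
    build_exposure(conn)
    return per_person(conn), per_type(conn)


if __name__ == "__main__":
    people, counts = analyze()
    for cid, (name, types) in people.items():
        print(cid, name, ",".join(types) or "(no sensitive data populated)")
    print(counts)
```

The same three queries scale to the tens of millions of rows the Part 1 post mentions; the only change for a real case is loading the files with the database's bulk importer instead of `executemany`, and adding one `UNION` branch per sensitive column found in the discovered files.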