SANS Digital Forensics and Incident Response Blog: Author - jogorman

NCS vs DRN: ToorConX

Recently, a coworker and I wereprivileged with the opportunity to speak at theToorConXseminars on the topic of digital forensics. It was a 75 minute talk, to a smaller group the day before the main conference was to start. It was structured to be an environment with significantlymore interaction between the audience and the presenter.ToorCon

Coming into this sort of talk, the biggest problem is "What do I cover?". It would be foolish to think you are going to be able to have anyone come into the room having never been exposed to forensics in the past and walk out an expert. And at these sort of cons, you have many people that don't work in the field full time but rather have to go into it from time to time


NCS vs DRN - Educating the Client

As forensic analysis, our product is only as good as our input. And unfortunately, many times our input is not what we would hope for.

If you have worked many unauthorized access cases in the past, you know what I am talking about. These cases are my favorite to work honestly. Seeing the new methods used to compromise systems and the challenge of trying to find every way the system was affected is great. However, much of the evidence from these cases has issues that are common from one case to the next.

First response

For years now users have been taught that on the first sign of problems with their system, the best thing to do is run a full anti-virus check of the entire system. And for good measure, follow that up with an anti-malware scan or two. And for the most part users have got this message.

It is not just users that do this. How many times do you see companies with very informal incident response plans which leaves the process of what to do

... Continue reading NCS vs DRN - Educating the Client

New, Cool and Sexy vs. Dull, Repetitive and Necessary

Computer forensics has a tendency to focus on the new, the cool and the sexy. I call it the NCS.

Most training, books, blogs, articles and so on have a tendency to focus on the NCS. NCS holds the audience's interest so much better and is more fun to talk about.

Unfortunately, most work in computer forensics does not focus on NCS. Most of the work is on the dull, repetitive and the necessary. The DRN.

This column will talk about the DRN.


In the practice of digital forensics, each step has a tendency to build upon the last. While it's hard to make a call on the most important phase, reporting stands out.

The report is the output. It is what the layperson can access. The final product. The report is the culmination of all the work that has come before it and must be treated with the respect it deserves. Unfortunately, the report is also the prime example of the DRN to most people.

That said, let's lay out

... Continue reading New, Cool and Sexy vs. Dull, Repetitive and Necessary