SANS Digital Forensics and Incident Response Blog: Author - johnhsawyer

Network Forensics On A Shoestring Budget Pt 1

By John Sawyer

Ever had that case where so many more questions could have been answered if you had recordings of network traffic to back up your other evidence? Yeah, me, too. Network forensics can be a really valuable tool, but commercial solutions don't come cheap. In this post and its follow-up, I'll be discussing how you can do network forensics in-house with little to no cost.

First off, what is network forensics? It is essentially an extension of computer forensics where network traffic is analyzed to back up answers or to answer questions that couldn't be answered by traditional disk-based forensics. There are two main approaches: capturing all data on the network and capturing just network flow data. Both approaches are valuable, with the former providing the best evidence because all traffic is recorded and deep packet analysis can be performed to determine what really happened. Files


Windows Physical Memory: Finding the Right Tool for the Job

I'm a big proponent of live incident response and forensic analysis, and as such, I've been following the Windows memory analysis field of research closely for the last 3 years. There have been leaps and bounds made over the last year with the release of many great acquisition and analysis tools; however, there are caveats that must be taken into consideration before simply inserting these tools into your investigations. You must know what you're doing, how the tools you're using will impact the system, and be able to explain those things to others, whether they be peers or jurors.

I also believe in having more than one "right" tool for the job, as it gives me choices as I conduct an investigation and it provides validation that each tool is doing what it should. Below is a comprehensive list of available tools accompanied by screenshots