SANS Digital Forensics and Incident Response Blog: Author - johnmccash

Copier Forensics in 2014: The Good, The Bad, and The Ugly

Recently, I had the opportunity to do forensic analysis on a HDD extracted from a Canon ImageRunner Advanced C5240 Multifunction Copier. After a story was broken by CBS News, back in 2010, it seemed likely that less would be available than is described in the copier forensic write-ups here and here. Nonetheless, I was hopeful. … Continue reading Copier Forensics in 2014: The Good, The Bad, and The Ugly


Hibernation Slack: Unallocated Data from the Deep Past

Hi Folks, I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, … Continue reading Hibernation Slack: Unallocated Data from the Deep Past


Forensically mining new nuggets of Google Chrome

I was recently creating some slides on Chrome forensics for a class I'm teaching, when I really discovered for the first time just how popular it's actually become. As of last month, according to http://www.w3schools.com/browsers/browsers_stats.asp, Chrome is not only 50% more popular than internet Explorer, but is actually neck and neck with Firefox (36.6% vs. … Continue reading Forensically mining new nuggets of Google Chrome


Ultimate Windows Timelining

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado... First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might … Continue reading Ultimate Windows Timelining


Extracting Event Logs or Other Memory Mapped Files from Memory Dumps

Since Windows Event Logs are actually mapped into the memory space of the services.exe process, it's relatively simple, now that appropriate analysis tools such as Memoryze/Auditviewer from Mandiant, or Volatility from Volatile Systems are available, to extract them from a memory dump for analysis. This can come in quite handy if the data from the HD is unavailable for some reason.

You can do this in either Volatility or in Auditviewer. I'll cover the Volatility method to start. (If you need to get and install Volatility from scratch, I recommend Jamie

...