SANS Digital Forensics and Incident Response Blog: Author - Keven Murphy

Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

FRAC is a GPLv2 project that can run remote commands across a Windows enterprise network. It consists of a Perl script, basic configuration files, and an SMB share. It uses PAExec or Winexe to connect to the remote machines, and then runs the commands required. It doesn't require a powerful system to run from, but does require lots of disk space if it has been configured to collect files. FRAC can run on the Linux, *NIX, and OSX using Winexe to connect to the remote Windows machines. Continue reading Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

In the course of an incident incident responders will have to retrieve files from a machine in a forensically sound manner. RIFT copies files from a subject machine in a forensically sound manner using the Sleuthkit toolset. By simply running RIFT with a regex list of file names or directories, specific files and folders are targeted for extraction. For each match, icat is then used to copy the file or folder to a drive/share other than the C drive. Continue reading Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

Solaris Digital Forensics: Part2

This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at

Reading ls output

Being able to correctly read the ls command's output is critical for moving around the OS and to looking for signs of compromise. As you go through the filesystem, keep in mind you may not be truly seeing an accurate picture of the filesystem. If the machine has a rootkit installed on it, some of the files and directories may be hidden.

In the UNIX filesytem we have some basically defined file types:

  • Regular files
  • Directories
  • Symbolic Links (hard and soft)
  • Device


Solaris Forensics: Part 1


Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involves:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that

... Continue reading Solaris Forensics: Part 1

Custodians of Digital Evidence

Let's think like a system administrator for a moment....

Here is the scenario:

You're the corporate incident handler/digital forensics person and you've just finished your latest case. The finished forensics report has been handed off to your boss, human resources, and the legal team. You are looking at your raid 5 volume with all of the data the case generated. With 500 gigabyte drives and terabyte drives almost a standard now, the case data might be nearly that big. So you back up your data and tools you used on the case to your DLT tape drive or another hard drive, wipe your drives, and pack the media away for storage.

Now it is four and half years later, legal counsel calls you into their office to tell you that the ex-employee has decided the sue. Not a problem, you've got your all of the case data backed up. It is just a matter of restoring it and providing copies to counsel as required.

But here is the problem, the DLT drive you have been using,

... Continue reading Custodians of Digital Evidence