SANS Digital Forensics and Incident Response Blog: Author - mchurchill

Digital Forensics: Introducing ForensicArtifacts.com

There always seem to be common questions asked on forensic mailing lists, forums, and blogs. One of them is, "Does anyone have contact information for ABC company?" Another is, "Has anyone dealt with ABC program, or does anyone have a whitepaper for it?" The first question is answered by the ISP list at Search.org. The second question didn't have a unified source of information - until now.

The website ForensicArtifacts.com was recently launched to provide a reference database for forensic examiners looking for specific information on artifacts of operating systems, programs, and user activity. The site was set up in a blog format, allowing examiners to subscribe to the RSS feed or simply visit the site and use the global search function. There is also a


Computer Forensics: Using Evidence Cleaners to Find Artifacts

I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many can argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.

CCleaner used to store its settings in the Registry, but now uses .INI files to make the application portable. This is a great asset to forensic examiners who like to research new artifacts: the cleaning rules spell out which files, folders, and Registry keys each supported program leaves behind. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this
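As an added example (not CCleaner's code and not code from the original post), the parser below reads a winapp.ini-style rule file and lists every file location and Registry key the cleaner would touch, which is exactly the artifact list an examiner is after. It assumes the winapp.ini layout as this editor understands it: one [section] per program, `Detect=` a Registry key whose presence identifies the program, `Default=True/False`, `FileKeyN=<dir>|<mask>[|RECURSE]` and `RegKeyN=<key>[|<value name>]`. The sample rules are constructed for the example, the `%VAR%` mapping in `to_image_path` assumes a Vista-or-later profile layout, and the function names are this example's own.

```python
"""Pull artifact locations out of a CCleaner-style winapp.ini / winapp2.ini.

Added example for this page; not CCleaner's code and not code from the original
post.  The rule layout assumed here (one [section] per program,
Detect=<registry key>, Default=True/False, FileKeyN=<dir>|<mask>[|RECURSE],
RegKeyN=<key>[|<value name>]) is the winapp.ini convention as the author of
this example understands it; check it against the real file you download.
"""
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in winapp.ini style (not a real CCleaner file).
SAMPLE_INI = """
[Firefox - Cache]
LangSecRef=3026
Detect=HKCU\\Software\\Mozilla\\Mozilla Firefox
Default=True
FileKey1=%LocalAppData%\\Mozilla\\Firefox\\Profiles\\*\\cache2|*.*|RECURSE

[Windows - Run History]
LangSecRef=3025
Default=True
RegKey1=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU

[7-Zip]
LangSecRef=3021
Detect=HKCU\\Software\\7-Zip
Default=False
RegKey1=HKCU\\Software\\7-Zip\\FM|PanelPath0
RegKey2=HKCU\\Software\\7-Zip\\FM|PanelPath1
FileKey1=%AppData%\\7-Zip|*.*
"""


@dataclass
class Artifact:
    section: str                # program / feature the cleaner rule belongs to
    kind: str                   # "file" or "registry"
    location: str               # directory (with %VARS%) or registry key
    detail: str                 # file mask, or registry value name ("" = whole key)
    recurse: bool               # FileKey marked RECURSE: subdirectories too
    enabled_by_default: bool    # Default=True means a stock install wipes it
    detect_key: Optional[str]   # presence check the cleaner uses for the program


_KEY_RE = re.compile(r"^(filekey|regkey)\d+$")


def parse_winapp(text: str) -> List[Artifact]:
    """Turn every FileKey/RegKey rule into an Artifact record."""
    # interpolation=None: the '%' in %LocalAppData% is not a configparser substitution.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    records = []
    for section in cp.sections():
        detect = (cp.get(section, "Detect", fallback=None)
                  or cp.get(section, "DetectFile", fallback=None))
        enabled = cp.get(section, "Default", fallback="False").lower() == "true"
        for opt, value in cp.items(section):    # option names come back lowercased
            m = _KEY_RE.match(opt)
            if not m:
                continue
            parts = value.split("|")
            if m.group(1) == "filekey":
                records.append(Artifact(section, "file", parts[0],
                                        parts[1] if len(parts) > 1 else "*.*",
                                        any(p.upper() == "RECURSE" for p in parts[2:]),
                                        enabled, detect))
            else:
                records.append(Artifact(section, "registry", parts[0],
                                        parts[1] if len(parts) > 1 else "",
                                        False, enabled, detect))
    return records


# Where the %VARS% land on a Vista+ profile; an assumption of this example,
# adjust for the OS version of the image you are working.
_ENV_LAYOUT = {
    "appdata": r"{profile}\AppData\Roaming",
    "localappdata": r"{profile}\AppData\Local",
    "userprofile": r"{profile}",
    "windir": r"{system}\Windows",
    "programfiles": r"{system}\Program Files",
    "systemdrive": r"{system}",
}


def to_image_path(location: str, profile_root: str, system_drive: str) -> str:
    """Rewrite %VAR% tokens into a path under the mounted image.

    Unknown variables are left untouched so the examiner sees what to resolve."""
    def sub(m):
        tmpl = _ENV_LAYOUT.get(m.group(1).lower())
        return m.group(0) if tmpl is None else tmpl.format(profile=profile_root,
                                                           system=system_drive)
    return re.sub(r"%([A-Za-z]+)%", sub, location)


if __name__ == "__main__":
    for a in parse_winapp(SAMPLE_INI):
        where = to_image_path(a.location, r"E:\Users\alice", "E:") if a.kind == "file" else a.location
        print(f"[{a.section}] {a.kind:8} {where} {a.detail} "
              f"{'RECURSE' if a.recurse else ''} (default={'on' if a.enabled_by_default else 'off'})")
```

Rules with `Default=False` are worth a second look: a stock CCleaner run leaves those artifacts alone, so they survive on a machine whose user "cleaned up" before handing it over.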

...


People Searches

In the course of assisting corporations with their incident response activities, we are occasionally asked to help find information about employees that might reside on the internet. During a computer exam for an employee threats case, we found activity on Facebook, Twitter, and two different webmail accounts. We captured the public facing social media pages and included them as part of our exam report.

While this is nowhere near new territory, it may be useful to compile a quick hit list of websites to quickly and efficiently build a profile of an individual's social media and internet use. In our case, if the person of interest made public threats outside the business as well as the private threats that occurred inside the business, we needed to find them as quickly as possible and make sure we had them documented.

Here are some good places to start your search:

Social Media


Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool in RegRipper, and it's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose: parse the Windows Registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the Registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post, or simply know that his code allows RegRipper to look at a mounted drive, find the Windows
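The first job of any mounted-drive mode is locating the hives on the volume before anything can be ripped. The added example below (not Adam James's code and not part of RegRipper) does that in Python: it walks a mount point case-insensitively, because a Linux mount of an NTFS volume may expose either `Windows` or `WINDOWS`, and emits one `rip.pl -r <hive> -f <profile>` line per hive found. It assumes the standard hive locations (system hives in `Windows\System32\config`, `NTUSER.DAT` in each profile, `UsrClass.dat` under `AppData\Local\Microsoft\Windows`, or `Local Settings\Application Data` on XP) and that rip.pl profiles named system, software, sam, security, ntuser and usrclass exist in the installed plugin set. The sample volume it builds is a constructed directory tree of empty placeholder files, not real hives.

```python
"""Find the registry hives on a mounted Windows volume and build the RegRipper
command lines to parse them, the first step a "WindowsRipper" style wrapper
has to take.

Added example for this page; not Adam James's code and not part of RegRipper.
Assumptions: system hives live in Windows\\System32\\config, user hives are
NTUSER.DAT in each profile and UsrClass.dat under AppData\\Local\\Microsoft\\Windows
(Local Settings\\Application Data on XP); the rip.pl profile names used below
(system, software, sam, security, ntuser, usrclass) are assumed to exist in the
installed plugin set.  Name matching is case-insensitive because a Linux mount
of an NTFS volume may expose either case.
"""
import os
import tempfile
from typing import Dict, List, Optional

SYSTEM_HIVES = ("system", "software", "sam", "security", "default")


def _child(parent: Optional[str], name: str) -> Optional[str]:
    """Case-insensitive lookup of one path component; None if absent."""
    if parent is None:
        return None
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass
    return None


def _descend(parent: Optional[str], *components: str) -> Optional[str]:
    """Follow several components case-insensitively; None as soon as one is missing."""
    for c in components:
        parent = _child(parent, c)
    return parent


def find_hives(mount_point: str) -> Dict[str, Dict]:
    """Return {"system": {hive: path}, "users": {user: {"ntuser": p, "usrclass": p}}}."""
    found: Dict[str, Dict] = {"system": {}, "users": {}}
    config = _descend(mount_point, "Windows", "System32", "config")
    if config:
        for entry in os.listdir(config):
            path = os.path.join(config, entry)
            # RegBack/ and systemprofile/ live here too; only plain hive files count
            if entry.lower() in SYSTEM_HIVES and os.path.isfile(path):
                found["system"][entry.lower()] = path
    for profiles in ("Users", "Documents and Settings"):    # Vista+ and XP layouts
        root = _child(mount_point, profiles)
        if root is None:
            continue
        for user in sorted(os.listdir(root)):
            udir = os.path.join(root, user)
            if not os.path.isdir(udir):
                continue
            hives = {}
            ntuser = _child(udir, "NTUSER.DAT")
            if ntuser:
                hives["ntuser"] = ntuser
            usrclass = (_descend(udir, "AppData", "Local", "Microsoft", "Windows", "UsrClass.dat")
                        or _descend(udir, "Local Settings", "Application Data",
                                    "Microsoft", "Windows", "UsrClass.dat"))
            if usrclass:
                hives["usrclass"] = usrclass
            if hives:                       # Public and similar have no hives
                found["users"][user] = hives
    return found


def regripper_commands(found: Dict[str, Dict], rip: str = "rip.pl") -> List[str]:
    """One 'rip.pl -r <hive> -f <profile>' line per hive (profile names assumed)."""
    cmds = [f'{rip} -r "{path}" -f {hive}' for hive, path in found["system"].items()
            if hive != "default"]           # no standard profile assumed for DEFAULT
    for user, hives in found["users"].items():
        for hive, path in hives.items():
            cmds.append(f'{rip} -r "{path}" -f {hive}')
    return cmds


def build_sample_volume() -> str:
    """Constructed stand-in for a mounted Windows 7 volume (empty placeholder
    files, not real hives); returns the mount point."""
    base = tempfile.mkdtemp(prefix="winvol_")
    layout = [
        "WINDOWS/System32/config/SYSTEM", "WINDOWS/System32/config/SOFTWARE",
        "WINDOWS/System32/config/SAM", "WINDOWS/System32/config/SECURITY",
        "WINDOWS/System32/config/RegBack/SYSTEM",       # backup copy, not a target
        "Users/alice/NTUSER.DAT",
        "Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat",
        "Users/Public/desktop.ini",                     # profile without hives
        "Users/desktop.ini",                            # a file, not a profile
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return base


if __name__ == "__main__":
    vol = build_sample_volume()
    for line in regripper_commands(find_hives(vol)):
        print(line)
```

Point it at a real read-only mount and feed the printed lines to a shell, or call `find_hives` from a wrapper that goes on to parse the non-Registry artifacts as well; either way, mount the image read-only so the triage run leaves no trace in the evidence.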

...


Give Your Forensic Images the Boot, Part I

At its worst, incident response in the past consisted of someone with a little bit of knowledge sitting down at the affected machine and poking around at its contents. Computer forensics has influenced the initial response, but you may still find quality information by taking a live look at a suspect machine. For instance, I have no idea where the settings are that affect how icons are arranged on the desktop. But by booting the captured image, I get to see the look and feel of the user environment as it was actually set up.

Booting the image into a virtual environment has other advantages. First, you can interact with the computer in a more natural and

...