SANS Digital Forensics and Incident Response Blog: Author - mikecloppert

Is Digital Forensics a Science?

I was reading a great article the other day in the latest Communications of the ACM [1] (membership required) which had an insert titled Computer Science as a Science that discussed the merits of the profession as a bona fide science. Reading it, I could not help but think: what about digital forensics? I had never once questioned the notion in the past. The similarities to classic forensics, already widely accepted to be a true science, gave me transitive reason to consider digital forensics a science as well. Thinking more critically about the question, however, I am not so sure. In fact, I would posit that digital forensics is not a science. This distinction may seem academic, but as we will see, it is an important acknowledgment that may facilitate the advancement of the profession and


Deconstructing a Webserver Attack

by Michael Cloppert

I was looking for a good example to highlight two very useful and often overlooked features of Wireshark: the flexibility of tshark and the tool suite's HTTPS/SSL decryption capability. The following example covers both, and goes a bit further to describe one way of investigating an attack to assess the likelihood of compromise. While the example is contrived, make no mistake about it: it reflects a real-world attack seen recently, later linked to sophisticated adversaries.

We are in the business of risk management. As such, our response to suspicious activity should be guided by the components of which risk is the product. While terminology may vary, the breakdown I use is:

  • Impact
  • Vulnerability
  • Threat

An understanding of risk components in the context of a computer security incident is often


Insights into Information Warfare, by Example

By Michael Cloppert


This past weekend, news broke from a variety of sources about the IWM's release of a document detailing a sophisticated, long-running campaign of attacks which compromised computers at the Office of His Holiness the Dalai Lama (OHHDL), titled The snooping dragon: social-malware surveillance of the Tibetan movement. The linked document is the best reference I can find as of this writing; it appears to be a summary by Cambridge University researchers of the same


Perl scripts for parsing PDFs, MACs, IPs, URLs, etc.

By Michael Cloppert

I hoped to be writing to you about how I found a great chi-square technique to identify trojaned PDFs (we've certainly seen our share - 8.1, 8.1.1, and now 8.3/9.0...). Sadly, it's not so. I couldn't even get as far as rejecting my null hypothesis, since component bytes, as random variables, are - no surprise - not

Building a complete timeline for intrusion cases

Anyone who has worked intrusion cases can tell you that they are a wholly different animal than classic pornography or computer abuse/misuse cases, yet our tools have grown out of a distinct need for the latter. Particularly fractured are the tools that enable the analyst to build timelines. Sure, we can sort event logs, or use mactime to get a readable dump of our filesystem metadata, but assembling a complete picture remains a struggle. Some products offer a bit more along these lines, such as Encase, but the barrier to entry in assembling disparate logs into a comprehensive timeline is high, both in terms of financial cost and product-specific knowledge, viz. Enscripts.

To address this need, I built Ex-Tip. Roughly named after "Extensible Timelines in Perl," Ex-Tip is really nothing more than a framework of input and output modules to normalize log data and sort by time. While it is currently