SANS Digital Forensics and Incident Response Blog: Author - mworman

Perl-Fu: Regexp log file processing

Remember that with Perl the key benefit is the ability to easily implement almost any kind of input/output processing system one might need or conceive, without the need for a lot of code or time in development. When you are faced with massive amounts of data and a small amount of analytical time, this agility is critical. I will not be teaching regular expression syntax but there are countless primers and resources on the web for this, and they almost universally apply to languages/interpreters other than Perl, including our favorite command line tool, grep. Consider the following code:

# Creates user-specific files from a single log file based on the field "User="
$logfile = $ARGV[0];
open(LOG, "

Forensics and Perl-Fu: Reducing Data and Cleaning Up Log Files

By: Mike Worman

Perl's simplicity and its raw power may seem paradoxical but this is simply a clever ruse. There is a lot going on behind the scenes when using Perl, which has often been described as the scripting language that attempts to figure out exactly what the developer wants in as little code as possible''and it usually succeeds. Even when it doesn't, another possible approach is usually immediately apparent. Never forget the Perl motto: TIMTOWTDI!

Forensics and Perl-Fu

Information Ordnance: Logic Bombs, Forensics, and the Tragical History of Roger Duronio

Given the ongoing investigation at Fannie Mae, it seems appropriate to start waxing philosophical a bit on some recent evolutionary changes in the digital forensics world. While it is true a majority of forensics cases revolve around suspected wrongdoing involving a computer (e.g. fraud), using computers and code as weapons themselves crosses into the realm of information warfare. Yet forensic analysts and incident response experts will have to continue to straddle both of these realms in the new millennium, as both fields continue to evolve and in many respects, converge.

I have seen the devastating results of logic bomb "detonation" up close, and I can assure everyone that carefully prepared information weapons are far more damaging than almost any


When Encountering Safeguard Easy's Boot-time Authentication Lockoutâ¦

Full disk encryption is great for security, but encrypting data carries with it some incidental risk. Forgotten or otherwise unknown encryption passphrases and keys can lead to serious consequences in many situations. In forensics and incident response we use and encounter encryption all the time, and accessing encrypted data in a timely fashion can be critical. I'd like to share a trick I learned while dealing with a "bricked" encrypted device utilizing SafeGuard Easy ("SGE") from Utimaco Software, a fairly common full disk encryption solution.

Safeguard Easy offers