SANS Digital Forensics and Incident Response Blog: Author - Rob Lee

Computer Forensic Guide To Profiling USB Device Thumbdrives on Win7, Vista, and XP

Several times over the past year it has come up in a discussion about the key differences between examining USB Key/Thumbdrives on XP, VISTA, and Windows 7. We did an initial post several weeks ago, but found some new information and have updated our guides as a result. Thanks to SANS Digital Forensic Instructor Colin Cree for the wonderful feedback.

As a part of the SEC408: Computer Forensic Essentials course, we have an extensive section on residue left by USB devices. I am providing a single guide to help you answer the key USB Key/Thumbdrive questions for your case covering XP, VISTA, and Win7.

196 Articles in a year! SANS Digital Forensic Blog One Year Anniversary!

Happy Birthday SANS Computer Forensic Blog! It has been one great year! Our first post was on Aug 27, 2008.

If you have any comments on how to continue to improve, we would love to hear them! I hope you have enjoyed the articles as much as the authors and I have enjoyed creating them.

Special thanks goes out to Dave Hull for managing the blog on a daily basis. Dave has been extraordinary in making sure the authors' posts get published every day.

If you would like to contribute an article to the SANS Forensic Blog, we have a guest blogger program. Email if you are interested!

Continue reading! Hoping next year will be as wonderful as this one. Please comment below on how we can help make the blog even better. Would love to hear your ideas!

Thank you,

Rob Lee

Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics

Reposted from Greg Haverkamp from the GIAC Certified Forensic Analysts [GCFA] Mailing list

The 9th Circuit released its en banc decision today in U.S. v Comprehensive Drug Testing. The case itself has ties to seizures made in relation to the Balco investigations. The most significant aspect of the decision, based on my initial reading, is the elimination of the "plain view" exception as it pertains to warranted searches of digital media. Specifically, it clobbers the widely held position that all files, including those not pertaining to the instant investigation, are in plain view and may be used as evidence of criminal activity beyond the scope of the original investigation. (Images of child pornography seem to be the most common instance of


Signed into Law: No PI License Required in N.C. for Digital Forensic Services

Signed by the governor on 07/24/2009, in pertinent part:

SECTION 1. G.S. 74C-3(b) is amended by adding a new subdivision to read:

(b) "Private protective services" shall not include any of the following:

17) A person engaged in (i) computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or (ii) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

Thanks to all who tirelessly worked on behalf of digital forensic specialists. Special thanks to Ryan Johnson and Jody Westby.

See the NC Senate Bill 584

Alternative Artifact Timeline Generation Tool (Link Files, Prefetch, Userassist, Recycle Bin, and more)

Wanted to give a quick shout out to Kristinn Guðjónsson, one of the SANS blog authors, who released an alternative timeline generation tool, log2timeline, that enables the addition of time artifacts to a body file in addition to Registry last write times and file system MACB times.

The current version of the tool parses the following artifacts:

  • Prefetch directory (reads the content of the directory and parses files found