SANS Digital Forensics and Incident Response Blog: Author - sansdfir

Kick off the new year with the industry's top CTI experts at the SANS Cyber Threat Intelligence Summit

This January, cyber threat intelligence (CTI) practitioners from around the world will gather in Arlington, Va., for the SANS DFIR Cyber Threat Intelligence Summit & Training. One of only a handful of events devoted to cyber threat intelligence and analysis, the SANS CTI Summit brings together leading experts and analysts for in-depth threat intelligence talks, …


Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS

Digital forensics is a high-stress, high-stakes job. There are so many devices, repositories, and massive data sets, yet in most cases you have only one chance to find and properly extract the evidence that can make or break your case. The new SANS course FOR498: Battlefield Forensics & Data Acquisition is designed to provide first responders, investigators, and digital forensics teams with the advanced skills to quickly and properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories.

FOR498 is co-authored and taught by certified SANS instructors Kevin Ripa and Eric Zimmerman, both veteran cybersecurity experts who are highly regarded in the digital investigations field. With 25 years of experience in digital forensics, Kevin has assisted in complex cyber-forensics and hacking response investigations around the world. He is sought after for his expertise in information technology investigations and frequently serves as an expert witness. Kevin is president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. Eric, a former FBI Special Agent, has written more than 50 programs used by thousands of law enforcement officers in over 80 countries, and has created many world-class open-source forensic tools (EZ Tools). Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice.

Kevin and Eric decided to create FOR498 in response to growing demand from SANS students for more guidance on data acquisition. Traditionally, law enforcement officers who enrolled in SANS forensics classes already had forensics experience and a strong working knowledge of how to image a device. However, examiners outside of law enforcement are often not as familiar with imaging. In addition, data acquisition and forensics are more challenging than ever before because of the constantly increasing numbers and sizes of data sets and the more complex nature of acquiring evidence from so many different types of devices and repositories. With any given hard drive, forensicators might have to deal with 1, 2, or even 4 terabytes of data, and traditional ways to get at those data are no longer tenable.

As Kevin points out in a webinar about FOR498, attacks require not only a thorough investigation but also one that produces evidence quickly. Take, for example, the Las Vegas mass shooting in October 2017, the deadliest in modern U.S. history. Investigators got to work right away, especially since there were concerns about possible accomplices who might have fled the scene. At the same time, investigators had to work thoroughly to try to determine the shooter's motives, including documenting his Internet search history and examining all computers and cell phones tied to the case. Of note, it was reported that a hard drive in a laptop found in the shooter's hotel room was missing, and that the shooter had purchased software designed to erase files from hard drives.


iOS Location Mapping with APOLLO Part 2: Cellular and Wi-Fi Data (locationd)

My previous article showed a new capability of APOLLO with KMZ location file support. It worked great for routined data, but there was something missing. What about the cellular and Wi-Fi locations that are stored in databases? Well, turns out I need to test better. I fixed the locationd modules to have the activity as "Location" versus "LOCATION". Case sensitivity is apparently a thing in Python, my bad.

I should also mention that with the fixes, my total location data points for an iOS 12.1.1 device jumped to ~57,000! I should note this is not inclusive of workout locations. Those are a bit different as they are stored as separate records, one for latitude and one for longitude. In the future I might attempt to pair these up for KMZ support.


iOS Location Mapping with APOLLO Part 1: I Know Where You Were Today, Yesterday, Last Month, and Years Ago!

I added preliminary KMZ (zipped KML) support to APOLLO. If any APOLLO module's SQL query has "Location" in its Activity field, it will extract the location coordinates in the column "Coordinates" as long as they are in Latitude, Longitude format (i.e., 38, -77). These are more or less an upgrade/replacement for my previous iOS location scripts. (FYI: Those will not likely be updated further.)
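The selection rule described here, and the case-sensitivity pitfall from the locationd post above, as an added example in Python (not APOLLO's own code): rows are constructed to mimic an (activity, coordinates) module result, coordinates are parsed from "Latitude, Longitude" text, and matching points are written out as KML inside a KMZ. The case-insensitive matching option and the coordinate range check are assumptions added for illustration.

```python
import zipfile

# Constructed sample rows shaped like (Activity, Coordinates) module output.
# The "LOCATION" row reproduces the case mismatch that silently dropped locationd records.
SAMPLE_ROWS = [
    ("Location", "38.8895, -77.0353"),
    ("LOCATION", "38.8977, -77.0365"),
    ("Application Usage", ""),
    ("Location", "not a coordinate"),
]


def parse_coordinates(text):
    """Parse 'Latitude, Longitude' text (e.g. '38, -77'); return (lat, lon) or None."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 2:
        return None
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return None
    # Reject values outside the valid geographic range rather than mapping garbage.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def select_points(rows, case_insensitive=False):
    """Return (lat, lon) pairs for rows whose Activity contains 'Location'.

    Matching is case-sensitive by default, which is exactly why 'LOCATION' rows
    went missing; case_insensitive=True is an assumed option that catches them.
    """
    points = []
    for activity, coords in rows:
        hit = "location" in activity.lower() if case_insensitive else "Location" in activity
        if not hit:
            continue
        parsed = parse_coordinates(coords)
        if parsed is not None:
            points.append(parsed)
    return points


def build_kml(points):
    """KML orders coordinates as lon,lat,alt, the reverse of the module output."""
    marks = "".join(
        f"<Placemark><Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>"
        for lat, lon in points)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            f"{marks}</Document></kml>")


def write_kmz(path, points):
    """A KMZ is a zip archive whose main document is conventionally named doc.kml."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("doc.kml", build_kml(points))
```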


Countdown to DFIRCON 2019!

At this year's annual DFIRCON 2019, one of the industry's most unique Digital Forensics and Incident Response (DFIR) training events, you'll train, network and battle with the best. Join us in Coral Gables, Fla., Nov. 4 - Nov. 9, to level up your DFIR skills, get in on the latest in research and technology, and …