SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

Digital Forensics Case Leads: Herding botnet herders

It's been a busy week, with the RSA and BSides conferences both taking place in San Francisco. Ira Victor will have a wrap-up of news from RSA tomorrow, so look for that. Be sure to check out Robert Shullich's paper on exFAT (see below), as we're sure to encounter this file system more and more in our digital forensics work.



Digital Forensic Case Leads: Introductions

Recently, the forensicator-in-chief, Rob Lee, put out the call for a new series of posts here at the SANS Computer Forensics Blog. Rob wanted to present a few short "case leads" that may interest practitioners. A small group of volunteers took on the task of formulating a weekly "Digital Forensic Case Leads" post each Friday to include coverage of tools both new and old, interesting reads, news items and more.

And so, in the spirit of Kevin Riggins and his "Interesting Information Security Bits" or Dave Lewis, James Arlen (et al.) and their "Liquid Matrix Security Briefings", we present "Case Leads: 20100205-001:"


  • Andreas Schuster released an update of his Vista event log parser,

  • NTFS: Attributes Part One

    In the previous post in this series on the NTFS file system, we were just dipping our feet into the complicated waters by examining the output of fsstat. Let's pick up where we left off. Below is the $AttrDef Attribute Values section of fsstat's output from the previous post:

    $AttrDef Attribute Values:
    $STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
    $ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
    $FILE_NAME (48) Size: 68-578 Flags: Resident,Index
    $OBJECT_ID (64) Size: 0-256 Flags: Resident
    $SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident
    $VOLUME_NAME (96) Size: 2-256 Flags: Resident
    $VOLUME_INFORMATION (112) Size: 12-12


    NTFS: An Introduction

    Earlier this year, a lifetime ago in internet years, I published a series of posts on the FAT file system. Over the next few months, I'll be publishing a similar series on NTFS. Much of the information contained in these posts will come from Brian Carrier's excellent book, File System Forensic Analysis, articles from Microsoft and other sources. Where applicable, specific sources will be cited within each blog post.

    On day one of SANS Sec 508: Computer Forensics, Investigation and Response we cover the most common file systems in detail. Almost without fail, someone asks if the material is really important


    FAT File Sizes

    If you're checking this blog for the first time, you should know that this post is one in a series dealing with a FAT file system that has been tweaked in various ways to make recovery of the data more difficult, if only for the casual observer. Forensics folks like yourselves would have no issue recovering the data, but the point of this series is to learn about the FAT file system and how it works.

    In last week's FAT Tuesday post we looked at a file in our USB key image (get it here) called "Scheduled Visits.exe". We looked at the metadata for the file using