SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

No obligation higher than the truth

In a recent criminal case the defendant admitted he was under the influence at the time of arrest. However, the prosecutor overreached, charging the defendant with attempted kidnapping. According to the defendant, an officer took statements at the scene using mobile recording equipment. These recordings were said to contain exculpatory evidence.

photo courtesy of justinbaeder at

photo courtesy of justinbaeder at

The defense wanted to review the statements taken at the scene, but law enforcement could not produce them. Conflicting testimony was given about whether the recordings had ever been made, so a judge agreed that an expert could investigate.

Given that the


You will be hacked, will you be prepared?

"Hope for the best, prepare for the worst." — English proverb

"Before anything else, preparation is the key to success." — Alexander Graham Bell

Forensic analysts, and the organizations that employ them, can simplify and speed up forensic analysis with a little preparation. If you accept that system compromise is a matter of when, not if, then prepare your systems for forensic analysis before the incident rather than after it.

Before moving a system into production, grab a copy of Jesse Kornblum's MD5Deep from and create checksums of every file on the system (the md5deep suite also ships sha1deep and sha256deep; prefer SHA-256 over MD5, since MD5 collisions are practical and an attacker can craft a trojaned binary that matches a known-good MD5). Have your desktop folks fold this into their image-building process, and store the resulting hash sets somewhere the target system cannot write to, because a baseline the intruder can edit proves nothing. If you're really diligent, regenerate the hashes after every patch cycle; otherwise every legitimately patched binary shows up as "modified" exactly when you need a short list of suspects.
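The workflow above, as an added example that is not code from this post or from the md5deep project: build a hash manifest of a file tree (the equivalent of what `md5deep -r` or `hashdeep -r` writes out), save it off-box as JSON, and later diff a fresh manifest against it to list added, removed and modified files. It records both MD5 and SHA-256 per file so an old MD5-only baseline stays comparable while the SHA-256 value is the one you trust. Only the Python standard library is used; the directory layout, file contents and the "trojaned sshd" scenario in `demo()` are constructed in a temporary directory so the script runs offline, and the helper names (`build_manifest`, `compare`, `demo`) are this example's own, not md5deep's.

```python
"""Hash a file tree before it goes into production, then diff it at incident time.

Added example (not from the SANS post or from md5deep). Standard library only.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read files 1 MiB at a time so large binaries never sit fully in memory


def hash_file(path, algos=("md5", "sha256")):
    """Return {algo: hexdigest} for one file, reading it exactly once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_manifest(root):
    """Walk `root` and hash every regular file; keys are forward-slash paths relative to root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets, devices: hash the real files only
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, out_path):
    """Write the manifest as sorted JSON; keep this copy off the system it describes."""
    with open(out_path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current, algo="sha256"):
    """Classify files as added / removed / modified relative to the baseline, by `algo`."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p][algo] != current[p][algo]),
    }


def demo():
    """Constructed scenario: baseline a gold image, then 'compromise' it and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # gold image contents (constructed sample data)
        write("bin/sshd", b"original sshd bytes")
        write("etc/empty", b"")
        write("motd", b"welcome")
        baseline_path = os.path.join(store, "gold-image.json")  # the off-box copy
        save_manifest(build_manifest(root), baseline_path)

        # what an intruder does after the baseline was taken
        write("bin/sshd", b"trojaned sshd bytes")
        write("bin/ld.so.preload", b"/lib/evil.so")
        os.remove(os.path.join(root, "motd"))

        baseline = load_manifest(baseline_path)
        return {"baseline": baseline, "diff": compare(baseline, build_manifest(root))}


if __name__ == "__main__":
    print(json.dumps(demo()["diff"], indent=1))
```

Run on a real host, point `build_manifest` at `/` (or `C:\`) and save the JSON somewhere read-only to that host; at incident time run it again and feed both manifests to `compare`. The "modified" and "added" lists are your starting set of files to pull for analysis, and the "removed" list is worth a look too, since attackers delete logs and tools they no longer need.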

Astute readers will say, "I can download known hashes from NIST's