SANS Digital Forensics and Incident Response Blog: Category - artifact analysis

Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and or download pornographic images from the Internet. First let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said we agreed in the onset of the investigation that any image that clearly showed sexual organs would be the definition we would use in determining if a particular image met the client's definition of a pornographic image.

Processing the case with FTK 3.12 and both collecting images in allocated space as well as carving for images in unallocated space revealed well over 60,000 images. The client needed and answer quickly hence manually reviewing and classifying the large number of images was not an option. If you simply did a quick view of each image for just 5 seconds you would burn about 2 weeks of labor. The process needed to be automated and sooner than later. I had heard AccessData had

... Continue reading Digital Forensics: Too Much Porn, Too Little Time


Computer Forensics: Armor For Your Feet

Hal Pomeranz, Deer Run Associates

As forensic professionals we take a great deal of care when acquiring and analyzing evidence. Write blockers, checksumming, working copies- these are part of everybody's standard policies and help to prevent corruption of our digital evidence. However, beyond spoiling your original evidence, there are still various mistakes that you can make that won't ruin your case but will cost you time and increase your frustration level. In this article I'm going to demo a couple of different ways you can shoot yourself in the foot when doing forensics on the Unix command-line (e.g., in the SIFT workstation) and some easy ways to prevent these mistakes.

Output Redirection is Your Friend... Until It Isn't

Let's say you

...


Benefits of using multiple timestamps during timeline analysis in digital forensics

Timeline analysis is a highly valuable tool. However, like everything else in computer forensics, it requires a skilled investigator to examine all the data available in order to find the evidence and provide an accurate account of the events. When analyzing Windows systems, it is common to use key timestamps in forensics such as Creation Date, Last Modified Date, Last Accessed Date, and the Last Modified Date for the file's Master File Table (MFT) entry. A key factor in using these timestamps is to not rely solely on a single timestamp, but use the combination of these timestamps in digital forensics. The combination of these timestamps can prove to be far more powerful and revealing than any single timestamp on its own. I will use an example to illustrate.

A forensic investigator was reviewing volatile evidence collected during an investigation into

...


Digital Forensics: Introducing ForensicArtifacts.com

??There always seems to be common questions asked on forensic mailing lists, forums, and blogs. One of the common questions is, "Does anyone have contact information for ABC company?" Another question commonly seen is, "Has anyone dealt with ABC program or have a whitepaper for it?" The first question is solved by the ISP list at Search.org. The second question didn't have a unified source of information - until now.

The website ForensicArtifacts.com was recently launched to provide a reference database for forensic examiners looking for specific information on artifacts of operating systems, programs, and user activity. The website was set up in blog format allowing examiners to subscribe to the RSS feed or simply visit the site and use the global search functions. There is also a


Computer Forensics: Using Evidence Cleaners to Find Artifacts

I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many can argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.

CCleaner used to store settings in the Registry, but has now opted to use an .INI file to assist in application portability. This is a great asset to forensic examiners who like to research new artifacts. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this

...