SANS Digital Forensics and Incident Response Blog: Category - Case Leads

Digital Forensics Case Leads: FTK's updates

Whether you use FTK or Encase, commercial products have incredible functionality that can be utilized in conjunction with open source computer forensics tools.For this week's Digital Forensics Case Leads, I wanted to focus on the updates to FTK. With commercial based products, just like with open source, it is a matter of preference which tool you want to add to you forensic arsenal.

Tools:

  • Forensic Toolkit (FTK') version3.1.2 was released May 17th with a 'New and Improved'section including 'View This Item in a Different List' feature that allows the user to right click on a folder, then go to that folder in a Graphics tab and see the files inside as well asimproved identification of JavaScript Object Notation (JSON) files such as those found in programs like FaceBook.
  • For the Password Recovery Toolkit'(PRTK') version6.5.1,and Distributed

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Digital Forensics Case Leads: Guidance Busy this week.

This week big news from Guidance Software, maker of Encase. The U.S. Secret Service will now add more data to the Verizon Breach Report. Microsoft release Office 2010 and several new/updated tools and virtual pit bulls are now protected.

Tools:

Good Reads:

...


Digital Forensics Case Leads: Good reads and coming events

It's been a very busy week this week, so this week's Case Leads post is all about brevity. There were a bunch of great articles put out this week and I'm sure I've missed a few. At the end of this week's post there's an email address for the Case Leads series. If you have written or read something you think should be included in the weekly round up, please let us know.

Last week I posted a few sites that regularly publish lists of domains that are known to be serving malware. I'm working on a project that's scraping some of these sites and building lists of IPs for use in a network security monitoring program. What I didn't know at the time was that malwaredomains.com has a text file that they regularly update with new domain names. This makes my task much easier.

For fun this week, I took the text file and extracted the hostnames from all the uncommented lines in

...