SANS Digital Forensics and Incident Response Blog: Category - Case Leads

Digital Forensic Case Leads: Forensic 4Cast Voting is Open

Short post this week, as yours truly is under the weather. I hate colds, but they are far more miserable in the summer when the weather is beautiful.

It's con season. Last week was SANSFire, and this week started off with the Pen Test Summit, and FIRST and in the coming weeks we'll see the Forensics Summit (details below), Black Hat and Defcon. I love this time of year and can't wait to see what great tools and discoveries will be released in the coming months.

Tools:

  • For anyone who has ever had to dig through the registry piecing together information about various USB devices that have been plugged into a system, here's a useful tool that will do the heavy lifting for you. That link will take you to a post that discusses the various registry artifacts in play and includes a link to the tool.
  • Mandiant has

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in web application used to sign onto to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to not focus on using secure methods like using random numbers in generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


Digital Forensics Case Leads: FTK's updates

Whether you use FTK or Encase, commercial products have incredible functionality that can be utilized in conjunction with open source computer forensics tools.For this week's Digital Forensics Case Leads, I wanted to focus on the updates to FTK. With commercial based products, just like with open source, it is a matter of preference which tool you want to add to you forensic arsenal.

Tools:

  • Forensic Toolkit (FTK') version3.1.2 was released May 17th with a 'New and Improved'section including 'View This Item in a Different List' feature that allows the user to right click on a folder, then go to that folder in a Graphics tab and see the files inside as well asimproved identification of JavaScript Object Notation (JSON) files such as those found in programs like FaceBook.
  • For the Password Recovery Toolkit'(PRTK') version6.5.1,and Distributed

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the