SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Help Improve EDD - Encrypted Disk Detector!

Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of …


SANS #DFIR Summit 2013 - Call For Speakers - Now Open

Summit Dates: July 9-10, 2013
Post-Summit Course Dates: July 11-16, 2013
Summit Venue: Omni Hotel Downtown Austin, 700 San Jacinto @ 8th Street, Austin, TX 78701. Phone: (512) 476-3700. Fax: (512) 397-4888.

The 6th annual Forensics and Incident Response Summit will again be held in the live music capital of the world, Austin, …


Digital Forensics Case Leads: A MiniFlame Has Been Lit, Learning a Language and New and Updated Tools.

In this week's SANS Case Leads, the new tool pyMFTGrabber is out, a MiniFlame has been lit, learning a language and more. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: The Sleuth Kit (TSK) 4.0 is out here. The Autopsy Forensic Browser is now …


FTK 4 Added to SANS FOR408 Windows Forensics Training Course

We are pleased to report the successful introduction of AccessData's Forensic Toolkit (FTK) v4 into the SANS FOR408 Course (Computer Forensic Investigations - Windows In-Depth). While students have access to well over a hundred free and open source tools during the course, we also felt it important for them to gain an understanding of …


Resident $DATA Residue in NTFS MFT Entries

Hal Pomeranz, Deer Run Associates

I came across a small but interesting artifact in the course of a recent investigation. Quick Google searching failed to find any documentation elsewhere, so here's a brief summary of my findings. The bottom line is that residue of old resident $DATA entries may exist in NTFS MFT records after …