SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 2)

Understanding Browser Artifacts. Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful, a …


Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results

One of the biggest complaints that many have in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that through creating a realistic scenario based on experiences from the entire cadre of instructors at SANS and additional experts who reviewed and advised the attack …


Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)

[Author's Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was …


Digital Forensics Case Leads: Macs do need antivirus after all and Pastebin may start cutting what hackers paste

This week's Case Leads brought us an outbreak of a trojan exploiting a Java flaw that has infected hundreds of thousands of Macs, several new tool releases, news (and humor) about forensic awards, and an announcement by Pastebin that they are taking action against people posting sensitive data on their site. If you have an item you'd like …


Digital Forensics Case Leads: Bulk_extractor how-to, Verizon Report, FTK review, China prime suspect in RSA and other incidents

In this week's edition of Case Leads we have a how-to for Bulk_extractor's find feature, first impressions on the new database options in FTK, an extension for log2timeline for parsing the cache in Firefox, the Verizon data breach report, and statements by current and former US government officials about Stuxnet and China. If you have …