SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Hacking into the New Year, and a Virus Causes a Man to Get a New Trial

Happy New Year from the Case Leads team! In this first Case Leads of the year, several organizations have been hacked, a man gets a new trial because of a computer virus, and Windows 8 will have a reset button. Several tools have been updated and introduced, and there are some good reads along with a little …


Reverse Engineering Malware - FOR610 - in Phoenix, AZ

In February, Hal Pomeranz will be in Phoenix to teach FOR610: Reverse Engineering Malware. This advanced course at the SANS Institute has been incredibly valuable to investigators worldwide trying to fight the Advanced Persistent Threat (APT). The course runs from Monday, February 13, 2012 to Friday, February 17, 2012. "This was a great course that …


New Incident Response and Digital Forensic Techniques - Countering the Advanced Persistent Threat

Over the past two years, we have seen a dramatic increase in sophisticated attacks against organizations. Cyber-attacks originating from China, named the Advanced Persistent Threat (APT), have proved difficult to suppress. Financial attacks from Eastern Europe and Russia obtain credit card and financial data, resulting in millions of dollars stolen. Commercial and Federal IT Security …


Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id (uid and gid respectively) showing the file's owner and group. On most *nix systems, files in system directories are owned by uid and gid root, which is represented by the numeric uid and gid value of 0; see the sample listing below: …


Digital Forensic SIFTing: String Searching and File Carving using srch_strings_wrap

The latest version of the SIFT, 2.12, contains a few scripts I wrote, and Rob asked me to write a post for the blog going over their functionality. The scripts add on to the functionality provided by The Sleuth Kit's srch_strings to provide additional information on string matches and automatically carve out matching files or blocks. …