SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Passwords in Wills, Google Chrome a Virus, Cybercrime Unit Saving Money and Updates for Sleuthkit and SSDeep.

In this edition we have Microsoft classifying Google Chrome as a virus, passwords being added to wills, and the Metropolitan Police Cybercrime Unit saving money for the citizens of the UK. Several tools have been updated, and there are some good reads along with a little levity, training and conference dates, and a call for papers. If you … Continue reading Digital Forensics Case Leads: Passwords in Wills, Google Chrome a Virus, Cybercrime Unit Saving Money and Updates for Sleuthkit and SSDeep.


Free laptop with SANS FOR508 Advanced Forensics and IR vLive!

Just in time for Christmas, get a quad core Dell 15" laptop when you sign up for SANS vLive. If you have end of year funds left, vLive is a fantastic way to take a SANS class. Chad Tilbury will be teaching SANS Forensics 508: Advanced Forensics and Incident Response for 6 weeks starting … Continue reading Free laptop with SANS FOR508 Advanced Forensics and IR vLive!


OSX Lion User Interface Preservation Analysis

Recently I've updated to OS X Lion (10.7) and started testing my incident response scripts on the system. I started looking through new default folders created for users and ran across a folder called "Saved Application State." I began researching this folder and determined that it's used to store settings for a new feature called … Continue reading OSX Lion User Interface Preservation Analysis


High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs, California. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA draw thousands. It's more difficult to really get to know one's colleagues at those … Continue reading High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies


NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity. One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design. One such feature is the Windows NTFS Index Attribute, also known as the … Continue reading NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files
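As an added example (it is not part of the original post and not a SANS tool), the Python below shows the mechanism behind the $I30 evidence: it takes one 4 KiB INDX record of the kind stored in a directory's $INDEX_ALLOCATION, undoes the update-sequence fixups, walks the live INDEX_ENTRY list, and then carves FILE_NAME structures out of the slack beyond the used region, which is where the names and timestamps of deleted or overwritten files survive. Structure offsets follow the public NTFS layout (INDEX_ENTRY header of 0x10 bytes, FILE_NAME of 0x42 bytes plus the UTF-16LE name). The record is constructed in memory rather than read from an image; the file names, sizes, MFT numbers and timestamps are made up for the demonstration.

```python
# Added example: parse an NTFS $I30 INDX record and carve deleted names from its slack.
# SAMPLE below is a constructed record, not data from a real volume.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR = 512
INDX_HDR = 0x18      # index header starts here inside the INDX record
ENTRY_HDR = 0x10     # INDEX_ENTRY bytes before the FILE_NAME content
FN_FIXED = 0x42      # FILE_NAME bytes before the UTF-16LE name


def align8(n):
    return (n + 7) & ~7


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(block):
    """Undo update-sequence protection: on disk the last 2 bytes of every sector hold
    the USN; the real bytes live in the update sequence array (USA) in the header."""
    usa_off, usa_count = struct.unpack_from("<HH", block, 4)
    usn = block[usa_off:usa_off + 2]
    buf = bytearray(block)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or not an INDX record")
        buf[end - 2:end] = block[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_file_name(buf, off):
    """Decode the FILE_NAME attribute that every $I30 entry carries (timestamps in UTC)."""
    (parent, ctime, mtime, mft_mtime, atime, alloc, real,
     _flags, _reparse, name_len, namespace) = struct.unpack_from("<7QIIBB", buf, off)
    name = buf[off + FN_FIXED:off + FN_FIXED + 2 * name_len].decode("utf-16le")
    return {"name": name, "namespace": namespace, "parent_mft": parent & 0xFFFFFFFFFFFF,
            "size": real, "alloc_size": alloc,
            "created": filetime_to_dt(ctime), "modified": filetime_to_dt(mtime),
            "mft_modified": filetime_to_dt(mft_mtime), "accessed": filetime_to_dt(atime)}


def parse_live_entries(buf, start):
    """Walk the node's entry list until the terminator (flag 0x02); return entries, used_end."""
    entries, off = [], start
    while True:
        mft_ref, entry_len, content_len, flags = struct.unpack_from("<QHHI", buf, off)
        if entry_len < ENTRY_HDR:
            raise ValueError(f"corrupt entry at 0x{off:x}")
        if flags & 0x02:                      # terminator carries no FILE_NAME
            return entries, off + entry_len
        e = parse_file_name(buf, off + ENTRY_HDR)
        e["mft"] = mft_ref & 0xFFFFFFFFFFFF
        entries.append(e)
        off += entry_len


def carve_slack(buf, start, end, years=(1990, 2100)):
    """Scan the unused tail for anything still shaped like INDEX_ENTRY + FILE_NAME.
    Deleting an entry shifts later entries down; bytes past the new end are not zeroed."""
    found, off = [], start
    while off + ENTRY_HDR + FN_FIXED <= end:
        mft_ref, entry_len, content_len, _flags = struct.unpack_from("<QHHI", buf, off)
        name_len, namespace = buf[off + ENTRY_HDR + 0x40], buf[off + ENTRY_HDR + 0x41]
        expect = align8(ENTRY_HDR + content_len)
        ok = (0 < name_len <= 255 and namespace <= 3
              and content_len == FN_FIXED + 2 * name_len
              and entry_len in (expect, expect + 8)   # +8 when a sub-node VCN trails the entry
              and off + entry_len <= end)
        if ok:
            try:
                e = parse_file_name(buf, off + ENTRY_HDR)
                ok = all(years[0] <= e[k].year <= years[1]
                         for k in ("created", "modified", "mft_modified", "accessed"))
            except (OverflowError, UnicodeDecodeError):
                ok = False
        if ok:
            e["mft"] = mft_ref & 0xFFFFFFFFFFFF
            found.append(e)
            off += entry_len
        else:
            off += 8                          # entries are 8-byte aligned
    return found


def parse_indx(block):
    """Return (live_entries, slack_entries) for one INDX record."""
    buf = apply_fixups(block)
    if buf[:4] != b"INDX":
        raise ValueError("not an INDX record")
    entries_off, index_size, alloc_size, _flags = struct.unpack_from("<IIIB", buf, INDX_HDR)
    live, used_end = parse_live_entries(buf, INDX_HDR + entries_off)
    if used_end != INDX_HDR + index_size:
        raise ValueError("entry walk disagrees with index header size")
    return live, carve_slack(buf, used_end, INDX_HDR + alloc_size)


# ---- constructed sample: a 4 KiB record whose slack still holds a deleted entry ----
def make_entry(mft, name, size, when, parent=5):
    ft = dt_to_filetime(when)
    fn = struct.pack("<7QIIBB", parent, ft, ft, ft, ft, align8(size), size, 0, 0, len(name), 3)
    fn += name.encode("utf-16le")
    entry_len = align8(ENTRY_HDR + len(fn))
    return (struct.pack("<QHHI", mft, entry_len, len(fn), 0) + fn).ljust(entry_len, b"\0")


def make_indx(live, stale, size=4096):
    usa_count, usa_off = 1 + size // SECTOR, 0x28
    start = align8(usa_off + 2 * usa_count)                 # absolute offset of first entry
    body = b"".join(live) + struct.pack("<QHHI", 0, ENTRY_HDR, 0, 0x02)
    hdr = (b"INDX" + struct.pack("<HHQQ", usa_off, usa_count, 0, 0)
           + struct.pack("<IIIB3x", start - INDX_HDR, start - INDX_HDR + len(body), size - INDX_HDR, 0))
    rec = bytearray((hdr.ljust(start, b"\0") + body + b"".join(stale)).ljust(size, b"\0"))
    usn = b"\x01\x00"
    usa = usn + b"".join(bytes(rec[i * SECTOR - 2:i * SECTOR]) for i in range(1, usa_count))
    for i in range(1, usa_count):
        rec[i * SECTOR - 2:i * SECTOR] = usn                 # apply protection like the driver does
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)


T = datetime(2011, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = make_indx(live=[make_entry(40, "budget.xlsx", 18432, T), make_entry(41, "report.docx", 40960, T)],
                   stale=[make_entry(42, "secret.txt", 1200, T)])   # removed from the list, never wiped

if __name__ == "__main__":
    for tag, rows in zip(("live", "slack"), parse_indx(SAMPLE)):
        for e in rows:
            print(f"{tag:5} mft={e['mft']:<4} {e['name']:<14} size={e['size']:<6} modified={e['modified']:%Y-%m-%d %H:%M}")
```

The carve heuristics (name length, namespace of at most 3, content length consistent with the name, entry length 8-byte aligned, timestamps within a sane range) are what keep a slack scan from reporting random bytes as files; on a real image the same function is run over every INDX record of $INDEX_ALLOCATION, and a name that appears only in slack, with an MFT number whose record now holds a different file, is the deleted-or-overwritten case the post describes.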