SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows

Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies

Introduction to Shadow Timelines:

This past weekend I was upgrading the SIFT Workstation to the new version and I realized I had not used the Windows version of the Sleuthkit tools in a while. I usually demonstrate in class that many of the Sleuthkit tools can work directly against the logical partitions of a Physical Hard Drive (e.g. \\.\C:, \\.\D:). It occurred to me that I had never tried to use the filesystem parser and timeline generator fls on a Windows Vista, Windows 7, or Windows 2008 Server ShadowCopyVolume.

We have known for some time now that you can image a Shadow Volume. I wrote a

...


Advanced Forensic Training in Asia Pacific

If you are in the Asia Pacific region, don't miss Singapore SOS October 10-18, 2011! We are bringing two of our most advanced forensics courses to the island nation.
Forensics 508: Advanced Computer Forensic Analysis and Incident Response with Chad Tilbury
Master advanced incident response and computer forensics tools and techniques to investigate data breach …


Digital Forensics Case Leads: Registry and Malware Analysis Tools, Preparing to Testify, and Virtual Machine Technology on Mobile Devices

This week's edition of Case Leads features a number of new tools and updates for a few of the old standbys. We have a collection of tools designed for studying malware found on Windows or Android platforms and a couple of new applications for registry analysis. Virtual machine technology is heading for Android-based devices …


UPDATED DigiNotarSSL Incident Response Report: No Logging, Weak Password, No Protected Network

On Monday evening, as the host of CyberJungleRadio, I received a copy of the then just published report that appears to be from the security firm Fox-IT, the company hired by DigiNotar to investigate the massive SSL breach. On page nine of the thirteen-page report, a shocking series of security omissions is revealed: No …


Digital Forensics Case Leads: The Feds sue, Google users scammed, China and US tag team against porn sites

The Federal Government sues to block AT&T and T-Mobile, Google users in Iran are scammed and China and the US tag team on child porn sites. Check out the good reads on Jump Lists, Sticky Notes and Quicken. On the lighter side see what Dilbert is up to and also don't pick up any wooden iPads from …