SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Androids, Breaches, & Clouds All Around

Welcome to this week's edition of Case Leads! Data breaches continue this week and Apple announces the iCloud while others speculate on the impact of the Cloud to Digital Forensics. We have a data recovery USB "stick" for Android phones, a book on Android forensics, and a fragmented photo carving utility. As this week's edition …


Professional Development in Digital Forensics and Incident Response

Professionals looking to enter and grow in the field of digital forensics and incident response (DFIR) face many challenges. Organizations often focus their recruitment efforts on experienced forensicators, rather than investing in personnel who could mature as part of the group. Individuals who found a way to enter this field often struggle to identify mentors …


How to Mount Dirty EXT4 File Systems

Hal Pomeranz, Deer Run Associates

As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system, as is typical during forensic seizure, and the file system is still "dirty". In these cases, my technique involves …


Digital Forensics Case Leads: Apple v Weiner on Tweeter, SANS DFIR Summit videos available and a new version of Log2Timeline

There were several data breaches announced and/or confirmed this week. Log2timeline and Windows Event log parser were released and Weiner admits to wrongful tweeting. The SANS Digital Forensic and Incident Response summit videos can now be viewed and a new section labeled Call for Papers has been added. If you have an item you'd like …


Volume Shadow Copies and LogParser

Volume Shadow Copies (VSCs) can contain a treasure trove of information - so much information that if not treated correctly, they can become too cumbersome for many investigators. (Note: if you are unfamiliar with VSCs, Rob Lee has a great write-up about the subject.) One way to make the examination of VSCs a little less …