SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Triage, Live Incident Response, and Memory Forensics

Our focus this week is on live response, memory forensics, and triage. New tools from Mandiant (Redline) and HBGary (Responder Community Edition) jump into the live response and memory forensics arena and appear to hold some promise for those who need to delegate first response activities to IT support staff who don't have prior Incident … Continue reading Digital Forensics Case Leads: Triage, Live Incident Response, and Memory Forensics


Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones

Photo forensics tops the news in this edition of Digital Case Leads. Valdimir Katalov, CEO of ElcomSoft is interviewed about his team's discovery that the implementation of many of the digital signature systems used by Canon and Nikon are faulty. His team demonstrated that they could forge "authentic" digital photos. How many courts rely upon … Continue reading Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones


Cloud Investigation

Narrated Screencast Assures Investigator's Personal Accountability The collection of cloud evidence vexes investigators, whether they be police, auditors or consumer watchdogs. As more and more social and commercial interactions occur in the Internet cloud, new methods are needed for proving what happened. Traditional digital forensics emphasizes an investigator gaining access to data stored on a … Continue reading Cloud Investigation


Digital Forensics Case Leads: Oracle is on the Warpath, Anonymous accused of PlayStation hack.

Oracle is on the warpath with a subpoena for Apache, Anonymous is accused of hacking the PlayStation network. The Forensic 4Cast nominees are out, interviews with several SANS Instructors, FireFox browser forensics and what skeletons are in your ESI closet. If you have an item you'd like to contribute to Digital Forensics Case Leads, please … Continue reading Digital Forensics Case Leads: Oracle is on the Warpath, Anonymous accused of PlayStation hack.


How to Extract Flash Objects from Malicious PDF Files

Authors of malicious PDF documents have often relied on JavaScript embedded in the PDF file to produce more reliable Adobe Reader exploits. The attackers now also embed Flash programs, which incorporate ActionScript, in a similar manner. This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts. We will take a brief look at using pdf-parser, PDF Stream Dumper and SWFDump for this purpose. Continue reading How to Extract Flash Objects from Malicious PDF Files