SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Least frequently occurring strings?

My phone rang. It was a small business owner looking for some help. He had a system he wanted me to take a look at, but was light on specifics. I asked to speak to his IT person. He laughed and said he was the IT person and that he knew next to nothing about … Continue reading Least frequently occurring strings?


Digital Forensics Case Leads: ACLU, Michigan State Police, and Cellebrite

This week, the dispute between the ACLU of Michigan and the Michigan State Police engages most of my attention here. But there are a lot of other interesting items this week, including Verizon's 2011 Data Breach Investigations Report, one person's stab at what to do about Chinese espionage, and new information about the location data … Continue reading Digital Forensics Case Leads: ACLU, Michigan State Police, and Cellebrite


Using Investigator Video as Evidence in Court

On this blog I previously published ideas for capturing cyber investigation evidence, such as evidence showing what a hyperlink on the web does at a particular point in time or evidence showing what a dynamic web page displayed at a given moment. I demonstrated a split-screen video, where the investigator records his words and … Continue reading Using Investigator Video as Evidence in Court


Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud

The digital forensic and ediscovery case of the decade could describe the litigation between Facebook and a man that claims he has a contract and emails from Harvard Student Mark Zukerberg for 50% ownership of "The Face Book" as an early-stage investor. There are more questions than answers in this case right now, among them: … Continue reading Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud


Context-Specific Signatures for Computer Security Incident Response

Despite the limitations of signatures in generic situations, context-specific signatures can help when responding to a computer security incident. The process starts with the identification of the attributes that act as signs of the incident. The next step involves codifying these signs as custom signatures to help the organization assess the scope of the incident and later contain it. Continue reading Context-Specific Signatures for Computer Security Incident Response