SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Context-Specific Signatures for Computer Security Incident Response

Despite the limitations of signatures in generic situations, context-specific signatures can help when responding to a computer security incident. The process starts with the identification of the attributes that act as signs of the incident. The next step involves codifying these signs as custom signatures to help the organization assess the scope of the incident and later contain it. Continue reading Context-Specific Signatures for Computer Security Incident Response


Understanding EXT4 (Part 4): Demolition Derby

Hal Pomeranz, Deer Run Associates In Part 3 of this series we looked at the EXT4 extent tree structure for dealing with very large or very fragmented files- basically any situation where you need more than the four extent structures available in the inode. Go back and read that part now if you haven't already, … Continue reading Understanding EXT4 (Part 4): Demolition Derby


Digital Forensics Case Leads: Visualization Tools, Information Security in Law Firms, Hack Attacks, another Stuxnet Analysis and more

This week's edition of Case Leads features two Twitter visualization tools, a new RegRipper plug-in, a podcast with Rob Lee and details on attacks against Oracle and EMC. We also have another Stuxnet analysis, news on the acquisition of NetWitness, and a study on a new Black Market currency. As always, if you have an … Continue reading Digital Forensics Case Leads: Visualization Tools, Information Security in Law Firms, Hack Attacks, another Stuxnet Analysis and more


Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. Tools: Mandiant has released an update … Continue reading Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA


Understanding EXT4 (Part 3): Extent Trees

Hal Pomeranz, Deer Run Associates There's one more big concept we need to cover before you can really start decoding EXT4 file systems. As I mentioned in Part 1 of this series, you can only have a maximum of 4 extent structures per inode. Furthermore, there are only 16 bits in each extent structure for … Continue reading Understanding EXT4 (Part 3): Extent Trees