SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. Tools: Mandiant has released an update … Continue reading Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA


Understanding EXT4 (Part 3): Extent Trees

Hal Pomeranz, Deer Run Associates There's one more big concept we need to cover before you can really start decoding EXT4 file systems. As I mentioned in Part 1 of this series, you can only have a maximum of 4 extent structures per inode. Furthermore, there are only 16 bits in each extent structure for … Continue reading Understanding EXT4 (Part 3): Extent Trees


Why Stuxnet Isn't APT

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry naval-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same. Continue reading Why Stuxnet Isn't APT


Digital Forensics Case Leads: File Systems, Memory Forensics, and a Pedophile Ring Dismantled

This week, we have a wealth of File System information, new and old, updates to the popular and versatile RegRipper program, and some very promising research in the area of memory forensics. But the best news, by far, is the success of Operation Rescue in taking down a substantial world-wild child exploitation ring. We applaud … Continue reading Digital Forensics Case Leads: File Systems, Memory Forensics, and a Pedophile Ring Dismantled


Understanding EXT4 (Part 2): Timestamps

Hal Pomeranz, Deer Run Associates Well I certainly didn't plan on three months elapsing between my last post on EXT4 and this follow-up, but time marches on. That was supposed to be a clever segue into the topic for this installment- the new timestamp format in the EXT4 inode. OK, I know what you all … Continue reading Understanding EXT4 (Part 2): Timestamps