SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Understanding EXT4 (Part 4): Demolition Derby

Hal Pomeranz, Deer Run Associates In Part 3 of this series we looked at the EXT4 extent tree structure for dealing with very large or very fragmented files- basically any situation where you need more than the four extent structures available in the inode. Go back and read that part now if you haven't already, … Continue reading Understanding EXT4 (Part 4): Demolition Derby


Digital Forensics Case Leads: Visualization Tools, Information Security in Law Firms, Hack Attacks, another Stuxnet Analysis and more

This week's edition of Case Leads features two Twitter visualization tools, a new RegRipper plug-in, a podcast with Rob Lee and details on attacks against Oracle and EMC. We also have another Stuxnet analysis, news on the acquisition of NetWitness, and a study on a new Black Market currency. As always, if you have an … Continue reading Digital Forensics Case Leads: Visualization Tools, Information Security in Law Firms, Hack Attacks, another Stuxnet Analysis and more


Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. Tools: Mandiant has released an update … Continue reading Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA


Understanding EXT4 (Part 3): Extent Trees

Hal Pomeranz, Deer Run Associates There's one more big concept we need to cover before you can really start decoding EXT4 file systems. As I mentioned in Part 1 of this series, you can only have a maximum of 4 extent structures per inode. Furthermore, there are only 16 bits in each extent structure for … Continue reading Understanding EXT4 (Part 3): Extent Trees


Why Stuxnet Isn't APT

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry naval-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same. Continue reading Why Stuxnet Isn't APT