SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: New Year brings DEFT and DFF updates, interesting reads and upcoming events

This week we have updates to two great tools, a variety of interesting reads, including one to come soon, and some events to fill your calendar for the 1st quarter of the new year. Tools: Arxsys has released V0.9 of the open source Digital Forensics Framework (DFF), which has some cool new features. You can …


A Quick Look at Volatility 1.4 RC1 - What's New?

Volatility is a popular framework for memory forensics. The upcoming 1.4 release introduces a number of changes, including support for Windows 7 and enhanced plugins for malware analysis.


Digital Forensics on a (less than) shoestring budget - Part 1

It has often been said that the best things in life are free. Could it be that that old saying can be applied to digital forensics? In many cases, the answer is a resounding yes! But first, a little history on just how I know the above to be true. I am a police officer …


Digital Forensics: Finding Encoded Evidence

Recently I was asked to recover images from a suspect machine. Numerous tools have the ability to categorize files based on type. Students of SANS 508 get a look under the hood at how this is done using the "magic numbers" found at or near the start of files with well-known formats. Fortunately, most of …


Digital Forensics Case Leads: Ready, Forensicate, Aim

Ready. Forensicate. Aim. Okay, seriously, don't do that. You know the correct order, right? If not, Chris Pogue spent part of last year presenting on the Sniper Forensics methodology, developed by the incident response team at TrustWave's SpiderLabs, and has what you need. Even if you already know the proper order is Ready, Aim, Forensicate, …