SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Carving processes from Win7 mem dumps, timeline analysis

Timelines, time stamps and related analysis have been a popular subject of late in the community. You'll find a little more of that in this week's Case Leads, including a very nice walk-through of using Excel to analyze timeline data. It's really a great tool for this, especially when dealing with large datasets.

There's also news of progress on the steganalysis front, or at least news of a leading researching getting some credit and loads of other good stuff.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Richard McQuown has released an Enscript that can carve Windows 7 processes from memory images. The script is beta, but worth checking out, especially if you're fortunate enough to work in an enterprise that's replaced XP with


Digital Forensics: Detecting time stamp manipulation

At approximately 22:50 CDT on 20101029 I responded to an event involving a user who had received an email from a friend with a link to some kid's games. The user said he tried to play the games, but that nothing happened. A few minutes later, the user saw a strange pop up message asking to send an error report about regwin.exe to Microsoft.

I opened a command prompt on the system, ran netstat and saw an established connection to a host on a different network on port 443. The process id belonged to a process named kids_games.exe.

I grabbed a copy of Mandiant's Memoryze and collected a memory image from the system and copied it to my laptop for offline analysis using Audit Viewer.

Audit Viewer gave the kids_games.exe process a very high Malware Rating Index (see Figure 1), so I decided there was probably more


SANS Digital Forensics Blog Reader's Survey Results

Thank you to all of our readers that took the time to complete our blog reader's survey. Your participation was very much appreciated and we will use this information to better serve our our readers and the forensic community. Our blog has been successful because of you and it is important that we share the results with you. Not every question was answered by everyone that took the survey, so we had a tangible 111 responses (thank you).

Here are the results:

Solaris Digital Forensics: Part2

This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at

Reading ls output

Being able to correctly read the ls command's output is critical for moving around the OS and to looking for signs of compromise. As you go through the filesystem, keep in mind you may not be truly seeing an accurate picture of the filesystem. If the machine has a rootkit installed on it, some of the files and directories may be hidden.

In the UNIX filesytem we have some basically defined file types:

  • Regular files
  • Directories
  • Symbolic Links (hard and soft)
  • Device


Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professionally skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.

Consider for example one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (paid FBI informant) played no role in the shooting. However, forty years later a previously-unknown tape recording of the events has surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that