SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

WACCI Digital Forensics (Part 2)

After the great opening day of the Wisconsin Association of Computer Crime Investigators (WACCI) conference, I arrived at the Alliant Energy Center exhibition hall for day two of the four-day conference feeling optimistic about the chances for another exciting day. Once again, I was not disappointed.

The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions. I chose to attend one entitled Browser Artifact Forensics, taught by Charles Giglia of Digital Intelligence. My partner in crime, Brad Garnett, went to a session taught by Fergus Toolan entitled Perl

...


Digital Forensics: Stuck on Stickies

Raise your hand if you've responded to a crime scene and had a suspect computer possibly involved in the crime. How many of you have responded to an incident where a victim's computer may have been compromised and needs to be analyzed but the victim is not available for questioning regarding user account information and passwords? How many of you have been taught, told or learned through experience to look for sticky notes attached to a monitor, on a computer tower case or even taped to the bottom of a keyboard?

The answer is probably most of you reading this. How many of you actually thought to look for the sticky notes of the digital variety? If you are organized, a neat freak or OCD like me, you hate a cluttered desk space. If that is the case, you have probably gone paperless. You scan your desk for whatever little bits of tree pulp may cross your gaze, sticky notes included. I (and many others) don't use physical sticky notes anymore, having switched to computer

...


Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

SANS is pleased to announce our most popular new course of 2010, Forensics 408:
Computer Forensics Essentials, in Long Beach, CA, from December 6 - 11. The course
will be taught by certified SANS instructor and co-author of this course, Chad Tilbury.
For complete course information and to register, please visit https://www.sans.org/longbeach-2010.

Save $400 on tuition fees when you register for this course by October 27.

Forensics 408: Computer Forensics Essentials focuses on the critical knowledge that a
computer forensic investigator must know to investigate computer crime incidents successfully.
You will learn how computer forensic analysts focus on collecting and analyzing data from
computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

Course Details:
Dates: December 6 - 11
Course: SANS Forensics 408: Computer Forensics Essentials

...


Solaris Forensics: Part 1

Introduction

Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involve:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that

...


Review: Mandiant's Incident Response Conference (MIRCon) Day 2

The first Mandiant Incident Response Conference (MIRCon) is now in the bag, so to speak. It was an impressively valuable and fun-filled two days, and I have to thank Mandiant once again for throwing down on an excellent shindig. As with my review of Day 1, I'll recap some highlights from the various presentations. Those of you who weren't able to attend may also be interested in the recap webinar that Mandiant is presenting next week (Oct. 19): State of the Hack: The Hangover - What REALLY happened at MIRCon.

The Day 2 keynote was delivered by Gordon Snow, Assistant Director of the FBI's Cyber Division, who spoke about the

...