SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktop, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV Satellite. Security honcho Bruce Schnier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a

...


Digital Forensics: Persistence Registry keys

Some have called us log monkeys and claim our work is boring. Others recognize that what we do is a form of hunting. Computer Incident Response Team members watch security information event monitors (SIEMs) for indicators of compromise (IOCs). IOCs are like lycanthropes, they may be IDS/IPS alerts or blocks, or a system trying to connect to a resource it shouldn't be connecting to, or a user complaining of odd system behavior, or heaven forbid, a call from the Feds in the middle of the night.

Incident handlers may look for secondary IOCs to confirm an incident has occurred so they don't unnecessarily cause alarm or disrupt the organization. In the case of unsophisticated malware these secondary indicators can often be found by taking a quick look at the Windows Registry's run key. In many environments, this can be done remotely via:

reg query \\\\suspect.system.ip.address\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

What comes back

... Continue reading Digital Forensics: Persistence Registry keys


WACCI Digital Forensics (Part 2)

After the great opening day of the Wisconsin Association of Computer Crime Investigators (WACCI) conference, I arrived at the Alliant Energy Center exhibition hall for day two of the four-day conference feeling optimistic about the chances for another exciting day. Once again, I was not disappointed.

The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions. I chose to attend one entitled Browser Artifact Forensics, taught by Charles Giglia of Digital Intelligence. My partner in crime, Brad Garnett went to a session taught by Fergus Toolan entitled Perl

...


Digital Forensics: Stuck on Stickies

Raise your hand if you've responded to a crime scene and had a suspect computer possibly involved in the crime. How many of you have responded to an incident where a victim's computer may have been compromised and needs to be analyzed but the victim is not available for questioning regarding user account information and passwords? How many of you have been taught, told or learned through experience to look for sticky notes attached to a monitor, on a computer tower case or even taped to the bottom of a keyboard?

The answer is probably most of you reading this. How many of you actually thought to look for the sticky notes of the digital variety? If you are organized, a neat freak or OCD like me, you hate a cluttered desk space. If that is the case, you have probably gone paperless. You scan your desk for whatever little bits of tree pulp may cross your gaze, sticky notes included. I (and many others) don't use physical sticky notes anymore, having switched to computer

... Continue reading Digital Forensics: Stuck on Stickies


Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

SANS is pleased to announce our most popular new course of 2010, Forensics 408:
Computer Forensics Essentials, in Long Beach, CA, from December 6 - 11. The course
will be taught by certified SANS instructor and co-author of this course, Chad Tilbury.
For complete course information and to register, please visit (https://www.sans.org/longbeach-2010).

Save $400 on tuition fees when you register for this course by October 27.

Forensics 408: Computer Forensic Essentials focuses on the critical knowledge that a
computer forensic investigator must know to investigate computer crime incidents successfully.
You will learn how computer forensic analysts focus on collecting and analyzing data from
computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

Course Details:
Dates: December 6 - 11
Course: SANS Forensics 408: Computer Forensics Essentials

... Continue reading Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11