SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: The Community Needs You

I don't know. I don't know. I don't know.

That little phrase, more than most others in the English language, has an amazing potential to be either mindbogglingly empowering or cripplingly demoralizing. A great deal of the difference depends on emphasis. Do you dwell on the fact that you don't have the knowledge and don't have "the time" to find the answer? Or do you focus on the opportunity to gain knowledge and make new discoveries? Do you hesitate or hold back because there are things you don't know? Or do you have a good grip on the fact that none of us know everything (or even most things)?

The answers to those questions have a lot to do with how and whether you decide to contribute to the digital forensics community (or any community). So I've focused this week on using the various links I've compiled to illustrate how people can begin contributing to the community in ways that don't


How to Get Started With Malware Analysis

Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Lenny Zeltser recommends articles, webcasts and books for getting started with malware analysis. Lenny teaches this topic as part of SANS course FOR610: Reverse-Engineering Malware.

Paraben Forensic Conference Report: iPhone Forensics - Tools and Tips From The Trenches

One of the training classes with high attendance at the Paraben Forensic Innovations Conference this week in Park City, Utah, was the Apple iOS Forensics Bootcamp. Apple's iOS is the operating system that powers the Apple iPhone, iPod Touch, the iPad, and the Apple iTV device. With the exploding popularity of these devices (well, except for the iTV), law enforcement, corporate investigators, and other forensic professionals are looking to learn more about this platform.

The iOS Forensics Bootcamp was instructed by Ben Lemere of Basis Technologies. Lemere has worked in forensics for the Feds and the private sector. The focus of the bootcamp was mostly on iPhone forensics, although many of the principles apply to the other devices. Ben uses an excellent tool for conducting iOS forensic analysis, and provided
Digital Forensics How-To: Memory Analysis with Mandiant Memoryze

Mandiant's Memoryze tool is without question one of the best forensic tools available. It is an incredibly powerful memory analysis suite that should be part of every incident responder's toolkit. It's free, but requires some patience to traverse the learning curve. Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts who operate on a completely different level than most of us mere mortals. In this post I'll cover how to get started with Memoryze, because if you haven't added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.

Getting Started

The first step is to go out and download the tool. An important thing to keep in mind is that Memoryze actually consists of two components: Memoryze and Audit Viewer. Each must be downloaded individually from the free tools section of the Mandiant

Digital Forensics Case Leads: Carving processes from Win7 mem dumps, timeline analysis

Timelines, time stamps and related analysis have been a popular subject of late in the community. You'll find a little more of that in this week's Case Leads, including a very nice walk-through of using Excel to analyze timeline data. Excel is really a great tool for this, especially when dealing with large datasets.

There's also news of progress on the steganalysis front, or at least news of a leading researcher getting some credit, and loads of other good stuff.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to
  • Richard McQuown has released an Enscript that can carve Windows 7 processes from memory images. The script is beta, but worth checking out, especially if you're fortunate enough to work in an enterprise that's replaced XP with