SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Solaris Digital Forensics: Part2

This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at https://blogs.sans.org/computer-forensics/2010/10/15/solaris-forensics-part-1/.

Reading ls output

Being able to correctly read the ls command's output is critical for moving around the OS and to looking for signs of compromise. As you go through the filesystem, keep in mind you may not be truly seeing an accurate picture of the filesystem. If the machine has a rootkit installed on it, some of the files and directories may be hidden.

In the UNIX filesytem we have some basically defined file types:

  • Regular files
  • Directories
  • Symbolic Links (hard and soft)
  • Device

...


Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professionally skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.

Consider for example one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (paid FBI informant) played no role in the shooting. However, forty years later a previously-unknown tape recording of the events has surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that

...


Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktop, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV Satellite. Security honcho Bruce Schnier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a

...


Digital Forensics: Persistence Registry keys

Some have called us log monkeys and claim our work is boring. Others recognize that what we do is a form of hunting. Computer Incident Response Team members watch security information event monitors (SIEMs) for indicators of compromise (IOCs). IOCs are like lycanthropes, they may be IDS/IPS alerts or blocks, or a system trying to connect to a resource it shouldn't be connecting to, or a user complaining of odd system behavior, or heaven forbid, a call from the Feds in the middle of the night.

Incident handlers may look for secondary IOCs to confirm an incident has occurred so they don't unnecessarily cause alarm or disrupt the organization. In the case of unsophisticated malware these secondary indicators can often be found by taking a quick look at the Windows Registry's run key. In many environments, this can be done remotely via:

reg query \\\\suspect.system.ip.address\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

What comes back

... Continue reading Digital Forensics: Persistence Registry keys


WACCI Digital Forensics (Part 2)

After the great opening day of the Wisconsin Association of Computer Crime Investigators (WACCI) conference, I arrived at the Alliant Energy Center exhibition hall for day two of the four-day conference feeling optimistic about the chances for another exciting day. Once again, I was not disappointed.

The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions. I chose to attend one entitled Browser Artifact Forensics, taught by Charles Giglia of Digital Intelligence. My partner in crime, Brad Garnett went to a session taught by Fergus Toolan entitled Perl

...