SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

SANS Reverse Engineering Malware in London (Forensics 610)

One of the our most popular classes is returning to London in December. Forensics 610: Reverse Engineering Malware has been selling out in the United States and is in high demand. As organizations grow the need to analyze and reverse complex malware is extremely important.

Many organizations in the United States are using fulltime malware analysts as a core part of their teams helping identify compromised systems by specifying exactly what type of traffic or what digital forensic footprint a piece of malware leaves on a machine. No longer will an organization have to "guess" where to look. With a malware analyst on their team, it makes it much easier to use actionable intelligence in order to find the hackers on your

...


How To - Digital Forensics Copying A VMware VMDK

Having recently seen a number of requests on the security and forensic list servers that I participate in requesting recommendations / procedures for copying the disk (VMDK) for a specific Virtual Machine (VM) within a VMware environment for analysis in an incident response, I put together a quick How To in effort to provide some insight in to a few of the methods that I have used.

The Game Has Clearly Changed With Virtualization

Most often the files associated with a given VM are not stored locally on the physical server running ESX or ESXi and the respective VM. It is important to understand that in order to use many of the more powerful features of VMware such as vMotion and DRS the files for the VM's must reside on shared storage that is reachable from each ESX or ESXi server that needs to interact with it. Hence, when

...


SANS Digital Forensics Blog Reader's Survey

The contributors to the SANS Digital Forensics Blog want to say "thank you," and to get some feedback from you on the future direction of the blog. Please take a few minutes to complete our reader survey.

The blog has seen a 606% increase in traffic over the last year (Thank You!!), logging over 255,000 unique visits, and 67% of those being new visitors! Those are some great numbers that we are very proud of and we continue to strive to be a leading contributor to the digital forensics community. Our blog authors and contributors come from all walks of life in the digital forensics profession and are leading practitioners in their organizations.

Some of our most viewed articles include:

Recovering Deleted Text Messages from Windows Mobile Devices by

...


Did Las Vegas Police Fumble Critical Digital Forensics in High Profile Shooting Case?

While in a re-certification class at SANS Network Security, a local news story catches my attention. It's a coroner's inquest into the death of Erik Scott, who was shot here in July outside a Costco store by officers of the Las Vegas Metropolitan Police (LVMP) after a store employee spotted Scott's firearm, which he had a permit to carry.

There's limited time while we drink from the SANS fire hose to absorb the day's news events. But I picked up the following from an op-ed piece by Scott's father in the Las Vegas Sun. The dead man's family is harshly critical the investigative process, and not without justification, if William Scott's account is accurate.

The elder Scott says the investigation has been entirely internal, conducted by LVMP. Scott is an aerospace journalist who notes that if an airline pilot has an accident that results in a

...


Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response

Our focus this week, albeit loosely, is on Incident Response. There has been much news of late regarding the Stuxnet malware, and a couple of the more interesting perspectives are linked in the "Good Reads" section below. As forensicators and incident responders, the advent of such "weapons-grade" malware raises the stakes significantly, and we have to step up our game to match. Memory forensics becomes far more crucial when dealing with advanced threats, and Mandiant offers some help in this area with an update to their Memoryze tool. But our ability to learn from the incidents we investigate and share that information also becomes vastly more important. To help us in this area, Verizon has provided their VERIS Framework, which is a tool for gathering metrics from incident investigations so that we can begin to share and learn from the breaches that inevitably occur. The VERIS Framework isn't all that new, but deserves more attention. So read on for these and other interesting

... Continue reading Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response