SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Images and dm-crypt and LVM2... Oh my!

Hal Pomeranz, Deer Run Associates

Disk layouts using the Linux Logical Volume Manager (LVM2) are increasingly becoming the norm for new Linux installs. And very often the physical volume used by LVM2 has been encrypted via dm-crypt. A recent email from a Sec508 student asking for a procedure for mounting these images prompted me to codify this information into a blog posting.

Investigating the Image

When initially presented with the image, you may not know whether LVM2 or dm-crypt has been employed. So let's start from scratch:

# md5sum sda.dd
f4c7a8d54b9b0b0b73ec03ef4cf52f42 sda.dd
# mmls -t dos sda.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta

...


How To - Digital Forensic Imaging In VMware ESXi

Paul A. Henry Forensics and Recovery.com Follow me on Twitter

As a follow up to my recent SANS Forensic Blog post "How To - Digital Forensics Copying A VMware VMDK" that provided insight in to making a "GUI tool" based copy of a VMware VMDK, I have put together a How To that addresses creating a forensically sound image of a VMware VMDK on the ESXi console, that is able to provide the "chain of custody" needed in a digital forensics investigation.

Important note: In the simplest of terms a VMDK is an abstraction of a physical disk for a VM contained within a file (VMDK-flat). We are making a bit by bit

...


Digital Forensics Case Leads: Make it go away, the Stuxnet extended remix

Life is busy in the digital forensics and incident response world, so this week's Case Leads is short and sweet. Here are my favorite items from the last few days, enjoy!

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Harris Corporation introduces BlackJack a USB device that looks very useful for situations where one must rapidly triage systems for the presence of interesting data. According to the press release, the device boots in less than three seconds and "automatically scans and copies data by prioritizing search criteria and securely partitions search results for analysis." The device has two LEDs, one red and one green that indicate the presence or absence of items of interest.

Good Reads:


6 Hex Editors for Malware Analysis

Hex editors allow examining and modifying a file at the low-level of bytes and bits, usually representing the file's contents in hexadecimal form. Some editors distinguish themselves at helping the user derive meaning from the examined file, extracting ASCII and Unicode contents, searching for patterns, recognizing common structures, and so on. There are lots of hex editors out there; I want to mention a few that I find particularly useful for analyzing malware and examining malicious document files.

FileInsight

FileInsight is a free hex editor from McAfee Labs that runs on Microsoft Windows (download zip file). As expected, it can perform

...


SANS Reverse Engineering Malware in London (Forensics 610)

One of the our most popular classes is returning to London in December. Forensics 610: Reverse Engineering Malware has been selling out in the United States and is in high demand. As organizations grow the need to analyze and reverse complex malware is extremely important.

Many organizations in the United States are using fulltime malware analysts as a core part of their teams helping identify compromised systems by specifying exactly what type of traffic or what digital forensic footprint a piece of malware leaves on a machine. No longer will an organization have to "guess" where to look. With a malware analyst on their team, it makes it much easier to use actionable intelligence in order to find the hackers on your

...