SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said lets get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However if you want to do a deep dive in to the file structure, Internet usage or look deep in to the applications that are being used on the device and perhaps run some of your "favorite forensic tools" against it, I highly recommend complimenting your traditional

...


You're a tool, a digital forensics tool.

A common question I am asked or see posted on forums, user groups and social media sites is: "What is the best computer forensic tool?" It is usually posed by someone getting started in the field and is an understandable query for an individual who is unfamiliar with some of the granular technical details of the field and looking for direction on how to get their feet wet. In addition there are considerable marketing efforts by product developers to set their solution apart from the rest claiming to be the best, fastest, most reliable or somehow "court approved." (Chris Pogue recently touched upon the "court-approved" tool fallacy on his blog http://thedigitalstandard.blogspot.com/2010/08/court-approved.html.)

When this question is posed I try impress upon the person asking it that there are no forensic tools. There are only

...


Dealing with Split Raw Images in Digital Forensics

Hal Pomeranz, Deer Run Associates

Lately I've been working with images from a client whose policy is to create their dd type images as a series of 2GB chunks- the so-called split raw format. While commercial forensic tools will typically handle this format easily, split raw images can present challenges for examiners using Open Source utilities and Linux command-line tools. With image sizes constantly increasing, recombining the individual chunks of a split raw image into a single, monolithic image file is not really practical either in terms of analyst time or disk space. Happily, there are some Open Source utilities that can make dealing with split raw images considerably easier.

The Sleuth Kit

The Sleuth Kit utilities have actually supported split raw format since v2. The trick is to use the "-i split" option

...


Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and or download pornographic images from the Internet. First let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said we agreed in the onset of the investigation that any image that clearly showed sexual organs would be the definition we would use in determining if a particular image met the client's definition of a pornographic image.

Processing the case with FTK 3.12 and both collecting images in allocated space as well as carving for images in unallocated space revealed well over 60,000 images. The client needed and answer quickly hence manually reviewing and classifying the large number of images was not an option. If you simply did a quick view of each image for just 5 seconds you would burn about 2 weeks of labor. The process needed to be automated and sooner than later. I had heard AccessData had

... Continue reading Digital Forensics: Too Much Porn, Too Little Time


Digital Forensics Case Leads: Using VMWare for Forensic Analysis

I have a lot of students ask me about different options for case management/forensic analysis tools besides commercial based products. As we know,VMWare Desktop is not free, you can download a free trial copy for 30 days and utilize the SIFT Workstation (for example). I also recommend the bootable Knoppix-like CDs for live analysis and contain case management as well. Here is a great tutorial from Forensic Focus on using VMWare as a forensic tool.

Tools:

  • VMWare and SANS Sift Workstation. The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format

...