SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics: Stuck on Stickies

Raise your hand if you've responded to a crime scene and had a suspect computer possibly involved in the crime. How many of you have responded to an incident where a victim's computer may have been compromised and needs to be analyzed but the victim is not available for questioning regarding user account information and passwords? How many of you have been taught, told or learned through experience to look for sticky notes attached to a monitor, on a computer tower case or even taped to the bottom of a keyboard?

The answer is probably most of you reading this. How many of you actually thought to look for the sticky notes of the digital variety? If you are organized, a neat freak or OCD like me, you hate a cluttered desk space. If that is the case, you have probably gone paperless. You scan your desk for whatever little bits of tree pulp may cross your gaze, sticky notes included. I (and many others) don't use physical sticky notes anymore, having switched to computer

... Continue reading Digital Forensics: Stuck on Stickies

Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

SANS is pleased to announce our most popular new course of 2010, Forensics 408:
Computer Forensics Essentials, in Long Beach, CA, from December 6 - 11. The course
will be taught by certified SANS instructor and co-author of this course, Chad Tilbury.
For complete course information and to register, please visit (

Save $400 on tuition fees when you register for this course by October 27.

Forensics 408: Computer Forensic Essentials focuses on the critical knowledge that a
computer forensic investigator must know to investigate computer crime incidents successfully.
You will learn how computer forensic analysts focus on collecting and analyzing data from
computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

Course Details:
Dates: December 6 - 11
Course: SANS Forensics 408: Computer Forensics Essentials

... Continue reading Long Beach, CA hosts SANS Computer Forensics Essentials, December 6 - 11

Solaris Forensics: Part 1


Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involves:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that

... Continue reading Solaris Forensics: Part 1

Review: Mandiant's Incident Response Conference (MIRCon) Day 2

The first Mandiant Incident Response Conference (MIRCon) is now in the bag, so to speak. It was an impressively valuable and fun-filled two days, and I have to thank Mandiant once again for throwing down on an excellent shindig. As with my review of Day 1, I'll recap some highlights from the various presentations. Those of you who weren't able to attend may also be interested in the recap webinar that Mandiant is presenting next week (Oct. 19): State of the Hack: The Hangover - What REALLY happened at MIRCon.

The Day 2 keynote was delivered by Gordon Snow, Assistant Director of the FBI's Cyber Division, who spoke about the


WACCI Digital Forensics (Part 1)

This week, I had the pleasure of attending the Wisconsin Association of Computer Crime Investigators (WACCI) conference in Madison, WI. I was fortunate to be accompanied by good friend and fellow SANS Computer Forensics blog author Brad Garnett. The following is a recap of our time at the conference.

When I first learned about the WACCI conference, I was immediately interested in attending. The biggest draw was the speaker lineup, which included such forensics luminaries as Ovie Carroll, Harlan Carvey, Rob Lee, Brian Carrier and Mark McKinnon. That's quite a list of talent. I was amazed that such a great conference could be given while still keeping the registration price incredibly low. Finally, I was attracted by the conference location. Given that I live in a rural area, it was great to see a high quality forensics conference taking place within realistic driving distance. Once I was certain