SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Why Teaching Matters - A Letter About FORENSICS 508 - Computer Forensic Investigations and Incident Response

This is a really special letter that we thought we would share with the community. Thanks, Bob, and great work! Letter republished with permission from Bob Elder.

_______________________________________________________________________________________

Just wanted to pass along my accolades for the SANS 508 course. I have been taking this course via the on-demand method and had to stall the course due to a high profile case I was working on. The case involved online file sharing where the target was visited by police for items found in his publicly shared folder. When the search warrant took place, police members found out that the suspect had been discovered by his wife and had removed all the child pornography videos, including the ones that were documented in the investigation.

When I got the computer and imaged the drive, nothing was there except

...


Digital Forensics Case Leads: An OS X based Live CD, a Free Forensics App for Windows, Spying, and High Performance Password Cracking

This week's edition of Case Leads features an OS X based Live CD, a free tool for gathering evidence from HBGary, spying, and the threat video cards pose to passwords.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Creating an OS X Incident Response CD for Live Response - Tom Webb has a write-up that discusses the process for building a basic OS X based CD for live analysis. The how-to addresses a few unique features of OS X and includes a method for dealing with OS X's non-static binaries. Suggestions for binaries to include on the CD and commands useful for IR on OS X are covered. Tom has also included a starter script that will help with information gathering during the IR

...


Intro to Report Writing for Digital Forensics

So you've just completed your forensic examination and found that forensic gem or smoking gun in your case. How do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery), you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce for the client, attorney, etc. This will be your guide for completing your report. While the report writing part of the digital forensic examination process is not as fun as the forensic analysis, it is a very important link in the chain, as Dave Hull summed it up in a tweet.

As digital forensic examiners/analysts, we must report and present our findings on a very technical discipline in a simplistic manner. That may be to a supervisor, client, attorney, etc. or even to a judge and jury who will read and interpret your

...


Computer Forensics: Armor For Your Feet

Hal Pomeranz, Deer Run Associates

As forensic professionals we take a great deal of care when acquiring and analyzing evidence. Write blockers, checksumming, working copies: these are part of everybody's standard policies and help to prevent corruption of our digital evidence. However, beyond spoiling your original evidence, there are still various mistakes that you can make that won't ruin your case but will cost you time and increase your frustration level. In this article I'm going to demo a couple of different ways you can shoot yourself in the foot when doing forensics on the Unix command line (e.g., in the SIFT workstation) and some easy ways to prevent these mistakes.

Output Redirection is Your Friend... Until It Isn't

Let's say you

...


Getting Started in Digital Forensics: Do You Have What It Takes?

Those of you who have been following our weekly Case Leads articles may have noticed that we've made several mentions of the new issue (#4) of Digital Forensics Magazine. SANS has developed a relationship with the good people over at DFM that we hope will prove beneficial to the Forensics and Incident Response community, and we're trying to highlight some of the interesting elements that have arisen from that relationship.

As of Issue 4, our own forensicator-in-chief, Rob Lee, has become a Contributing Author for Digital Forensics Magazine. I have been in contact with the publisher, Tony Campbell, who has generously given us permission to re-print Rob's first article here. So, in a fairly egregious form of hijacking, I am also using Rob's article as a launch pad for a series of posts I've begun writing under the series name "Getting Started in Digital Forensics." Thanks to both Rob and

...