SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Computer Forensics: Armor For Your Feet

Hal Pomeranz, Deer Run Associates

As forensic professionals we take a great deal of care when acquiring and analyzing evidence. Write blockers, checksumming, working copies: these are part of everybody's standard policies and help to prevent corruption of our digital evidence. However, beyond spoiling your original evidence, there are still various mistakes you can make that won't ruin your case but will cost you time and increase your frustration level. In this article I'm going to demo a couple of different ways you can shoot yourself in the foot when doing forensics on the Unix command line (e.g., in the SIFT workstation) and some easy ways to prevent these mistakes.

Output Redirection is Your Friend... Until It Isn't

Let's say you

...


Getting Started in Digital Forensics: Do You Have What It Takes?

Those of you who have been following our weekly Case Leads articles may have noticed that we've made several mentions of the new issue (#4) of Digital Forensics Magazine. SANS has developed a relationship with the good people over at DFM that we hope will prove beneficial to the Forensics and Incident Response community, and we're trying to highlight some of the interesting elements that have arisen from that relationship.

As of Issue 4, our own forensicator-in-chief, Rob Lee, has become a Contributing Author for Digital Forensics Magazine. I have been in contact with the publisher, Tony Campbell, who has generously given us permission to re-print Rob's first article here. So, in a fairly egregious form of hijacking, I am also using Rob's article as a launch pad for a series of posts I've begun writing under the series name "Getting Started in Digital Forensics." Thanks to both Rob and

...


Digital Forensics Case Leads: Intel to Buy McAfee

Intel to buy McAfee for more than U.S. $7 billion, Facebook login information leakage, and an Android gaming app that hides a Trojan lead the stories this week. A new SANS course is being offered that looks to be outstanding, along with some good reads from David Nides, Matt Churchill, Joe Garcia and Nick Harbour.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. We would love to hear from all of you.

New SANS Course Being Offered:

There is a new 2-day Combating Malware in the Enterprise course that Lenny Zeltser and Jason Fossen have co-authored. Its major focus is on discovering, responding to, and remediating malware incidents in an enterprise setting. You can find more information about it here:

http://CombatingMalware.com

The course will debut at the Network Security

...


Digital Forensics Reporting: CaseNotes Walkthrough/Review

One important aspect of Digital Forensics is reporting. There are many reasons for this. One is to keep track of the work you have done during analysis. Another is that if a case you are working on ends up being reassigned to another examiner, they can look over your notes and know what you've done, how you've done it, when you've done it and what the results were up to the point of transfer. The most important reason, though, is for your appearance in court to testify on a case. Now, as most of us know, many cases never make it to trial or end up getting settled out of court. That is no excuse to be lax in your reporting. Each case should be treated like it will go the distance.

With that said, I, like most, have taken my notes by hand. I find that handwritten notes tend to become sloppy in the long run. While taking notes, if you run out of room and don't have another clean sheet of paper handy to continue you may end up writing in

...


Benefits of using multiple timestamps during timeline analysis in digital forensics

Timeline analysis is a highly valuable tool. However, like everything else in computer forensics, it requires a skilled investigator to examine all the data available in order to find the evidence and provide an accurate account of the events. When analyzing Windows systems, it is common to rely on key timestamps such as the Creation Date, Last Modified Date, Last Accessed Date, and the Last Modified Date of the file's Master File Table (MFT) entry. A key factor in using these timestamps is to not rely solely on a single timestamp, but to use them in combination. The combination of these timestamps can prove to be far more powerful and revealing than any single timestamp on its own. I will use an example to illustrate.

A forensic investigator was reviewing volatile evidence collected during an investigation into

...