SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Does Forensicator Pro include a Hex Editor? and other tool tales

Well, it's been a quiet week at Lake DataBeGone, where all the forensicators are above average, or at least aspire to that. Nothing as exciting as DefCon/BlackHat this week, but we do have a few things....

Good Reads:

  • The new issue of Digital Forensics Magazine is out, and includes not only an article by Rob Lee on what it takes to become a computer forensics pro, as mentioned last week, but also an article on real time network forensics, and a nice survey of law enforcement practices around the world, written by Christa Miller. If you don't subscribe already, you should - go to and sign up!
  • Selena Ley has a brief overview article on Safari artifacts that should be consideredin


Computer Forensics: Identifying Disk Differences — Broken Mirrors

One Friday afternoon I was greeted by a large package from FedEx. Inside the giant box was supposed to be a hard disk drive on which I was to conduct digital forensic analysis. Opening the box and removing a few handfuls of packing peanuts revealed a bubble-wrapped Dell Tower. Obviously, the clients, like most non-computer folks, didn't know they could remove the actual hard disk drive from the tower and send those my way.

After grabbing the paperwork for this job, filling out my own chain-of-custody documentation and evidence receipt, I cracked open the tower and saw the following inside:

Image 1: Double SATA, double fun

Digital Forensics Recertification (Beyond the Cert)

It was that time again, GCFA recertification. This was going to be my third SANS GCFA recertification attempt. This year I had an option, exam or CMUs (Certification Maintenance Units). I had the CMUs necessary for submission. The problem was, I could apply them to my G7799 Certification or my GCFA certification. I chose the exam option for my GCFA.

I consider the exam and the provided materials an outstanding way to get the least expensive SANS course available. It is one of the real benefits to a certified SANS alum. Anyone who is certified and has used the materials would agree in the value. The newest materials, updated tools provided


Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 2

Welcome to part two of my FTK v3 review. If you have not read the first post, it can be found here. Forensic suites are notoriously difficult to review because of the sheer number of features they include. We are lucky within the computer forensic community to have multiple vendors operating in a highly competitive environment. As such, the core forensic suites continue to add functionality. I have chosen to highlight a few of the new(er) features within Access Data's Forensic Toolkit (FTK). I interact with a lot of folks who are building forensic capabilities within their organizations, often with a limited budget. With the new additions to FTK, I find myself recommending it more and more. For the typical forensic shop it really does have a lot of bang


Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 1

When it comes to computer forensic tools, I consider myself to be somewhat of a late adopter. I love to play with the latest tool release, but when it comes to what I'm actually going to use in my lab, I prefer to have a mature product. It takes too much time to test and validate tools to waste time on buggy or incomplete versions. So, I finally made the jump (back) to Access Data's Forensic Toolkit (FTK) in its 3.1 version. Like many forensic professionals I know, I sat out the "lost generation" of FTK v2. However, if you haven't taken a look recently, version 3 will likely surprise you.

I don't expect tool suites to solve all of my forensic problems, but I do appreciate the breadth of capabilities they can provide in one package. FTK v3 excels at facilitating keyword searches, graphics review, email archive parsing, compound file extraction, and has an excellent