SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Dealing with Split Raw Images in Digital Forensics

Hal Pomeranz, Deer Run Associates

Lately I've been working with images from a client whose policy is to create their dd type images as a series of 2GB chunks- the so-called split raw format. While commercial forensic tools will typically handle this format easily, split raw images can present challenges for examiners using Open Source utilities and Linux command-line tools. With image sizes constantly increasing, recombining the individual chunks of a split raw image into a single, monolithic image file is not really practical either in terms of analyst time or disk space. Happily, there are some Open Source utilities that can make dealing with split raw images considerably easier.

The Sleuth Kit

The Sleuth Kit utilities have actually supported split raw format since v2. The trick is to use the "-i split" option

...


Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and or download pornographic images from the Internet. First let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said we agreed in the onset of the investigation that any image that clearly showed sexual organs would be the definition we would use in determining if a particular image met the client's definition of a pornographic image.

Processing the case with FTK 3.12 and both collecting images in allocated space as well as carving for images in unallocated space revealed well over 60,000 images. The client needed and answer quickly hence manually reviewing and classifying the large number of images was not an option. If you simply did a quick view of each image for just 5 seconds you would burn about 2 weeks of labor. The process needed to be automated and sooner than later. I had heard AccessData had

... Continue reading Digital Forensics: Too Much Porn, Too Little Time


Digital Forensics Case Leads: Using VMWare for Forensic Analysis

I have a lot of students ask me about different options for case management/forensic analysis tools besides commercial based products. As we know,VMWare Desktop is not free, you can download a free trial copy for 30 days and utilize the SIFT Workstation (for example). I also recommend the bootable Knoppix-like CDs for live analysis and contain case management as well. Here is a great tutorial from Forensic Focus on using VMWare as a forensic tool.

Tools:

  • VMWare and SANS Sift Workstation. The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format

...


Digital Forensics Practitioners Take Note: MS DLL Hijacking

DLL Hijacking Issue Gets Out Of Band Fix / Work Around From Microsoft

Though not as simple to pull-off for the bad guys as today's drive-by hacking exploits; successful exploitation requires a user first be tricked into visiting an untrusted WebDAV server in the Internet Zone and then double-click on any type of file, this enables attackers to cause a malicious file to be executed on the user's PC.

Because this is not an enabler of traditional drive-by hacking, many dismissed the severity of this vulnerability. However, given the recent publication of a Microsoft Advisory, Insecure Library Loading Could Allow Remote Code Execution, an initial work around published last week and a new tool released

...


Digital Forensics Case Leads: Reverse Engineer Malware, Analyze Timelines and Report Findings

This week, we have a wealth of information about REMnux, Lenny Zeltser's Linux distribution for analyzing malware, Kristinn Gudjonsson's paper on Super Timeline Analysis, and some interesting report-writing posts that I wanted to recall attention to. There's a lot of interesting reading ahead, so without further ado...

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Reverse Engineering Malware:

Since he released his REMnux distribution for analyzing malware, our friend Lenny Zeltser has gotten quite a bit of attention for his distribution and for his SANS class, Reverse Engineering Malware.

...