SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics: Introducing ForensicArtifacts.com

??There always seems to be common questions asked on forensic mailing lists, forums, and blogs. One of the common questions is, "Does anyone have contact information for ABC company?" Another question commonly seen is, "Has anyone dealt with ABC program or have a whitepaper for it?" The first question is solved by the ISP list at Search.org. The second question didn't have a unified source of information - until now.

The website ForensicArtifacts.com was recently launched to provide a reference database for forensic examiners looking for specific information on artifacts of operating systems, programs, and user activity. The website was set up in blog format allowing examiners to subscribe to the RSS feed or simply visit the site and use the global search functions. There is also a


Computer Forensics: Using Evidence Cleaners to Find Artifacts

I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many can argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.

CCleaner used to store settings in the Registry, but has now opted to use an .INI file to assist in application portability. This is a great asset to forensic examiners who like to research new artifacts. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this

...


Digital Forensics Case Leads: Does Forensicator Pro include a Hex Editor? and other tool tales

Well, it's been a quiet week at Lake DataBeGone, where all the forensicators are above average, or at least aspire to that. Nothing as exciting as DefCon/BlackHat this week, but we do have a few things....

Good Reads:

  • The new issue of Digital Forensics Magazine is out, and includes not only an article by Rob Lee on what it takes to become a computer forensics pro, as mentioned last week, but also an article on real time network forensics, and a nice survey of law enforcement practices around the world, written by Christa Miller. If you don't subscribe already, you should - go to http://www.digitalforensicsmagazine.com/ and sign up!
  • Selena Ley has a brief overview article on Safari artifacts that should be consideredin

...


Computer Forensics: Identifying Disk Differences — Broken Mirrors

One Friday afternoon I was greeted by a large package from FedEx. Inside the giant box was supposed to be a hard disk drive on which I was to conduct digital forensic analysis. Opening the box and removing a few handfuls of packing peanuts revealed a bubble-wrapped Dell Tower. Obviously, the clients, like most non-computer folks, didn't know they could remove the actual hard disk drive from the tower and send those my way.

After grabbing the paperwork for this job, filling out my own chain-of-custody documentation and evidence receipt, I cracked open the tower and saw the following inside:

Image 1: Double SATA, double fun



Digital Forensics Recertification (Beyond the Cert)

It was that time again, GCFA recertification. This was going to be my third SANS GCFA recertification attempt. This year I had an option, exam or CMUs (Certification Maintenance Units). I had the CMUs necessary for submission. The problem was, I could apply them to my G7799 Certification or my GCFA certification. I chose the exam option for my GCFA.

I consider the exam and the provided materials an outstanding way to get the least expensive SANS course available. It is one of the real benefits to a certified SANS alum. Anyone who is certified and has used the materials would agree in the value. The newest materials, updated tools provided

...