SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more

The DefCon conference ended on Sunday, and this year's edition of the "World's Largest Hacker Conference" (as many call it) didn't disappoint. We have news and coverage from a forensic and incident response viewpoint, including news about the Wikileaks incident you might not have seen elsewhere. Blackberry is getting hammered on security, well that's what many headlines read. We have a different take. Web tracking and privacy is getting a higher profile, what are the forensic implications? Many home and business networks are "protected" by popular router/firewalls for sale at big box electronics stores. New research reveals breach mechanisms that have forensic and incident response implications. The truth slowly is revealed, along with peoples' private parts, about images from the Whole Body Scanners. And, in the Levity Section: DefCon18 Social engineering contest a hit at DefCon.

Good Reads / Good Audio:

  • "I know what happened with

... Continue reading Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more


Keep on Moving

I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness but occasionally these things are so immense that I believe that my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digialt Forensics Blog and find that someone else has typically beaten me to it.

As many of you may already know I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result of this is that I have found how these files are structured and can manuallydissect these files to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this:What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan

... Continue reading Keep on Moving


Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to implement this tool into your forensic toolkit. This post is part of a series and will introduce functionality of IEF v3.3. You can download the most recent version (v3.5.1 at time of this article) from JadSoftware.com.Just a brief recap of what IEF will search for on a mounted drive/folder. Facebook chat, Yahoo! chat (IEF must have chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, hotmail webmail fragments, yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

...


Trusting Your Tools

"A trusted tool is one that you understand what it does"- Chris Pogue

I recently heard Chris make that statement during his "Sniper Forensics" presentation at the 2010 SANS Forensics & Incident Response Summit. It was that statement that inspired me to put together this post. As digital forensic examiners, we rely on various applications/programs (tools) to aid us during our investigations. I want to take Chris' statement and flesh it out a bit''

"A trusted tool is one that you understand what it does, where it came from, what flaws it has and what results it gives you."

This post is aimed at those that are new to digital forensics, but will also help those that may not have been given a push in the right direction or those that are experienced who might have lost their way. So let's get started.

There may be a tool you are interested in using that you heard about somewhere. Let's face it, forensic examiners need tools to assist them with their

... Continue reading Trusting Your Tools


Windows MBR and Advanced Format Drives (e512)

Advanced Format Drives (e512)

Advanced format drives are now on the market in full force. These drives are also known as e512 drives. They include the new Long Data Sector standards recommended by International Disk Drive Equipment and Materials Association (IDEMA). These are also known as the 4k - or 4096 - byte sector drives. Fortunately for legacy reasons, the drives are handling the sectors with drive controllers and electronics by emulating 512 byte sectors (hence the term e512). The various OSes and applications out there are going to see sector sizes as 512 bytes. It turns out this is not a major game changer for forensic examiners - unless you're really getting into rebuilding a drive physically.

That said, there is an area of change that should be noted. Some legacy artifacts have changed with the way these drives are now formatted. Specifically, the Master Boot Record (MBR) method of partitioning a drive has changed with Windows 7. Until

... Continue reading Windows MBR and Advanced Format Drives (e512)