SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Trusting Your Tools

"A trusted tool is one that you understand what it does"- Chris Pogue

I recently heard Chris make that statement during his "Sniper Forensics" presentation at the 2010 SANS Forensics & Incident Response Summit. It was that statement that inspired me to put together this post. As digital forensic examiners, we rely on various applications/programs (tools) to aid us during our investigations. I want to take Chris' statement and flesh it out a bit:

"A trusted tool is one that you understand what it does, where it came from, what flaws it has and what results it gives you."

This post is aimed at those that are new to digital forensics, but will also help those that may not have been given a push in the right direction or those that are experienced who might have lost their way. So let's get started.

There may be a tool you are interested in using that you heard about somewhere. Let's face it, forensic examiners need tools to assist them with their

... Continue reading Trusting Your Tools


Windows MBR and Advanced Format Drives (e512)

Advanced Format Drives (e512)

Advanced Format drives are now on the market in full force. These drives are also known as e512 drives. They implement the Long Data Sector standard recommended by the International Disk Drive Equipment and Materials Association (IDEMA). These are also known as 4k (4096-byte) sector drives. Fortunately, for legacy compatibility, the drive controllers and electronics emulate 512-byte sectors (hence the term e512), so the various OSes and applications out there still see a sector size of 512 bytes. It turns out this is not a major game changer for forensic examiners, unless you're really getting into rebuilding a drive physically.

That said, there is an area of change that should be noted. Some legacy artifacts have changed with the way these drives are now formatted. Specifically, the Master Boot Record (MBR) method of partitioning a drive has changed with Windows 7. Until

... Continue reading Windows MBR and Advanced Format Drives (e512)


I'm here! Now what?

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I'm the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you're bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of

... Continue reading I'm here! Now what?


Digital Forensics Case Leads: SQLite changes may impact your processes

I don't know if it's the time of year, the heat or what, but there's been so much going on over the last couple of weeks that this post almost didn't make it out. Gasp! Thanks to the efforts of Ira Victor and Mark McKinnon (yay crowd-sourcing), we pulled it off. Speaking of crowd-sourcing, this post is meant to be a weekly round-up of things we've found that may be of interest to digital forensics and incident response practitioners; as such, please drop us a line at caseleads@sans.org if you have an item that you feel should be included in the weekly post. We appreciate it.

Tools:

  • Paraben's P2 Explorer is a great little free tool that mounts a variety of popular disk image formats, allowing the investigator to easily run a variety of tools against the mounted file system (e.g. anti-virus/malware scans).
  • Digital

...


Stop, Children, What's That Sound?

Making Use of a Super Timeline

I won't go over how to create a Super Timeline, since Rob has already covered that at a high level on the SANS Digital Forensics Blog. What I've been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that never occurred to me to consider as part of a timeline.

What I've learned is that creating a Super Timeline is only the beginning of timeline analysis. Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line, especially if an examiner creates a timeline for an entire drive image. The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend

...