SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Keep on Moving

I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness but occasionally these things are so immense that I believe that my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digialt Forensics Blog and find that someone else has typically beaten me to it.

As many of you may already know I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result of this is that I have found how these files are structured and can manuallydissect these files to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this:What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan

... Continue reading Keep on Moving


Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to implement this tool into your forensic toolkit. This post is part of a series and will introduce functionality of IEF v3.3. You can download the most recent version (v3.5.1 at time of this article) from JadSoftware.com.Just a brief recap of what IEF will search for on a mounted drive/folder. Facebook chat, Yahoo! chat (IEF must have chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, hotmail webmail fragments, yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

...


Trusting Your Tools

"A trusted tool is one that you understand what it does"- Chris Pogue

I recently heard Chris make that statement during his "Sniper Forensics" presentation at the 2010 SANS Forensics & Incident Response Summit. It was that statement that inspired me to put together this post. As digital forensic examiners, we rely on various applications/programs (tools) to aid us during our investigations. I want to take Chris' statement and flesh it out a bit''

"A trusted tool is one that you understand what it does, where it came from, what flaws it has and what results it gives you."

This post is aimed at those that are new to digital forensics, but will also help those that may not have been given a push in the right direction or those that are experienced who might have lost their way. So let's get started.

There may be a tool you are interested in using that you heard about somewhere. Let's face it, forensic examiners need tools to assist them with their

... Continue reading Trusting Your Tools


Windows MBR and Advanced Format Drives (e512)

Advanced Format Drives (e512)

Advanced format drives are now on the market in full force. These drives are also known as e512 drives. They include the new Long Data Sector standards recommended by International Disk Drive Equipment and Materials Association (IDEMA). These are also known as the 4k - or 4096 - byte sector drives. Fortunately for legacy reasons, the drives are handling the sectors with drive controllers and electronics by emulating 512 byte sectors (hence the term e512). The various OSes and applications out there are going to see sector sizes as 512 bytes. It turns out this is not a major game changer for forensic examiners - unless you're really getting into rebuilding a drive physically.

That said, there is an area of change that should be noted. Some legacy artifacts have changed with the way these drives are now formatted. Specifically, the Master Boot Record (MBR) method of partitioning a drive has changed with Windows 7. Until

... Continue reading Windows MBR and Advanced Format Drives (e512)


I'm here! Now what?

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I'm the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you're bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of

... Continue reading I'm here! Now what?