SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

I'm here! Now what?

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I'm the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you're bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of

... Continue reading I'm here! Now what?


Digital Forensics Case Leads: SQLite changes may impact your processes

I don't know if it's the time of year, the heat or what, but there's been so much going on over the last couple weeks that this post almost didn't make it out. Gasp! Thanks to the efforts of Ira Victor and Mark McKinnon (yay crowd-sourcing), we pulled it off. Speaking of crowd-sourcing, this post is meant to be a weekly round-up of things we've found that may be of interest to digital forensics and incident response practitioners, as such, please drop us a line at caseleads@sans.org if you have an item that you feel should be included in the weekly post. We appreciate it.

Tools:

  • Paraben's P2 Explorer is a great little free tool that mounts a variety of popular disk image formats, allowing the investigator to easily run a variety of tools against the mounted file system (e.g. anti-virus/malware scans).
  • Digital

...


Stop, Children, What's That Sound?

Making Use of a Super Timeline

I won't go over how to create a Super Timeline since Rob has already covered that as a high level in on the SANS Digital Forensics Blog. What I've been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that never occurred to me to consider as part of a timeline.

What I've learned is that creating a Super Timeline is only the beginning of timeline analysis. Because the Super Timeline method captures so many time stamps, it islikely that a SuperTimeline will contain too many entries to manually review line by line especially if an examiner creates a timeline for an entire drive image.The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend

...


exFAT File System Time Zone Concerns

exFAT Time Zone Concerns

The exFAT file system tracks the time zone offset of all MAC time's stored for the respective file. The file system uses 32-bit time stamps (and another byte tracking 10ms increments). Additionally, all time stamps are recorded to the file system as local machine time while applying a time zone offset that is also stored when a file is changed/modified/accessed. The implications of this include being able to track removable media across several time zones without the need for the system they were used in. (For a more detailed look at the exFAT file system, see Robert Shullich's paper on SANS Computer Forensics Resources).

exFAT stores time zone offsets in a one byte value. Vista SP1 (the first desktop release of exFAT) did NOT utilize the time zone byte. In this case, the time zone bytes will be 0x00. Since the OS

...


SANS Digital Forensics Training in Portland, Oregon (Aug 23-28)

Our instructor Mike Murr is one of our best Digital Forensic Instructors! The wonderful thing about smaller classrooms is you get better training than when you are competing with 40 people to get help from the instructor. SANS uses these smaller events for individuals who are seeking more personalized training and really want to get the most out of their training dollars.

The Top 6 Reasons You Should Take SANS Computer Forensics and Incident Response (FOR508) Training in Portland, OR - August 23 - 28, 2010.

  1. Mike has a deep knowledge of Windows systems, from the bit and the bytes to the files and the artifacts. He has written several forensic tools for his clients, and you can find his open source digital forensics framework at