SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Intro to Report Writing for Digital Forensics

So you've just completed your forensic examination and found that forensic gem or smoking gun in your case, so how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery) you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report. While the report writing part of the digital forensic examination process is not as fun as the forensic analysis, it is a very important link in the chain as Dave Hull summed it up here in a tweet.

As digital forensic examiners/analysts, we must report and present our findings on a very technical discipline in a simplistic manner. That may be to a supervisor, client, attorney, etc. or even to a judge and jury who will read and interpret your

...


Computer Forensics: Armor For Your Feet

Hal Pomeranz, Deer Run Associates

As forensic professionals we take a great deal of care when acquiring and analyzing evidence. Write blockers, checksumming, working copies- these are part of everybody's standard policies and help to prevent corruption of our digital evidence. However, beyond spoiling your original evidence, there are still various mistakes that you can make that won't ruin your case but will cost you time and increase your frustration level. In this article I'm going to demo a couple of different ways you can shoot yourself in the foot when doing forensics on the Unix command-line (e.g., in the SIFT workstation) and some easy ways to prevent these mistakes.

Output Redirection is Your Friend... Until It Isn't

Let's say you

...


Getting Started in Digital Forensics: Do You Have What It Takes?

Those of you who have been following our weekly Case Leads articles may have noticed that we've made several mentions of the new issue (#4) of Digital Forensics Magazine.SANS has developed a relationship with the good people over at DFM that we hope will prove beneficial to the Forensics and Incident Response community, and we're trying to highlight some of the interesting elements that have arisen from that relationship.

As of Issue 4, our own forensicator-in-chief, Rob Lee, has become a Contributing Author for Digital Forensics Magazine. I have been in contact with the publisher, Tony Campbell, who has generously given us permission to re-print Rob's first article here. So, in a fairly egregious form of hijacking, I am also using Rob's article as a launch pad for a series of posts I've begun writing under the series name "Getting Started in Digital Forensics." Thanks to both Rob and

...


Digital Forensics Case Leads: Intel to Buy McAfee

Intel to by McAfee for U.S. $7+ billion, Facebook login information leakage, Android gaming app hides a Trojan lead the stories this week. A new SANs course is going to be offered that looks to be outstanding along with some good reads from David Nides, Matt Churchill, Joe Garcia and Nick Harbour.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. We would love to hear from all of you.

New Sans Course Being Offered:

There is a new 2-day CombatingMalware in the Enterprise course that Lenny Zeltser andJason Fossen have co-authored. Its major focus is on discovering, responding to, and remediating malware incidents in an enterprise setting. You can find more information out about it here:

http://CombatingMalware.com

The course will debut at the Network Security

...


Digital Forensics Reporting: CaseNotes Walkthrough/Review

One important aspect of Digital Forensics is reporting. There are many reasons for this. One is to keep track of work that you have done during analysis. Another is if you are working on a case and it ends up getting reassigned to another examiner, they can look over your notes and will know what you've done, how you've done it, when you've done it and what the results were up to that point of transfer. The most important reason though, is for your appearance in court to testify on a case. Now as most of us know, there are many cases that never make it to trial or end up getting settled out of court. That is no excuse to be lax in your reporting. Each case should be treated like it will go the distance.

With that said, I, like most, have taken my notes by hand. I find that handwritten notes tend to become sloppy in the long run. While taking notes, if you run out of room and don't have another clean sheet of paper handy to continue you may end up writing in

... Continue reading Digital Forensics Reporting: CaseNotes Walkthrough/Review