SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 1

When it comes to computer forensic tools, I consider myself to be somewhat of a late adopter. I love to play with the latest tool release, but when it comes to what I'm actually going to use in my lab, I prefer to have a mature product. It takes too much time to test and validate tools to waste time on buggy or incomplete versions. So, I finally made the jump (back) to Access Data's Forensic Toolkit (FTK) in its 3.1 version. Like many forensic professionals I know, I sat out the "lost generation" of FTK v2. However, if you haven't taken a look recently, version 3 will likely surprise you.

I don't expect tool suites to solve all of my forensic problems, but I do appreciate the breadth of capabilities they can provide in one package. FTK v3 excels at facilitating keyword searches, graphics review, email archive parsing, compound file extraction, and has an excellent

...


Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more

The DefCon conference ended on Sunday, and this year's edition of the "World's Largest Hacker Conference" (as many call it) didn't disappoint. We have news and coverage from a forensic and incident response viewpoint, including news about the Wikileaks incident you might not have seen elsewhere. Blackberry is getting hammered on security, or at least that's what many headlines read; we have a different take. Web tracking and privacy are getting a higher profile: what are the forensic implications? Many home and business networks are "protected" by popular router/firewalls sold at big box electronics stores, and new research reveals breach mechanisms that have forensic and incident response implications. The truth is slowly being revealed, along with people's private parts, about images from the Whole Body Scanners. And, in the Levity Section: the social engineering contest was a hit at DefCon 18.

Good Reads / Good Audio:

  • "I know what happened with

... Continue reading Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more


Keep on Moving

I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness, but occasionally these things are so immense that I believe my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digital Forensics Blog and find that someone else has typically beaten me to it.

As many of you may already know, I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result is that I have found how these files are structured and can manually dissect them to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this: What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan

... Continue reading Keep on Moving


Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to implement this tool into your forensic toolkit. This post is part of a series and will introduce functionality of IEF v3.3. You can download the most recent version (v3.5.1 at the time of this article) from JadSoftware.com. Just a brief recap of what IEF will search for on a mounted drive/folder: Facebook chat, Yahoo! chat (IEF must have the chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, Hotmail webmail fragments, Yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

...


Trusting Your Tools

"A trusted tool is one that you understand what it does" - Chris Pogue

I recently heard Chris make that statement during his "Sniper Forensics" presentation at the 2010 SANS Forensics & Incident Response Summit. It was that statement that inspired me to put together this post. As digital forensic examiners, we rely on various applications/programs (tools) to aid us during our investigations. I want to take Chris' statement and flesh it out a bit:

"A trusted tool is one that you understand what it does, where it came from, what flaws it has and what results it gives you."

This post is aimed at those who are new to digital forensics, but it will also help those who may not have been given a push in the right direction, or those who are experienced but might have lost their way. So let's get started.

There may be a tool you are interested in using that you heard about somewhere. Let's face it: forensic examiners need tools to assist them with their

... Continue reading Trusting Your Tools