SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

exFAT File System Time Zone Concerns

exFAT Time Zone Concerns

The exFAT file system tracks the time zone offset of all MAC times stored for the respective file. The file system uses 32-bit time stamps (plus another byte tracking 10ms increments). Additionally, all time stamps are recorded to the file system as local machine time, and the time zone offset in effect is stored alongside them whenever a file is changed/modified/accessed. One implication is that removable media can be tracked across several time zones without needing the system it was used on. (For a more detailed look at the exFAT file system, see Robert Shullich's paper on SANS Computer Forensics Resources).

exFAT stores time zone offsets in a one-byte value. Vista SP1 (the first desktop release of exFAT) did NOT utilize the time zone byte. In this case, the time zone bytes will be 0x00. Since the OS

...
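To make the excerpt above concrete, here is an added Python example (not code from the post) that decodes an exFAT directory-entry time stamp: the 32-bit local time stamp, the 10ms increment byte, and the one-byte UTC offset. The bit layout follows Microsoft's published exFAT specification (bit 7 of the offset byte marks it valid; bits 0-6 are a signed count of 15-minute intervals), and the sample values are constructed; a 0x00 offset byte, as written by Vista SP1, yields a naive local time because the zone is unknown.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def decode_utc_offset(tz_byte: int) -> Optional[timedelta]:
    """Return the stored UTC offset, or None when the byte says 'not recorded'."""
    if not tz_byte & 0x80:          # valid bit clear: e.g. 0x00 from Vista SP1
        return None
    raw = tz_byte & 0x7F            # signed 7-bit value in 15-minute steps
    if raw & 0x40:                  # sign-extend negative offsets
        raw -= 0x80
    return timedelta(minutes=15 * raw)


def pack_exfat_timestamp(year, month, day, hour, minute, second) -> int:
    """Build the 32-bit local time stamp (2-second granularity, epoch 1980)."""
    return ((year - 1980) << 25) | (month << 21) | (day << 16) \
        | (hour << 11) | (minute << 5) | (second // 2)


def decode_exfat_timestamp(ts: int, ten_ms: int, tz_byte: int) -> datetime:
    """Combine time stamp, 10ms byte and offset byte into one datetime.

    The result is tz-aware when the offset was recorded, naive otherwise.
    """
    if not 0 <= ten_ms <= 199:      # spec range: adds 0-1.99 s to the 2 s field
        raise ValueError("10ms increment byte out of range: %d" % ten_ms)
    local = datetime(1980 + ((ts >> 25) & 0x7F), (ts >> 21) & 0x0F,
                     (ts >> 16) & 0x1F, (ts >> 11) & 0x1F,
                     (ts >> 5) & 0x3F, (ts & 0x1F) * 2)
    local += timedelta(milliseconds=10 * ten_ms)
    offset = decode_utc_offset(tz_byte)
    if offset is None:
        return local                # local time of an unknown zone
    return local.replace(tzinfo=timezone(offset))


def to_utc(dt: datetime) -> Optional[datetime]:
    """Normalise to UTC; None if the file carried no offset (cannot be resolved)."""
    return None if dt.tzinfo is None else dt.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: 2010-08-23 14:30:10.57 local, offset byte 0xE4 (UTC-7)
    ts = pack_exfat_timestamp(2010, 8, 23, 14, 30, 10)
    print(decode_exfat_timestamp(ts, 57, 0xE4))   # 2010-08-23 14:30:10.570000-07:00
    print(to_utc(decode_exfat_timestamp(ts, 57, 0xE4)))
    print(decode_exfat_timestamp(ts, 57, 0x00))   # naive: zone not recorded
```

The same local time stamp paired with different offset bytes resolves to different UTC instants, which is what lets an examiner place a removable drive in the zone where each write happened.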


SANS Digital Forensics Training in Portland, Oregon (Aug 23-28)

Our instructor Mike Murr is one of our best Digital Forensic Instructors! The wonderful thing about smaller classrooms is you get better training than when you are competing with 40 people to get help from the instructor. SANS uses these smaller events for individuals who are seeking more personalized training and really want to get the most out of their training dollars.

The Top 6 Reasons You Should Take SANS Computer Forensics and Incident Response (FOR508) Training in Portland, OR - August 23 - 28, 2010.

  1. Mike has a deep knowledge of Windows systems, from the bit and the bytes to the files and the artifacts. He has written several forensic tools for his clients, and you can find his open source digital forensics framework at

Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten that out...

On behalf of all of the contributors to the SANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyone who voted for us as Best Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please

...


Linux Programming Tools

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system: the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console session is enough to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Even where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. They may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

In many instances, systems

...


Forensic 4cast Award Results

Lee Whitfield of Forensic 4cast presented the 2nd annual Forensic 4cast awards last night at the SANS Forensics and Incident Response Summit. You can find the SANS webcast of the awards here. The actual awards were provided by the fine people at Disklabs. Thanks very much to Lee Whitfield and Disklabs for everything they did to bring the awards together!

Outstanding Contribution to Digital Forensics - Individual
Rob Lee

Outstanding Contribution to Digital Forensics - Company
SANS

Best Digital Forensics

...