SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Linux Programming Tools

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system. In this event, the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console can be used to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. These may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

In many instances, systems


Forensic 4cast Award Results

Lee Whitfield of Forensic 4cast presented the 2nd annual Forensic 4cast awards last night at the SANS Forensics and Incident Response Summit. You can find the SANS webcast of the awards here. The actual awards were provided by the fine people at Disklabs. Thanks very much to Lee Whitfield and Disklabs for everything they did to bring the awards together!

Outstanding Contribution to Digital Forensics - Individual
Rob Lee

Outstanding Contribution to Digital Forensics - Company

Best Digital Forensics


Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


People Searches

In the course of assisting corporations with their incident response activities, we are occasionally asked to help find information about employees that might reside on the internet. During a computer exam for an employee threats case, we found activity on Facebook, Twitter, and two different webmail accounts. We captured the public facing social media pages and included them as part of our exam report.

While this is nowhere near new territory, it may be useful to compile a quick hit list of websites to quickly and efficiently build a profile of an individual's social media and internet use. In our case, if the person of interest made public threats outside the business as well as the private threats that occurred inside the business, we needed to find them as quickly as possible and make sure we had them documented.

Here are some good places to start your search:

Social Media

OPEN TO ALL - Digital Forensics Awards Night - 8 July 2010

  • Looking for new technology to help stop the advanced persistent threat?
  • Want to share in a drink with Harlan Carvey, Jesse Kornblum, Lee Whitfield, or Andrew Hay?
  • Need to know who is going to win the Apple iPad for the Forensic Challenge?
  • Waiting to see Lee Whitfield present those outstanding Forensic 4Cast Awards?

Stop by on 8 July 2010 for a drink and a knowledge bomb, courtesy of SANS and the vendors of the 2010 Forensics and Incident Response Summit.

The two awards ceremonies at the 2010 Digital Forensics and Incident Response Summit are free to the public. You do not have to be a summit attendee to participate in any of the evening events listed below.

And, if you can't make it in person, listen in live via the FREE webcast.

The festivities begin at 4:20 p.m.