SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

OPEN TO ALL - Digital Forensics Awards Night - 8 July 2010

  • Looking for new technology to help stop the advanced persistent threat?
  • Want to share in a drink with Harlan Carvey, Jesse Kornblum, Lee Whitfield, or Andrew Hay?
  • Need to know who is going to win the Apple iPad for the Forensic Challenge?
  • Waiting to see Lee Whitfield present those outstanding Forensic 4Cast Awards?

Stop by on 8 July 2010 for a drink and a knowledge bomb, courtesy of SANS and the vendors of the 2010 Forensics and Incident Response Summit.

The two awards ceremonies at the 2010 Digital Forensics and Incident Response Summit are free to the public. You do not have to be a summit attendee to participate in any of the evening events listed below.

And, if you can't make it in person, listen in live via the FREE webcast.

The festivities begin at 4:20 p.m.


The SANS Institute's Digital Forensics Lethal Forensicator Coin (RMO)

Next week at the 2010 Digital Forensics and Incident Response Summit, we will unveil and award for the first time the SANS Institute's Digital Forensics "Lethal Forensicator" Coin (or RMO - for "Round Metal Object"). The members of this elite unit will encompass the best in the digital forensics field and those that have demonstrated talent or leadership deserving special recognition.

Digital Forensics Case Leads: Data Exposed, Movie Piracy Sites Shut Down and a 0day Exploit Hits More Than 10,000 Computers

This week in Case Leads we have another round of data exposed at WellPoint. The Feds shut down movie piracy sites, and Microsoft reports more than 10,000 Windows XP computers hit with a 0day exploit. Some great reads on memory analysis and pagefiles, Safari forensics, and getting alternate timestamps from the $MFT. Don't forget to cast your vote for the 2010 Forensic 4Cast Awards; make your vote count.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Mount raw images as VMDK virtual disks using raw2vmdk

Good Reads:


Sanitizing Media (The Linux Method)

Hal Pomeranz, Deer Run Associates

I've been wiping a lot of media lately. Mostly these are USB devices that we've used to share evidence and other data during an investigation. I want to be sure that I don't accidentally disclose any data from my cases, and I also want to know when I reach into my bag for a USB stick that it's not going to be polluted with other data. And when I get new media (from a vendor, trade show, or whatever) I always have a strict policy of wiping the drive completely from my Linux box (which is specifically configured not to automount new media) before it gets near any Windows machines that might have autoruns enabled.

Happily, Linux makes this whole process quite straightforward with just a few simple command-line tools.
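The wipe-and-verify sequence the excerpt refers to, as an added example that is not from Hal's post (his own commands are in the full article, which this listing cuts off). It assumes dd, od, head, tr and mktemp, and blockdev(8) from util-linux for sizing a real device. On a real stick the target would be the whole-device node (for example /dev/sdb as reported by dmesg, never a mounted disk); the demo function substitutes a file-backed stand-in filled with random bytes so the script can run without hardware. The read-back pass is the check worth keeping: dd exits early on a write error, and a failing stick can silently drop writes, so "dd finished" is not the same as "the media is clean".

```shell
#!/bin/sh
# Added example (not Hal Pomeranz's code): zero-fill a piece of media with
# dd, then read every byte back and confirm that nothing but zeros survived.
# The demo uses a constructed file-backed stand-in; pointing wipe_media at
# a mounted or wrong block device will destroy it.

# Size in bytes: blockdev(8) for a real device, wc for a file stand-in.
media_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite every byte with zeros. conv=notrunc keeps a file stand-in at its
# original size; on a block device dd simply stops at the end of the media.
wipe_media() {
    size=$(media_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null
}

# Verification pass: dump the media as hex and delete every '0', space and
# newline. Anything left over is a non-zero byte that survived the wipe.
# Prints "clean" or "dirty".
verify_wipe() {
    if [ -z "$(od -An -v -tx1 "$1" | tr -d ' 0\n')" ]; then
        echo clean
    else
        echo dirty
    fi
}

# Demo on a constructed 4 MiB stand-in full of random bytes (so it starts
# dirty). Prints the verification result before and after the wipe.
demo_wipe() {
    tmp=$(mktemp) || return 1
    head -c 4194304 /dev/urandom > "$tmp"
    before=$(verify_wipe "$tmp")
    wipe_media "$tmp"
    after=$(verify_wipe "$tmp")
    rm -f "$tmp"
    echo "$before $after"
}
```

For a real device, run `wipe_media /dev/sdX` followed by `verify_wipe /dev/sdX` as root, and only after confirming with `lsblk` or `dmesg` that /dev/sdX is the stick you just plugged in. A single zero pass is enough to keep case data off a shared USB stick; it is not a substitute for a certified sanitization procedure where policy requires one.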


Autoruns and Dead Computer Forensics

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon. It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered

... Continue reading Autoruns and Dead Computer Forensics