SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

SANS Digital Forensics and IR Summit 2010: Advanced Persistent Threat Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

These questions are selected initially by the panelists to kick the panel off. Each panelist will choose one question initially and answer it. Once the initial questions are completed, additional questions will be taken from the attendees at the event.

Advanced Persistent Threat Panel Discussion

Panelists will discuss the Advanced Persistent Threat.

...


Digital Forensics Case Leads: Certs and Books and Meetings - Oh My!

Tools

Good Reads:

  • Dominik Weber of Guidance Software has a very interesting writeup regarding acquisition of flash drives. The wear-leveling technology that is incorporated to extend the lifetime of flash devices can cause apparently random changes in hash values between acquisitions of the device, so it's important to take this into account. With the increasing popularity of SSD drives in computers, this will likely become increasingly important.

News:

  • Not to be outdone by Guidance Software's acquisition of Tableau, Access Data announced

...


NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from http://www.vinecorp.com/ndiff/. The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the "-b" option to select the file that is the baseline with the file to be tested using the "-o" option. The "-fmt" option selects the reporting format.

Ndiff can query the system's port states or even test for types of hosts and Operating Systems using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline ] [-o|-observed ]

[-op|-output-ports ] [-of|-output-hosts ]

... Continue reading NDIFF for incident detection


Digital SANS Forensics and IR Summit 2010: Network Forensics Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

Network Forensics Panel

Panelists will tell you the challenges faced by properly collecting and analyzing network based evidence. It is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the

...


SANS Digital Forensics Summit Challenge 2010 - FINAL CONTEST WEEK!!

FINAL WEEK - SUBMISSIONS Due 27 June 2010

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. I asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at - forensicscontest.com) to create a contest based partially on how the APT might try and trigger a

...