SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

SANS Digital Forensics Training in Portland, Oregon (Aug 23-28)

Our instructor Mike Murr is one of our best Digital Forensic Instructors! The wonderful thing about smaller classrooms is you get better training than when you are competing with 40 people to get help from the instructor. SANS uses these smaller events for individuals who are seeking more personalized training and really want to get the most out of their training dollars.

The Top 6 Reasons You Should Take SANS Computer Forensics and Incident Response (FOR508) Training in Portland, OR - August 23 - 28, 2010.

  1. Mike has a deep knowledge of Windows systems, from the bit and the bytes to the files and the artifacts. He has written several forensic tools for his clients, and you can find his open source digital forensics framework at

Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten than out...

On behalf of all of the contributors to theSANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyonewho voted for us asBest Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit,if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please


Linux Programming Tools

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system. In this event, the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console can be used to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. These may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

In many instances, systems

... Continue reading Linux Programming Tools

Forensic 4cast Award Results

Lee Whitfield of Forensic 4cast presented the 2nd annual Forensic 4cast awards last night at the SANS Forensics and Incident Response Summit. You can find the SANS webcast of the awards here. The actual awards were provided by the fine people at Disklabs. Thanks very much to Lee Whitfield and Disklabs for everything they did to bring the awards together!

Outstanding Contribution to Digital Forensics - Individual
Rob Lee

Outstanding Contribution to Digital Forensics - Company

Best Digital Forensics


Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to