SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

First forensics work - Part 2: Sure it's big enough ... but look at the location.

So you've managed to calm your nerves some. As we discussed in Part 1 of this series, you managed to collect memory and disk images from computers you could walk up to and touch using Helix. You have external hard drives filling up with images to be looked at. You have been going down the list of systems that you need to image and things are going smoothly.

Until now.

You have discovered that things are slightly more complex for the next system. One of the computers you have to take an image of is located in Seattle.

Nice city. The Space Needle webcam is cool. OK weather, if you're a duck. They do call it the Rain City for a reason.

But there is just one small problem.

You are in Cleveland.

...


Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool in RegRipper, and it's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose: parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in the web application used to sign on to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to neglect secure methods such as using random numbers when generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


WMIC for incident response

Earlier this week, I posted about using psexec during incident response. I mentioned at the end of that post that I've been using WMIC in place of psexec and that I'd have more on that later. This post is a follow-up to the psexec post.

WMIC

Prompted by the excellent work of Ed Skoudis and his part in the Command Line Kung Fu blog, as well as a really nice webcast he did a few years ago titled Essential Windows Command-Line Kung Fu for Info Sec Pros and an Internet Storm Center article from the same year, I've come to rely on WMIC for a large number of IR tasks. It provides much of the functionality of PsExec, as well as a lot of

...


Digital Forensics Case Leads: FTK's updates

Whether you use FTK or EnCase, commercial products have incredible functionality that can be utilized in conjunction with open source computer forensics tools. For this week's Digital Forensics Case Leads, I wanted to focus on the updates to FTK. With commercial products, just as with open source, it is a matter of preference which tool you want to add to your forensic arsenal.

Tools:

  • Forensic Toolkit (FTK®) version 3.1.2 was released May 17th with a 'New and Improved' section, including a 'View This Item in a Different List' feature that allows the user to right-click on a folder, then go to that folder in a Graphics tab and see the files inside, as well as improved identification of JavaScript Object Notation (JSON) files such as those found in programs like Facebook.
  • For the Password Recovery Toolkit® (PRTK®) version 6.5.1, and Distributed

...