SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Protecting Admin Passwords During Remote Response and Forensics

PsExec

PsExec has been a great tool for remotely executing processes on a Windows machine. It has been around for years and is one of many useful tools from Mark Russinovich (formerly of SysInternals, now with Microsoft). As described on PsExec's webpage, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."

That said, there is a significant drawback to PsExec's default behavior, as described in the last sentence of the description on PsExec's webpage: "Note that the password is transmitted in clear text to the remote system."

This is something that needs to be seriously considered and accounted for when using PsExec. Corporate incident responders typically have domain administrator rights for response purposes. The idea of

...


First forensics work - Part 1: Organized chaos and panic

You've taken the plunge. You want to work in digital forensics. Congratulations. You've told your boss of this interest, managed to get some forensics training (SANS FOR508of course! ) and hyped upthe type of things you would be able to accomplish. You feel good about yourself.

Until now.

Two months after your course.

And you haven't had time to practice anything, let alone review the material.

The situation: You were called in and asked to use all of thesenew skills to help solve a problem. And the pressure is on, as they want someanswers by the end of the day. Now you are wondering why did I tell them I wanted to do this again?

Don't panic.

You can do this. We`ve all been there. All you need is a little help from your friends.

The goal of this seriesis to help guide you through a case, and provide suggestions on how

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition


Book Review: Windows Forensic Analysis

Title: Windows Forensic Analysis - DVD Toolkit 2nd Edition
Author: Harlan Carvey
Publisher: Syngress
Date of Publication: 2009
Price: $69.95 (USA)
ISBN: 978-1597494229
Reviewer: Peter Sheffield
Review

This second edition of Harlan Carvey's excellent book on Windows Forensic Analysis is a fantastic uplift to what I'd classify as the best book I owned on Windows forensics, especially from a practitioners' perspective. This 2nd edition works on multiple levels; with practical advice and guidance for live Windows forensic analysis as well as more in depth discovery guidelines for back your work back in the lab, all augmented by real scripts and utilities that will help you retrieve valuable forensic evidence from a target machine. Chapter 4 on registry analysis is particularly strong with details on audit policy and event log analysis, wireless SSID discovery, understanding autostart, and one of my favorites, the section on how to track USB

... Continue reading Book Review: Windows Forensic Analysis


2010 Digital Foreniscs and Incident Response Summit - Final Agenda Released

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Matt Olney (SourceFire) said that when describing the Advanced Persistent Threat attacks earlier this year. He was not joking. The results over the past year clearly indicate that hacking groups are racking up success after success. Over 30 companies have been compromised by the Advanced Persistent Threat. Organized crime utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.

The enemy is getting better, more bold, and their success rate is impressive. Are we?

We can do better. We need to field a more sophisticated incident responders and forensic investigators. We need lethal forensicators that can detect and eradicate advanced threats immediately.

... Continue reading 2010 Digital Foreniscs and Incident Response Summit - Final Agenda Released