SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Digital Forensics Case Leads: Guidance Busy this week.

This week big news from Guidance Software, maker of Encase. The U.S. Secret Service will now add more data to the Verizon Breach Report. Microsoft release Office 2010 and several new/updated tools and virtual pit bulls are now protected.

Tools:

Good Reads:

...


Digital Forensics Case Leads: Good reads and coming events

It's been a very busy week this week, so this week's Case Leads post is all about brevity. There were a bunch of great articles put out this week and I'm sure I've missed a few. At the end of this week's post there's an email address for the Case Leads series. If you have written or read something you think should be included in the weekly round up, please let us know.

Last week I posted a few sites that regularly publish lists of domains that are known to be serving malware. I'm working on a project that's scraping some of these sites and building lists of IPs for use in a network security monitoring program. What I didn't know at the time was that malwaredomains.com has a text file that they regularly update with new domain names. This makes my task much easier.

For fun this week, I took the text file and extracted the hostnames from all the uncommented lines in

...


Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. The thing that makes these things very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64bit Windows filetime values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...


Digital Forensic Case Leads: Malware hunting

Incident responders and digital forensics investigators are on the front-lines in the battle against malware. We need good intelligence for tracking its origins and command and control structures. This intelligence can help us limit malware's access to our networks and help us find it. When we do find it, we need good tools for eradicating it. For this week's Case Leads, I've been looking into some resources and tools that can aid in these efforts.
Tools:

  • First up, a new, to me, malware removal tool called Malwarebytes. As I said, it's new to me, and I've only done a little playing around in the lab, but I've been told by others that it works great. I'm blocking out some time to delve into the tool more extensively and will have more to say about it then.
  • Two sites that provide lists of sites known to be distributing malware, http://www.malwaredomains.com/

...