SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensic Case Leads: Forensic 4Cast Voting is Open

Short post this week, as yours truly is under the weather. I hate colds, but they are far more miserable in the summer when the weather is beautiful.

It's con season. Last week was SANSFire, and this week started off with the Pen Test Summit, and FIRST and in the coming weeks we'll see the Forensics Summit (details below), Black Hat and Defcon. I love this time of year and can't wait to see what great tools and discoveries will be released in the coming months.

Tools:

  • For anyone who has ever had to dig through the registry piecing together information about various USB devices that have been plugged into a system, here's a useful tool that will do the heavy lifting for you. That link will take you to a post that discusses the various registry artifacts in play and includes a link to the tool.
  • Mandiant has

...


Forensic 4cast Awards Voting Has Opened

The voting has opened for the Forensic 4cast awards. You can castyour votes here.

The voting will close on July 6th and the winners will be announced atthe SANS Forensics and Incident Response Summit which will be held onJuly 8th and 9th in Washington, DC.

The nominees are as follows:

Outstanding Contribution to Digital Forensics - Individual
Lee Whitfield
Rob Lee
Kristinn Gudjonsson
Matt Shannon

Outstanding Contribution to Digital Forensics - Company
Guidance Software
SANS
F-Response (Agile Risk Management)

Digital Forensics Blog
Windows Incident Response
SANS
Happy as a

...


First forensics work - Part 2: Sure it's big enough ... but look at the location.

So you've managed to calm your nerves some. As we discussed in Part 1 of this series, you managed to collect memory and disk images from computers you could walk up too and touch using Helix. You haveexternal hard drivesfilling up with images to be looked at. You have been going down the list of systems that you need to image and things are going smoothly.

Until now.

You have discovered, things are slightly more complex for the next system. One of the computers you have to take an image of is located in Seattle.

Nice city. Space Needle webcam is cool. OK weather, if you're aduck. They do call it the Rain City for a reason.

Butthere isjust one small problem.

You are in Cleavland.

...


Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool inRegRipper andit's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose - parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did wasmodify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in web application used to sign onto to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to not focus on using secure methods like using random numbers in generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...