SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

First forensics work - Part 1: Organized chaos and panic

You've taken the plunge. You want to work in digital forensics. Congratulations. You've told your boss of this interest, managed to get some forensics training (SANS FOR508 of course!) and hyped up the type of things you would be able to accomplish. You feel good about yourself.

Until now.

Two months after your course.

And you haven't had time to practice anything, let alone review the material.

The situation: You were called in and asked to use all of these new skills to help solve a problem. And the pressure is on, as they want some answers by the end of the day. Now you are wondering, why did I tell them I wanted to do this again?

Don't panic.

You can do this. We've all been there. All you need is a little help from your friends.

The goal of this series is to help guide you through a case, and provide suggestions on how

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges. Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge. More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

...


Book Review: Windows Forensic Analysis

Title: Windows Forensic Analysis - DVD Toolkit 2nd Edition
Author: Harlan Carvey
Publisher: Syngress
Date of Publication: 2009
Price: $69.95 (USA)
ISBN: 978-1597494229
Reviewer: Peter Sheffield
Review

This second edition of Harlan Carvey's excellent book on Windows Forensic Analysis is a fantastic uplift to what I'd classify as the best book I owned on Windows forensics, especially from a practitioner's perspective. This 2nd edition works on multiple levels, with practical advice and guidance for live Windows forensic analysis as well as more in-depth discovery guidelines for your work back in the lab, all augmented by real scripts and utilities that will help you retrieve valuable forensic evidence from a target machine. Chapter 4 on registry analysis is particularly strong with details on audit policy and event log analysis, wireless SSID discovery, understanding autostart, and one of my favorites, the section on how to track USB

...


2010 Digital Forensics and Incident Response Summit - Final Agenda Released

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Matt Olney (SourceFire) said that when describing the Advanced Persistent Threat attacks earlier this year. He was not joking. The results over the past year clearly indicate that hacking groups are racking up success after success. Over 30 companies have been compromised by the Advanced Persistent Threat. Organized crime groups utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholder reports.

The enemy is getting better and bolder, and their success rate is impressive. Are we?

We can do better. We need to field more sophisticated incident responders and forensic investigators. We need lethal forensicators that can detect and eradicate advanced threats immediately.

...


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Windows systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Windows executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the