SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: ZeusTracker; Legal Hold Software; Port Control as a Forensic Tool

The Zeus banking Trojan continues to siphon cash from businesses' bank accounts. Attackers compromise networks and computers, then lie in wait until accounts are accessed, at which point authentication may be hijacked, allowing attackers to submit transactions. The credentials match; even two-factor systems are being defeated. At last count, attackers made over $120 million in unauthorized transactions in Q3 2009 (source: FDIC).

Multi-factor and out-of-band authentication will not cure the ill if the customers' machines are owned by the attackers. Per-transaction authentication is needed (probably digitally signed and with a MAC). If you are working as an incident responder, it may be helpful to know some of the currently active command and control systems connected to Zeus. Here is a handy list, provided by ZeusTracker (note: SSL certificate errors may pop up,


An anti-forensics dd primer

dd is the swiss army knife of file tools - with /dev/tcp it can also be a network tool (but nc is simpler).

First we need the basics for dd. For this we have the man page and some definitions. I have taken (blatantly paraphrased) the man page info for dd and included it below (which is simple to obtain: "man dd").

For the purpose of a task such as reversing files and swapping them, we need to concentrate on the following options:

  • bs - This is block size. Setting "bs=1" means that we can use dd as a bit level (instead of a block level tool). Although it does slow down the process from a block copy, we are not looking at how fast we can copy here.
  • skip - this tells us to skip "n" blocks. In our case, we want "n" bits.

What we are going to do is start at the value of "n" set to our last bit in the file. We will loop the dd function to next copy bit "n - 1", then "n - 2", ... to

... Continue reading An anti-forensics dd primer
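The loop described above, written out as a POSIX shell function; this is an added example, not code from the original post. It assumes a file small enough that one dd invocation per unit is acceptable. Note that bs=1 makes dd's block one byte, the smallest unit dd can address, so each iteration copies one byte (from the end of the input toward the start) and appends it to the output; the sample input is constructed inside the test.

```shell
#!/bin/sh
# Added example: reverse a file with dd using bs=1 and skip=N,
# copying one byte per iteration from the last byte down to the first.

reverse_with_dd() {
    in="$1"
    out="$2"
    : > "$out"                                 # start with an empty output file
    n=$(wc -c < "$in" | tr -d ' ')             # size in bytes; bs=1 means byte-sized blocks
    i=$n
    while [ "$i" -gt 0 ]; do
        i=$((i - 1))                           # next unit to copy: n-1, n-2, ... 0
        # skip=i positions dd at byte i; count=1 copies exactly one block (one byte)
        dd if="$in" bs=1 skip="$i" count=1 2>/dev/null >> "$out"
    done
}

# Size of a file in bytes, used to confirm the output has as many
# bytes as the input (one dd copy per byte, not per bit).
byte_count() {
    wc -c < "$1" | tr -d ' '
}
```

Run it as `reverse_with_dd input.bin output.bin`; reversing the output again restores the original, which is a quick sanity check that no bytes were dropped.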

Windows 7 MFT Entry Timestamp Properties

Windows 7 MFT Entry Times

I have been doing some research on and off for the past week or so on what updates an MFT entry's time value properties in $STDINFO and $FILENAME. I am hoping for someone to provide me feedback if you get similar results. Also, what are the results for XP and Vista? Both should be checked.

To get started, here is my breakdown of what I have observed. I wouldn't use this in official reports yet, but this is a first stab at generating discussion and sharing what you see on your systems. Please email me at rlee at if you find anything to update as a result of this graph. I'd like to create a separate one for XP and Vista too.

Understanding *NIX File Linking (ln)

The "ln" command is an important tool in any Unix admin's arsenal and attackers use it too, so it is essential that forensics analysts understand it. It is used to either:

  1. Create a link to a target file with a selected name.
  2. Create a link to a target file in the current directory.
  3. Create links to each target in a directory.

The "ln" command will by default produce hard links. Symbolic links are created with the "--symbolic" option set (or "-s"). In order to create a hard link, the target file has to exist. The primary formats of the commands are:

  • ln [OPTION]... [-T]
  • ln [OPTION]...
  • ln [OPTION]... -t

Some malicious uses of ln are in hiding files, though perhaps not very well, and creating subterfuge by wrapping legitimate programs. The "ln" command need not

... Continue reading Understanding *NIX File Linking (ln)
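Because a hard link is just a second directory entry for the same inode, the analyst's side of this is finding the extra names. The following triage helpers are an added example, not code from the original post: they list regular files with more than one name, list symbolic links with their targets, and compare inode numbers so you can tell a hard link (same inode) from a symbolic link (its own inode). They assume POSIX find and ls plus readlink, which is available on Linux and the BSDs; the sample tree is constructed in the test.

```shell
#!/bin/sh
# Added example: surface hard links and symbolic links under a directory
# tree, the way a forensic analyst would look for files hidden or wrapped
# with ln.

# Inode number of a path. ls -di does not follow symlinks, so a symlink
# reports its own inode rather than its target's (stat output varies
# between GNU and BSD, so ls is used for portability).
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Regular files whose link count exceeds one: another name for the same
# data exists somewhere on this filesystem. -links is POSIX find.
hard_links_in() {
    find "$1" -type f -links +1
}

# Symbolic links and what they point at, one "link -> target" per line.
symlinks_in() {
    find "$1" -type l | while read -r l; do
        printf '%s -> %s\n' "$l" "$(readlink "$l")"
    done
}

# True when two paths are the same inode, i.e. hard links to one file.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}
```

Run `hard_links_in /path/to/image_mount` on a mounted evidence image; every file it prints has at least one other name, and `same_inode` confirms which names belong together. A symlink never shows up in that list because it has its own inode and link count.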

Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.