SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Custodians of Digital Evidence

Let's think like a system administrator for a moment....

Here is the scenario:

You're the corporate incident handler/digital forensics person and you've just finished your latest case. The finished forensics report has been handed off to your boss, human resources, and the legal team. You are looking at your RAID 5 volume with all of the data the case generated. With 500 gigabyte drives and terabyte drives almost a standard now, the case data might be nearly that big. So you back up your data and the tools you used on the case to your DLT tape drive or another hard drive, wipe your drives, and pack the media away for storage.

Now it is four and a half years later, and legal counsel calls you into their office to tell you that the ex-employee has decided to sue. Not a problem, you've got all of the case data backed up. It is just a matter of restoring it and providing copies to counsel as required.

But here is the problem, the DLT drive you have been using,

... Continue reading Custodians of Digital Evidence


Digital Forensic Sampling

Robert-Jan Mora and Bas Kloet have released an interesting paper called DigitalForensicSampling.pdf and it's about applying statistical sampling to digital forensics. Digital forensic practitioners are frequently faced with extremely large amounts of data to analyze, a situation that looks to get worse as storage capacities continue to increase. Mora and Kloet propose the use of random sampling for certain types of cases as a means of alleviating this problem.

Here's a quote from the paper's introduction:

In this paper we would like to address a few problems that we encounter in the digital forensic field, in general, which probably will get worse if our methods do not get smarter soon. A few problems that the digital forensic community has to deal with are:

  • The amount of data that needs to be investigated in cases increases every year;

The Chain of Custody for 2010-03-28 - Weekly Tweets


Case Leads: On the horizon — SIFT 2, Volume Shadows

I started this week traveling home from teaching SANS Forensics 508 to a great group of people in the Boston area. This week's Case Leads is my effort to catch up on the latest goings on and some older items.

Tools:

...


Unix System Accounting and Process Accounting

Accounting reports created by the system accounting service present the *NIX administrator with the information to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst and allows for the monitoring of system resource use. This data can be a means of finding which processes and resources have been used, and by which user.

When system accounting has been enabled on a *NIX system, the collection of statistical data will begin when the system starts, or at least from the moment that the accounting service is initiated. The standard data collected by system accounting will include the following categories:

  • Connect session statistics
  • Disk space utilization
  • Printer use
  • Process use

The accounting system process starts with the collection of statistical data from which summary reports

... Continue reading Unix System Accounting and Process Accounting