SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-03-21 - Weekly Tweets

  • The Chain of Custody for 2010-03-14 - Weekly Tweets
  • Digital Forensics Magazine Promotes Global Survey Into Forensics Tools - Digital Forensics Magazine is urging its rea...
  • Police launch new high-tech mobile phone unit in Kent, UK - Sim card specialists will aid the technological tussle w...
  • Finding out about other users on a Linux system

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.


  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has started a video series to keep viewers informed about its products and items of general interest. The first entry covers its firmware update tool. The Tableau T35e write blocker is provided as part of the

Nokia n900 mobile forensic cheat sheet

Nokia N900
Overshadowed by coverage of all things Nexus and iPad, Nokia's new N900 is the unsung hero of the smartphone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, Metasploit and Wireshark. Future functionality includes BackTrack itself, packaged as NeoPwn v2!

Cutting to the chase, then: this is a quick cheat sheet about forensic artifacts on the N900 and where to find


Finding out about other users on a Linux system

These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as during a penetration test), it is best to stop running commands while the system administrator is watching. The same commands are also useful to digital forensics investigators and incident response personnel, who need to know who is logged in, from where, and how active each session is.


The 'w' command displays every user logged into the host along with their current activity. It is used to determine whether a user is 'idle' or is actively monitoring the system.


The 'who' command is used to find which users are logged into the host, and to display their source address and how they are accessing the host. Its output shows whether a user is logged in on a local tty (more on this later) or is connected over a remote network connection.


The 'finger' command is rarely used these days (but does come up from


The Chain of Custody for 2010-03-14 - Weekly Tweets