SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensic Sampling

Robert-Jan Mora and Bas Kloet have released an interesting paper called DigitalForensicSampling.pdf and it's about applying statistical sampling to digital forensics. Digital forensic practitioners are frequently faced with extremely large amounts of data to analyze, a situation that looks to get worse as storage capacities continue to increase. Mora and Kloet propose the use of random sampling for certain types of cases as a means of alleviating this problem.

Here's a quote from the paper's introduction:

In this paper we would like to address a few problems that we encounter in the digital forensic field,in general, which probably will get worse if our methods do not get smarter soon. A few problemsthat the digital forensic community has to deal with are:

  • The amount of data that needs to be investigated in cases increases every year;

The Chain of Custody for 2010-03-28 - Weekly Tweets


Case Leads: On the horizon — SIFT 2, Volume Shadows

I started this week traveling home from teaching SANS Forensics 508 to a great group of people in the Boston area. This week's Case Leads is my effort to catch up on the latest goings on and some older items.

Tools:

...


Unix System Accounting and Process Accounting

Accounting reports created by the system accounting service present the *NIX administrator with the information to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst and allows for the monitoring of system resourcing. This data can be a means of finding what processes and resources have been used and by which user.

When the system accounting has been enabled on a *NIX system, the collection of statistical data will begin when the system starts or a least from the moment that the accounting service is initiated. The standard data collected by system accounting will include the following categories:

  • Connect session statistics
  • Disk space utilization
  • Printer use
  • Process use

The accounting system process starts with the collection of statistical data from which summary reports

... Continue reading Unix System Accounting and Process Accounting


Client-side Web Application Attacks

Over the past few years, attacks against web applications have become more prevalent and sophisticated. There are several methods of attacking web applications, SQL injection being one of the more well-known. In this article, we are going to discuss a different class of attacks and a few examples of how an incident responder or computer forensic investigator might spot them.

All web forms contain fields that are used to grab input from a user and post it to the server for processing. Form fields are commonly used to collect information, from transaction details on e commerce sites to authentication credentials for restricted content. While form fields are used to collect data legitimately from users, they can also be used maliciously.

An example of this is a client side attack commonly known as form field injection. In this type of attack, malware interacting in a web browser adds additional form fields to

...