SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-03-07 - Weekly Tweets

  • The Chain of Custody for 2010-02-28 - Weekly Tweets
  • Organiser of Darkmarket fraud website jailed- A man who created a website trading in stolen financial information l...
  • EviGator Digital Forensics release iPhorensic- EviGator Digital Forensics have released Version 1.0.0 of iPhorensic...
  • Open Source Android Digital Forensics Application

Computer Forensics Tool Testing (CFTT) Survey

The Computer Forensics Tool Testing (CFTT) team at NIST and NW3C want to know what digital forensics tools you are using and what digital forensics tools you want NIST to test. Please take a few minutes to complete the survey linked below and share your valuable feedback with us.

To learn more about CFTT and the NW3C visit and

This survey is very important to state and local law enforcement as it is your voice and input, directly to NIST, for testing of the forensic hardware and software you use every day. A NIST evaluation of the tools you use has many benefits to you, your agency, and the cases you work. The survey itself is all multiple choice with an


Digital Forensics Case Leads: Herding botnet herders

It's been a busy week, with RSA and BSides conferences both taking place in San Francisco. Ira Victor will have a wrap-up of news from RSA tomorrow, so look for that. Be sure to check out Robert Shullich's paper on exFAT (see below), as we're sure to encounter this more and more in our digital forensics work.



Cryptome Spying guides as a Digital Forensic Resource

Since December 2009, Cryptome has been publishing the legal spying guides from a variety of services and Service Providers. There was publicity this past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was placed against the Cryptome domain and its owner John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide Digital Forensic investigators a resource for appropriate contact and process logic contained in the Legal Spy guides published.

These documents were created to advise law enforcement and appropriate investigators on what can be provided and the methodology for requesting it. The guides were generally considered confidential in nature when distributed. It is not my intent to break confidentiality of the source or creator. It is intended to assist in digital forensic discovery. Many of these documents are strictly intended for Law Enforcement and not


Open Source Android Digital Forensics Application

For some time now, I've spent most of my R&D time on Android Forensics. Gartner predicts that Android will be the #2 smart phone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbian in front. With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we've developed will provide a full forensic image of supported Android devices. With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and