SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-02-28 - Weekly Tweets

Digital Forensics Case Leads: Mobile Device Digital Forensics

Due to the increasing number of identity theftincidents that occur in the corporate setting by disgruntled employees (e.g. stealing information via USB or mobile devices) orsimply by the lack of proper security awareness training (encrypting sensitive information and/or what mobile devices can or can't be used), it's imperative for organizations to become better equipped and skilled in dealing with digitalforensics on mobile devices.

So where do you start and what are the best tools to use?


  • Eoghan Caseywrites about using file system tools such as the Sleuthkit to examine Windows Mobile Devices.
  • Lance Mueller gives an excellent breakdown of different Windows Mobile Device forensics tools at his blog

Extracting Known Bad Hash Set From NSRL

Hash filtering is a time-saving technique for a computer forensics examiner when working on a huge disk image. In a nutshell, this technique can filter out all those files in your image that belong to the operating system or well-known software packages. This will let the examiner focus on unknown files, reducing the scope of the investigation. After all, there's no point in spending time checking files we already know.

This filtering operation is based on hashes. Usually, we calculate the hash for every file in the image and check it against a list of hashes previously calculated over known good files. We call this list the known good hash set. All files with hashes matching the list are filtered out.

On the other hand, we would like to know if there are malicious files in our computer forensics case image. Again, the technique works by calculating the hash for every file in the image, looking for matches in a list containing pre-calculated hashes for known malicious

... Continue reading Extracting Known Bad Hash Set From NSRL

The Chain of Custody for 2010-02-21 - Weekly Tweets

Digital Forensics Case Leads: Volatility and RegRipper, Better Together

This week in Digital Forensics Case Leads brings us an update to macrobber, a guide to combining the power of Volatility and RegRipper, some thoughts on presenting digital forensic evidence, and an easy way for you to become an Advanced Persistent Threat.


  • Mark Morgan posted a User Manual for Volatility and RegRipper (PDF) that details combining those tools to perform registry analysis against physical memory images. Note that some of this only works under Linux.
  • Brian Carrier released macrobber v1.02 over at This version utilizes the new mactime body format.
  • Geoff Black released