SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Cryptome Spying guides as a Digital Forensic Resource

Since December 2009, Cryptome.org has been publishing the legal spying guides from a variety of services and service providers. There was publicity this past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was placed against the Cryptome domain and its owner John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide digital forensic investigators a resource for the appropriate contacts and process logic contained in the published legal spying guides.

These documents were created to tell law enforcement and appropriate investigators what can be provided and the methodology for requesting it. The guides were generally considered confidential in nature when distributed. It is not my intent to break the confidentiality of the source or creator. It is intended to assist in digital forensic discovery. Many of these documents are strictly intended for Law Enforcement and not

... Continue reading Cryptome Spying guides as a Digital Forensic Resource


Open Source Android Digital Forensics Application

For some time now, I've spent most of my R&D time on Android forensics. Gartner predicts that Android will be the #2 smartphone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbian in front. With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we've developed will provide a full forensic image of supported Android devices. With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and


The Chain of Custody for 2010-02-28 - Weekly Tweets


Digital Forensics Case Leads: Mobile Device Digital Forensics

Due to the increasing number of identity theft incidents that occur in the corporate setting, whether caused by disgruntled employees (e.g. stealing information via USB or mobile devices) or simply by the lack of proper security awareness training (encrypting sensitive information and/or which mobile devices can or can't be used), it's imperative for organizations to become better equipped and skilled in dealing with digital forensics on mobile devices.

So where do you start and what are the best tools to use?

Tools:

  • Eoghan Casey writes about using file system tools such as The Sleuth Kit to examine Windows Mobile devices.
  • Lance Mueller gives an excellent breakdown of different Windows Mobile device forensics tools at his blog.

Extracting Known Bad Hash Set From NSRL

Hash filtering is a time-saving technique for a computer forensics examiner working on a huge disk image. In a nutshell, this technique filters out all the files in the image that belong to the operating system or to well-known software packages. This lets the examiner focus on unknown files, reducing the scope of the investigation. After all, there's no point in spending time checking files we already know.

This filtering operation is based on hashes. Usually, we calculate the hash of every file in the image and check it against a list of hashes previously calculated over known good files. We call this list the known good hash set. All files whose hashes match the list are filtered out.

On the other hand, we would like to know if there are malicious files in our computer forensics case image. Again, the technique works by calculating the hash for every file in the image, looking for matches in a list containing pre-calculated hashes for known malicious

... Continue reading Extracting Known Bad Hash Set From NSRL
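The filtering pipeline those two paragraphs describe, as an added example that is not code from the SANS post: it hashes every file under a directory (standing in for a mounted image), loads hash lists written in the quoted-CSV layout of the legacy NSRL RDS text files (the column order is an assumption about that layout; the sample rows and sample files are constructed here), and sorts each file into known-good, known-bad or unknown. The known-bad set is consulted before the known-good set on purpose: a file that appears in both lists must never be silently filtered out.

```python
"""Hash filtering triage: split the files of an image into known-good, known-bad and unknown."""
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Assumed header of a legacy NSRL RDS text file (NSRLFile.txt-style quoted CSV, SHA-1 first).
NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'

# Constructed sample "image": relative path -> file content. None of this is real OS or malware data.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed stand-in for an operating-system file\n",
    "Users/bob/Documents/notes.txt": b"constructed meeting notes, not in any hash set\n",
    "Users/bob/Downloads/update.exe": b"constructed stand-in for a file on the known-bad list\n",
}


def sha1_file(path, chunk_size=1 << 16):
    """SHA-1 of a file, read in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_rds_hashes(text):
    """Parse RDS-style CSV text into a set of lowercase SHA-1 hex digests (RDS stores them uppercase)."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["SHA-1"].strip().lower() for row in reader if row.get("SHA-1")}


def triage(root, known_good, known_bad):
    """Bucket every file under root by comparing its SHA-1 with the two hash sets."""
    root = Path(root)
    buckets = {"known_good": [], "known_bad": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha1_file(path)
        rel = path.relative_to(root).as_posix()
        if digest in known_bad:        # a known-bad hit always wins over a known-good match
            buckets["known_bad"].append(rel)
        elif digest in known_good:     # known-good files are filtered out of the review queue
            buckets["known_good"].append(rel)
        else:
            buckets["unknown"].append(rel)
    return buckets


def rds_row(sha1_hex, name, size):
    """One constructed RDS-style row; MD5/CRC32 are zero-filled because only SHA-1 is matched here."""
    return f'"{sha1_hex.upper()}","{"0" * 32}","00000000","{name}","{size}","1","358",""\n'


def build_sample_case():
    """Write the constructed files to a temp dir and build one known-good and one known-bad list."""
    root = Path(tempfile.mkdtemp(prefix="hashfilter_"))
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    good_data = SAMPLE_FILES["Windows/System32/kernel32.dll"]
    bad_data = SAMPLE_FILES["Users/bob/Downloads/update.exe"]
    good_text = NSRL_HEADER + rds_row(hashlib.sha1(good_data).hexdigest(), "kernel32.dll", len(good_data))
    bad_text = NSRL_HEADER + rds_row(hashlib.sha1(bad_data).hexdigest(), "update.exe", len(bad_data))
    return root, good_text, bad_text


def run_demo():
    """End-to-end run over the constructed case; returns the triage buckets."""
    root, good_text, bad_text = build_sample_case()
    return triage(root, load_rds_hashes(good_text), load_rds_hashes(bad_text))


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket:11s} {files}")
```

On a real case the `SAMPLE_FILES` tree would be replaced by a mounted image and the two CSV strings by the NSRL RDS file and whatever known-bad list the examiner maintains; only the `unknown` bucket then needs manual review.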