SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-02-21 - Weekly Tweets


Digital Forensics Case Leads: Volatility and RegRipper, Better Together

This week in Digital Forensics Case Leads brings us an update to macrobber, a guide to combining the power of Volatility and RegRipper, some thoughts on presenting digital forensic evidence, and an easy way for you to become an Advanced Persistent Threat.

Tools:

  • Mark Morgan posted a User Manual for Volatility and RegRipper (PDF) that details combining those tools to perform registry analysis against physical memory images. Note that some of this only works under Linux.
  • Brian Carrier released macrobber v1.02 over at Sleuthkit.org. This version utilizes the new mactime body format.
  • Geoff Black released

Local Shared Objects, aka Flash Cookies

Adobe Flash Player can store various information about user settings in order to "remember" things such as the volume a user prefers in a video player, saved game state, or whether the user has allowed Flash Player to access the webcam. With the introduction of ad-blocking software and browser privacy settings, web developers and advertisers have increasingly used these files to store other information as well (see the paper "Flash Cookies and Privacy"). These files are now commonly used to hold the same kind of information found in traditional browser cookies, and because the browser's cookie controls do not govern them, they survive a cookie purge. The notion of flash cookies has been discussed previously on SANS blogs, both in the Digital Forensics Blog
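As an added example (my code, not part of this post or of any SANS tool), the following Python script parses an AMF0-encoded .sol file and reports what it stores, which is how you would inspect what a site has stashed in an LSO during an examination. The header layout and AMF0 type codes reflect my understanding of the format, the directory list is the usual per-user location on each platform, and the sample file is constructed inline so the script runs offline; none of these details come from the post.

```python
import os
import struct
from datetime import datetime, timezone
from pathlib import Path

# Per-user LSO roots (assumed typical locations, not from the post); Flash Player
# files each LSO under a directory named after the hostname that wrote it.
LSO_DIRS = ("~/.macromedia/Flash_Player/#SharedObjects",                     # Linux
            "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
            "%APPDATA%/Macromedia/Flash Player/#SharedObjects")              # Windows


class SolError(ValueError):
    """Raised when the bytes are not a well-formed AMF0 .sol file."""


class Amf0Reader:
    """Big-endian reader for the AMF0 value types Flash writes into LSOs."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise SolError("truncated at offset %d" % self.pos)
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def f64(self): return struct.unpack(">d", self.take(8))[0]

    def string(self, wide=False):
        return self.take(self.u32() if wide else self.u16()).decode("utf-8", "replace")

    def pairs(self):
        # key/value pairs ended by an empty key followed by the object-end marker 0x09
        out = {}
        while True:
            key = self.string()
            if key == "":
                if self.u8() != 0x09:
                    raise SolError("bad object terminator at offset %d" % (self.pos - 1))
                return out
            out[key] = self.value()

    def value(self):
        t = self.u8()
        if t == 0x00: return self.f64()                                 # number
        if t == 0x01: return self.u8() != 0                             # boolean
        if t == 0x02: return self.string()                              # string
        if t == 0x03: return self.pairs()                               # object
        if t in (0x05, 0x06): return None                               # null / undefined
        if t == 0x08: self.u32(); return self.pairs()                   # ECMA array: count, then pairs
        if t == 0x0A: return [self.value() for _ in range(self.u32())]  # strict array
        if t == 0x0B:                                                   # date: ms since epoch + unused tz
            ms = self.f64(); self.take(2)
            return datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc)
        if t == 0x0C: return self.string(wide=True)                     # long string
        raise SolError("unsupported AMF0 type 0x%02x at offset %d" % (t, self.pos - 1))


def parse_sol(data):
    """Return (SharedObject name, {key: value}) for an AMF0-encoded .sol file."""
    r = Amf0Reader(data)
    if r.take(2) != b"\x00\xbf":
        raise SolError("bad magic, not a .sol file")
    if r.u32() != len(data) - 6:
        raise SolError("length field does not match file size (truncated or badly carved)")
    if r.take(4) != b"TCSO":
        raise SolError("missing TCSO signature")
    r.take(6)                       # constant 00 04 00 00 00 00
    name = r.string()               # the name the SWF gave the SharedObject
    if r.u32() != 0:                # 0 = AMF0, 3 = AMF3 (ActionScript 3 content)
        raise SolError("AMF3-encoded LSO, not handled by this example")
    items = {}
    while r.pos < len(data):
        key = r.string()
        items[key] = r.value()
        if r.u8() != 0x00:          # one padding byte follows every top-level entry
            raise SolError("missing trailer after %r" % key)
    return name, items


def find_lsos():
    """Yield every .sol file under the usual per-user LSO directories."""
    for d in LSO_DIRS:
        root = Path(os.path.expandvars(os.path.expanduser(d)))
        if root.is_dir():
            yield from root.rglob("*.sol")


def _s(text):                       # AMF0 short string: u16 length + UTF-8 bytes
    b = text.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_sol():
    """Constructed sample: a tracking id that outlives cookie clearing, plus player settings."""
    entries = (_s("uid") + b"\x02" + _s("a1b2c3d4") + b"\x00"
               + _s("volume") + b"\x00" + struct.pack(">d", 0.75) + b"\x00"
               + _s("allowCamera") + b"\x01\x00" + b"\x00"
               + _s("lastSeen") + b"\x0b" + struct.pack(">d", 1266710400000.0) + b"\x00\x00" + b"\x00"
               + _s("prefs") + b"\x03" + _s("lang") + b"\x02" + _s("en") + b"\x00\x00\x09" + b"\x00")
    body = b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + _s("settings") + b"\x00\x00\x00\x00" + entries
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body
```

Run it against a real file with parse_sol(Path(...).read_bytes()), or iterate find_lsos() to cover the whole profile; the hostname directory each file sits under tells you which site wrote it. An LSO whose version field is 3 is reported and skipped rather than misparsed, and a length mismatch is treated as a carving or truncation error instead of being silently accepted, since a partially recovered file is exactly what you will get from unallocated space.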

...


Tableau Imager: First Look

I haven't paid much attention to write-blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high-speed connection (FireWire 800 / eSATA), I was happy. But I spent some time with Tableau's founder, Robert Botchek, at the end of last year, and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for two days, that significantly changes the equation. That's why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Michael Cloppert recently made an excellent plea for innovation in the IDS industry in his post,


Identity Theft Coming to a Mobile Device Near You

The growing use of mobile devices for banking, money transfer, and payment raises the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts from mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking mobile carriers into issuing replacement SIM cards for the customer's phone number (a SIM swap), which hands the attacker the number the bank uses to reach the customer.

December 2009: A duplicate SIM card was issued to an impostor who presented the victim's driver's license

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information.

December 2009: USAA Thwarts Mobile App

...