SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Tableau Imager: First Look

I haven't paid much attention to write blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high speed connection (Firewire 800 / eSATA), I was happy. But I spent some time with Tableau's founder, Robert Botchek at the end of last year and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation. That's why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Michael Cloppert recently made an excellent plea for innovation in the IDS industry in his post,

Identity Theft Coming to a Mobile Device Near You

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer's account.

December 2009: Duplicate SIM card was issued to an imposter with the driver license of the victim

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information.

December 2009: USAA Thwarts Mobile App


The Chain of Custody for 2010-02-14 - Weekly Tweets

The Chain of Custody for 2010-02-14 - Weekly Tweets

Prefetch Parser v1.4 released

I have updated Prefetch Parser. The program was mentioned in Chad Tilbury's blog entry De-mystifying Defrag Identifying When Defrag Has Been Used For Anti-Forensics (Part 1 Windows XP). The main updates to the program are as follows:

  1. Add the Windows 7 option to the drop down box.
  2. GPL all the code ( and prefetch_parser_gui.au3)
  3. Make the program parse_prefetch_info callable from the command line (send flag -h or no arguments to get the syntax).
  4. Added reading the Layout.ini file and reporting on all programs/prefetch files that are in the Layout.ini file.
  5. Added a new report that will list the distinct devices/volumes/directories with hyperlinks to