SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-02-14 - Weekly Tweets

Prefetch Parser v1.4 released

I have updated Prefetch Parser. The program was mentioned in Chad Tilbury's blog entry De-mystifying Defrag Identifying When Defrag Has Been Used For Anti-Forensics (Part 1 Windows XP). The main updates to the program are as follows:

  1. Added the Windows 7 option to the drop-down box.
  2. Released all the code under the GPL ( and prefetch_parser_gui.au3).
  3. Made the parse_prefetch_info program callable from the command line (pass the -h flag or no arguments to get the syntax).
  4. Added reading the Layout.ini file and reporting on all programs/prefetch files that are in the Layout.ini file.
  5. Added a new report that will list the distinct devices/volumes/directories with hyperlinks to


Digital Forensics Case Leads: Carrier updates The Sleuth Kit

Welcome to the second installment of Digital Forensics Case Leads! This edition includes recently released updates to the popular Open Source digital forensics tools, Autopsy and The Sleuth Kit, an article by a lawyer-turned-computer-forensic-examiner and tips for uncovering Linux USB artifacts.


  • Brian Carrier released an updated version of The Sleuth Kit (TSK 3.1.0) and its graphical, browser-based front-end, Autopsy (version 2.22). TSK now includes HFS+ support and handles sector sizes other than 512 bytes. The current version of TSK also includes NTFS SID data, improved support for GPT partitions, AFFLIB formats and other new features.

Good Reads:

FreeBSD Computer Forensic Tips & Tricks

Hal Pomeranz, Deer Run Associates

While Linux seems to have captured much of the mind-share for Unix-like operating systems, the fact is that there are an awful lot of BSD machines out there, particularly in web-hosting and other Internet-facing environments. So you're likely to run into one of these systems during an incident response or digital forensics investigation at some point. If you've only ever analyzed Linux systems, you may encounter a few bumps in the road when you start looking at your first BSD system. In an effort to smooth out some of those potholes, I'm going to demo a few useful techniques using a sample FreeBSD image I created.

BSD Disk Labels

Let's suppose somebody just handed you a raw disk image that they took from a FreeBSD machine. Not being Unix savvy, all they can do is