SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Prefetch Parser v1.4 released

I have updated Prefetch Parser. The program was mentioned in Chad Tilbury's blog entry De-mystifying Defrag Identifying When Defrag Has Been Used For Anti-Forensics (Part 1 Windows XP). The main updates to the program are as follows:

  1. Add the Windows 7 option to the drop down box.
  2. GPL all the code ( and prefetch_parser_gui.au3)
  3. Make the program parse_prefetch_info callable from the command line (send flag -h or no arguments to get the syntax).
  4. Added reading the Layout.ini file and reporting on all programs/prefetch files that are in the Layout.ini file.
  5. Added a new report that will list the distinct devices/volumes/directories with hyperlinks to


Digital Forensics Case Leads: Carrier updates The Sleuth Kit

Welcome to the second installment of Digital Forensics Case Leads! This edition includes recently released updates to the popular Open Source digital forensics tools, Autopsy and The Sleuth Kit, an article by a lawyer-turned-computer-forensic-examiner and tips for uncovering Linux USB artifacts.


  • Brian Carrier released an updated version of The Sleuth Kit (TSK 3.1.0) and its graphical browser based front-end, Autopsy (Version 2.22.) TSK includes HFS+ support and handles sectors that are not 512-bytes each. The current version of TSK also includes NTFS SID data, improved support for GPT partitions, AFFLIB formats and other new features.

Good Reads:

FreeBSD Computer Forensic Tips & Tricks

Hal Pomeranz, Deer Run Associates

While Linux seems to have captured much of the mind-share for Unix-like operating systems, the fact is that there are an awful lot of BSD machines out there, particularly in web-hosting and other Internet-facing environments. So you're likely to run into one of these systems during an incident response or digital forensics investigation at some point. If you've only ever analyzed Linux systems, you may encounter a few bumps in the road when you start looking at your first BSD system. In an effort to smooth out some of those potholes, I'm going to demo a few useful techniques using a sample FreeBSD image I created.

BSD Disk Labels

Let's suppose somebody just handed you a raw disk image that they took from a FreeBSD machine. Not being Unix savvy, all they can do is


Top 7 reasons why Boston's SANS Digital Forensics is going to rock

Computer Forensic Investigations and Incident Response (FOR508)

7. Dave has more than 15 years of experience in IT and info sec, including 12 years working in a large research university network at a time when firewalls were frowned upon and compromise was commonplace. In addition to corporate and public sector work, Dave has been consulting on digital forensics cases for five years and teaches from that experience. Follow Dave on Twitter:

6. Regardless of experience level, students will take away a deeper understanding of digital forensics. This class will make you a better analyst.

5. Community SANS courses have a smaller class size. Smaller classes mean more time one-on-one with the instructor. It is like having your personal Digital Forensics Sensei


Digital Forensics - Careers Tips from Rob Lee of the SANS Institute

Digital Forensics - Careers Tips from Rob Lee of SANS Institute

February 5, 2010

Increasingly, digital forensics is an important element of an information security program for organizations of all types and sizes.But where can security leaders find qualified forensics professionals? How can these professionals obtain the skills and expertise they need to be successful?

Rob Lee of Mandiant and SANS Institute discusses forensics careers, focusing on:

  • Hot trends of