SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Internet Evidence Finder (IEF): interview with Jad Saliba of

Editor's note: Brad Garnett recently had an opportunity to interview Jad Saliba, of JADSoftware about how he got started in computer forensics and about some of his company's products. Please note that JADSoftware has offered a discount to readers, see the details below.

Q: Jad, Take a minute to introduce yourself and give us some insight into your background. How did you get involved in computer forensics and software development?

I've been involved in software programming on and off for a long time, going back to my teenage years. I've always had an interest in system tools and figuring out what's going on behind the scenes in a computer. I went to college and studied computer networking and programming, and worked in the industry for a short while before getting into law enforcement, which is another passion of mine. I didn't want anyone to know about my computer skills when I first got hired!


Uncident Response

Awhile ago, I was asked to assist in responding to a security problem on a client's network. A major vulnerability was reported on a website that involved failure of the primary authentication and access control mechanism. So severe was the vulnerability that not only could one user view another's PII, but complete authentication circumvention was itself trivial! I was tasked with assessing what, if any, impact had resulted from this exposure. This probably sounds familiar to many security analysts: a vulnerability was discovered, what compromise resulted from it?

These cases turn classic incident response on its head. We are trained, and often work, on issues where a compromise is discovered, from which analysis reveals a vulnerability. Here, we have the opposite. One immediate difference is clear: when there is a compromise, some vulnerability was necessarily exploited. However, the result of a vulnerability investigation is not so clear. Our normal incident

... Continue reading Uncident Response

Twitter Weekly Updates for 2010-02-06

Digital Forensic Case Leads: Introductions

Recently, the forensicator-in-chief, Rob Lee, put out the call for a new series of posts here at the SANS Computer Forensics Blog. Rob wanted to present a few short "case leads" that may interest practitioners. A small group of volunteers took on the task of formulating a weekly "Digital Forensic Case Leads" post each Friday to include coverage of tools both new and old, interesting reads, news items and more.

And so in the spirit of Kevin Riggins and his "Interesting Information Security Bits" or Dave Lewis, James Arlen (et al) and their "Liquid Matrix Security Briefings", we present "Case Leads: 20100205-001:"


  • Andreas Shuster released an update of his Vista event log parser,

  • Examining Windows Mobile Devices Using File System Forensic Tools

    Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

    Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

    $ fsstat SamsungBlackjack.bin

    File System Type: FAT16
    OEM Name:

    ... Continue reading Examining Windows Mobile Devices Using File System Forensic Tools