SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Cloud Storage Acquisition from Endpoint Devices

Over the past several years, multiple tools have been released to enable API-based collection of cloud storage data. While this is an important capability, it has the often fatal liability that API-based collections require valid user credentials (and multi-factor authentication). An often overlooked area of cloud forensics is data and metadata stored on the local …


The State of Malware Analysis: Advice from the Trenches

What malware analysis approaches work well? Which don't? How are the tools and methodologies evolving? The following discussion, captured as an MP3 audio file, offers friendly advice from 5 malware analysts. These are some of the practitioners who teach the reverse-engineering malware course (FOR610) at SANS Institute: Jim Clausing: Security Architect at AT&T and Internet Storm Center Handler (Panelist); Evan Dygert: Senior …


Mass Triage Part 5: Processing Returned Files - Amcache


Mass Triage Part 4: Processing Returned Files - AppCache/Shimcache


iOS Location Mapping with APOLLO Part 2: Cellular and Wi-Fi Data (locationd)

My previous article showed a new capability of APOLLO with KMZ location file support. It worked great for routined data, but there was something missing. What about the cellular and Wi-Fi locations that are stored in databases? Well, turns out I need to test better. I fixed the locationd modules to have the activity as "Location" versus "LOCATION". Case sensitivity is apparently a thing in Python. My bad.

I should also mention that with the fixes, my total location data points for an iOS 12.1.1 device jumped to ~57,000! I should note this is not inclusive of workout locations. Those are a bit different as they are stored as separate records, one for latitude and one for longitude. In the future I might attempt to pair these up for KMZ support.