SANS Digital Forensics and Incident Response Blog: Category - Digital Forensic Law

How to Preserve Cyber Investigation Evidence | Screencast Tool

Commonly, a cyber investigation examines how a digital resource, like an app, a hyperlink or a web search box, works. Example: Investigator observes that when mouse clicks on hyperlink X, browser goes to web page containing content Y. As an investigator observes how a resource works, he wants to record …


Digital Forensics Case Leads: New Year brings DEFT and DFF updates, interesting reads and upcoming events

This week we have updates to two great tools, a variety of interesting reads, including one to come soon, and some events to fill your calendar for the 1st quarter of the new year. Tools: Arxsys has released V0.9 of the open source Digital Forensics Framework (DFF), which has some cool new features. You can …


Digital Forensics Case Leads: Incident Response Hits The Mainstream; Powerful Tech Fighting CP; Acquisition Errors Can Cost Case

Incident Response Lead Story: Why it pays to have incident response in a Wikileaks world. The Wikileaks story is having a ripple effect that shows no sign of abating. As of this writing, according to a spokesperson for Panda Security, the following web sites have been attacked in the name of defending the actions of Wikileaks: …


Touch Screen Voting Requires Forensic Foresight

There has been a groundswell of news reports in the past week about possible touch screen voting irregularities. Stories have been coming out of states like Nevada and North Carolina. I was rankled when Nevada election officials proclaimed it "technologically impossible" that a voter's electronic ballot was "premarked" for a candidate when the voter inserted her ballot card into a touch screen voting machine. According to the voter, several people she knows experienced the same condition. The voter did not alert election officials, but appears to have alerted the media.

Did it happen? I don't know, but I don't want to hear our election officials telling voters or the press that such

...


Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professional skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.

Consider, for example, one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (a paid FBI informant) played no role in the shooting. However, forty years later a previously unknown tape recording of the events has surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that

...