SANS Digital Forensics and Incident Response Blog: Category - Digital Forensic Law

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktops, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via armchair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV satellite. Security honcho Bruce Schneier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a

...


Affidavit as Support for an Investigation

An affidavit can be a vital tool in any type of investigation, whether the investigation be forensic, internal, criminal, regulatory, incident response or otherwise. As an investigator gathers facts, he will often interview witnesses, and obviously the investigator is wise to make records of the interviews (written notes or even audio/video records). But sometimes it is prudent to take an additional step in securing what a witness has to say.

I recently advised an investigation where numerous witnesses had much to say. But as I assessed all that was being said, a particular statement of one certain witness stood out as crucial to the outcome of the case. I recommended that witness record her statement in an affidavit.

An affidavit is a formal, written document that memorializes a declaration of facts by a witness. The preparation and execution of an affidavit can help to lock down a complete and careful statement of what the witness has to say. An affidavit

...


Digital Forensics Case Leads: Make it go away, the Stuxnet extended remix

Life is busy in the digital forensics and incident response world, so this week's Case Leads is short and sweet. Here are my favorite items from the last few days, enjoy!

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Harris Corporation introduces BlackJack, a USB device that looks very useful for situations where one must rapidly triage systems for the presence of interesting data. According to the press release, the device boots in less than three seconds and "automatically scans and copies data by prioritizing search criteria and securely partitions search results for analysis." The device has two LEDs, one red and one green, that indicate the presence or absence of items of interest.

Good Reads:


Did Las Vegas Police Fumble Critical Digital Forensics in High Profile Shooting Case?

While in a re-certification class at SANS Network Security, a local news story catches my attention. It's a coroner's inquest into the death of Erik Scott, who was shot here in July outside a Costco store by officers of the Las Vegas Metropolitan Police (LVMP) after a store employee spotted Scott's firearm, which he had a permit to carry.

There's limited time while we drink from the SANS fire hose to absorb the day's news events. But I picked up the following from an op-ed piece by Scott's father in the Las Vegas Sun. The dead man's family is harshly critical of the investigative process, and not without justification, if William Scott's account is accurate.

The elder Scott says the investigation has been entirely internal, conducted by LVMP. Scott is an aerospace journalist who notes that if an airline pilot has an accident that results in a

...


Digital Forensics Case Leads Aug 5, 2010: DefCon 18 and more

The DefCon conference ended on Sunday, and this year's edition of the "World's Largest Hacker Conference" (as many call it) didn't disappoint. We have news and coverage from a forensic and incident response viewpoint, including news about the Wikileaks incident you might not have seen elsewhere. Blackberry is getting hammered on security; well, that's what many headlines read. We have a different take. Web tracking and privacy are getting a higher profile; what are the forensic implications? Many home and business networks are "protected" by popular router/firewalls for sale at big box electronics stores. New research reveals breach mechanisms that have forensic and incident response implications. The truth slowly is revealed, along with people's private parts, about images from the Whole Body Scanners. And, in the Levity Section: DefCon18 Social engineering contest a hit at DefCon.

Good Reads / Good Audio:

  • "I know what happened with

...