SANS Digital Forensics and Incident Response Blog: Category - eDiscovery

Digital Forensic Sampling

Robert-Jan Mora and Bas Kloet have released an interesting paper called DigitalForensicSampling.pdf and it's about applying statistical sampling to digital forensics. Digital forensic practitioners are frequently faced with extremely large amounts of data to analyze, a situation that looks to get worse as storage capacities continue to increase. Mora and Kloet propose the use of random sampling for certain types of cases as a means of alleviating this problem.

Here's a quote from the paper's introduction:

In this paper we would like to address a few problems that we encounter in the digital forensic field,in general, which probably will get worse if our methods do not get smarter soon. A few problemsthat the digital forensic community has to deal with are:

  • The amount of data that needs to be investigated in cases increases every year;

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.

Tools:

  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the

RSA 2010 - Digital Forensic Analyst Notebook

The RSA Security Conference was held this week in San Francisco. The conference is jammed packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.

Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks for this conference. But computer forensics were mentioned now and then in session talks, although many times by the audience more than the speakers.

Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown is an independent forensics consultant.

...


Cryptome Spying guides as a Digital Forensic Resource

Since December 2009, Cryptome.org has been publishing the legal spying guides from a variety of services and Service Providers. Therewas publicitythis past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was placed againstCryptome domain and its owner John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide Digital Forensic investigators a resource for appropriate contact and process logic contained in the Legal Spy guides published.

These documents were created to assist Law enforcement and appropriate investigators of what can be provided and the methodology for request. The guideswere generally considered confidential in nature when distributed. It is not my intent to break confidentiality of the source or creator. It is intended to assist in digital forensic discovery. Many of these documents are strictly intended for Law Enforcement and not

... Continue reading Cryptome Spying guides as a Digital Forensic Resource


Public Communications Are Critical to Computer Security Incident Response

Law, Forensics and Public Relations

Historically IT security and incident response programs did not include much of a public communications component. Enterprises spoke little about attacks or breaches of security; they quietly focused on defense, investigation and remediation.

Law and politics have changed the game. Since 2003 many laws such as California's Senate Bill 1386 have required data holders to notify constituents and sometimes government authorities when private data have been compromised. For many private and government organizations, their data security posture has become a subject of keen public import. Lawsuits and government investigations are becoming more common.

Today when security incident happens, public communications can be critical to an effective response.

A high profile example is Google's announcement that it was the target of an attack allegedly from China. Google views the incident as much more than just a

... Continue reading Public Communications Are Critical to Computer Security Incident Response