SANS Digital Forensics and Incident Response Blog: Category - Ethics

Keep on Moving

I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness but occasionally these things are so immense that I believe that my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digital Forensics Blog and find that someone else has typically beaten me to it.

As many of you may already know, I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result of this is that I have found how these files are structured and can manually dissect these files to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this: What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan

...


Facebook Forensics

by Jeff Bryner

Like most, I recently read the story of the EMT who posted a grisly picture to Facebook via his mobile phone. This got me thinking about social network forensics. I just happened to have joined Facebook (am I the last one?) and being of forensic mind... this post.

The issue that brings forensics into the case? The claim is that his post is by accident and was unintentional.

Now Facebook has a long history of privacy misunderstandings, and being a brand new user I can attest that it's nearly impossible at first glance to determine the privacy of the items you post. Is

...


Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization-owned asset, or looking for misuse of organization-owned data? Not even a trick question. Too easy. So why do organizations' computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that

...


No obligation higher than the truth

In a recent criminal case the defendant admitted he was under the influence at the time of arrest. However, the prosecutor overreached, charging the defendant with attempted kidnapping. According to the defendant, an officer took statements at the scene using mobile recording equipment. These recordings were said to contain exculpatory evidence.

photo courtesy of justinbaeder at flickr.com


The defense wanted to review the statements taken at the scene, but law enforcement could not produce them. Conflicting testimony was given about whether the recordings had ever been made so a judge agreed that an expert could investigate.

Given that the

...