SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Did Las Vegas Police Fumble Critical Digital Forensics in High Profile Shooting Case?

While in a re-certification class at SANS Network Security, a local news story catches my attention. It's a coroner's inquest into the death of Erik Scott, who was shot here in July outside a Costco store by officers of the Las Vegas Metropolitan Police (LVMP) after a store employee spotted Scott's firearm, which he had a permit to carry.

There's limited time while we drink from the SANS fire hose to absorb the day's news events. But I picked up the following from an op-ed piece by Scott's father in the Las Vegas Sun. The dead man's family is harshly critical the investigative process, and not without justification, if William Scott's account is accurate.

The elder Scott says the investigation has been entirely internal, conducted by LVMP. Scott is an aerospace journalist who notes that if an airline pilot has an accident that results in a

...


Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said lets get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However if you want to do a deep dive in to the file structure, Internet usage or look deep in to the applications that are being used on the device and perhaps run some of your "favorite forensic tools" against it, I highly recommend complimenting your traditional

...


Digital Forensics Case Leads: An OS X based Live CD, a Free Forensics App for Windows, Spying, and High Performance Password Cracking

This week's edition of Case Leads features an OS X based Live CD, a free tool for gathering evidence from HBGary, spying, and the threat video cards pose to passwords.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Creating an OS X Incident Response CD for Live Response -Tom Webb has a write up that discusses the process for building a basic OS X based CD for live analysis. The how-to addresses a few unique features of OS X and includes a method for dealing with OS X's non-static binaries. Suggestions for binaries to include on the CD and commands useful for IR on OS X are covered. Tom has also included a starter script that will help with information gathering during the IR

...


Computer Forensics: Using Evidence Cleaners to Find Artifacts

I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many can argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.

CCleaner used to store settings in the Registry, but has now opted to use an .INI file to assist in application portability. This is a great asset to forensic examiners who like to research new artifacts. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this

...


Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 2

Welcome to part two of my FTK v3 review. If you have not read the first post, it can be found here. Forensic suites are notoriously difficult to review because of the sheer number of features they include. We are lucky within the computer forensic community to have multiple vendors operating in a highly competitive environment. As such, the core forensic suites continue to add functionality. I have chosen to highlight a few of the new(er) features within Access Data's Forensic Toolkit (FTK). I interact with a lot of folks who are building forensic capabilities within their organizations, often with a limited budget. With the new additions to FTK, I find myself recommending it more and more. For the typical forensic shop it really does have a lot of bang

...