SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 1

When it comes to computer forensic tools, I consider myself to be somewhat of a late adopter. I love to play with the latest tool release, but when it comes to what I'm actually going to use in my lab, I prefer to have a mature product. It takes too much time to test and validate tools to waste time on buggy or incomplete versions. So, I finally made the jump (back) to Access Data's Forensic Toolkit (FTK) in its 3.1 version. Like many forensic professionals I know, I sat out the "lost generation" of FTK v2. However, if you haven't taken a look recently, version 3 will likely surprise you.

I don't expect tool suites to solve all of my forensic problems, but I do appreciate the breadth of capabilities they can provide in one package. FTK v3 excels at facilitating keyword searches, graphics review, email archive parsing, compound file extraction, and has an excellent

...


Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to implement this tool into your forensic toolkit. This post is part of a series and will introduce functionality of IEF v3.3. You can download the most recent version (v3.5.1 at time of this article) from JadSoftware.com.Just a brief recap of what IEF will search for on a mounted drive/folder. Facebook chat, Yahoo! chat (IEF must have chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, hotmail webmail fragments, yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

...


Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

News:


People Searches

In the course of assisting corporations with their incident response activities, we are occasionally asked to help find information about employees that might reside on the internet. During a computer exam for an employee threats case, we found activity on Facebook, Twitter, and two different webmail accounts. We captured the public facing social media pages and included them as part of our exam report.

While this is nowhere near new territory, it may be useful to compile a quick hit list of websites to quickly and efficiently build a profile of an individual's social media and internet use. In our case, if the person of interest made public threats outside the business as well as the private threats that occurred inside the business, we needed to find them as quickly as possible and make sure we had them documented.

Here are some good places to start your search:

Social Media


Digital Forensics Case Leads: Certs and Books and Meetings - Oh My!

Tools

Good Reads:

  • Dominik Weber of Guidance Software has a very interesting writeup regarding acquisition of flash drives. The wear-leveling technology that is incorporated to extend the lifetime of flash devices can cause apparently random changes in hash values between acquisitions of the device, so it's important to take this into account. With the increasing popularity of SSD drives in computers, this will likely become increasingly important.

News:

  • Not to be outdone by Guidance Software's acquisition of Tableau, Access Data announced

...