SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

People Searches

In the course of assisting corporations with their incident response activities, we are occasionally asked to help find information about employees that might reside on the internet. During a computer exam for an employee threats case, we found activity on Facebook, Twitter, and two different webmail accounts. We captured the public facing social media pages and included them as part of our exam report.

While this is nowhere near new territory, it may be useful to compile a quick hit list of websites to quickly and efficiently build a profile of an individual's social media and internet use. In our case, if the person of interest made public threats outside the business as well as the private threats that occurred inside the business, we needed to find them as quickly as possible and make sure we had them documented.

Here are some good places to start your search:

Social Media


Digital Forensics Case Leads: Certs and Books and Meetings - Oh My!

Tools

Good Reads:

  • Dominik Weber of Guidance Software has a very interesting writeup regarding acquisition of flash drives. The wear-leveling technology that is incorporated to extend the lifetime of flash devices can cause apparently random changes in hash values between acquisitions of the device, so it's important to take this into account. With the increasing popularity of SSD drives in computers, this will likely become increasingly important.

News:

  • Not to be outdone by Guidance Software's acquisition of Tableau, Access Data announced

...


First forensics work - Part 2: Sure it's big enough ... but look at the location.

So you've managed to calm your nerves some. As we discussed in Part 1 of this series, you managed to collect memory and disk images from computers you could walk up too and touch using Helix. You haveexternal hard drivesfilling up with images to be looked at. You have been going down the list of systems that you need to image and things are going smoothly.

Until now.

You have discovered, things are slightly more complex for the next system. One of the computers you have to take an image of is located in Seattle.

Nice city. Space Needle webcam is cool. OK weather, if you're aduck. They do call it the Rain City for a reason.

Butthere isjust one small problem.

You are in Cleavland.

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in web application used to sign onto to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to not focus on using secure methods like using random numbers in generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


Protecting Admin Passwords During Remote Response and Forensics

PsExec

PsExec has been a great tool for remotely executing processes on a Windows machine. It has been around for years and is one of many useful tools from Mark Russinovich (formerly of SysInternals, now with Microsoft). As described on PsExec's webpage, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."

That said, there is a significant drawback to PsExec's default behavior, as described in the last sentence of the description on PsExec's webpage: "Note that the password is transmitted in clear text to the remote system."

This is something that needs to be seriously considered and accounted for when using PsExec. Corporate incident responders typically have domain administrator rights for response purposes. The idea of

...