SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Protecting Admin Passwords During Remote Response and Forensics

PsExec

PsExec has been a great tool for remotely executing processes on a Windows machine. It has been around for years and is one of many useful tools from Mark Russinovich (formerly of SysInternals, now with Microsoft). As described on PsExec's webpage, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."

That said, there is a significant drawback to PsExec's default behavior, as described in the last sentence of the description on PsExec's webpage: "Note that the password is transmitted in clear text to the remote system."

This is something that needs to be seriously considered and accounted for when using PsExec. Corporate incident responders typically have domain administrator rights for response purposes. The idea of

...


First forensics work - Part 1: Organized chaos and panic

You've taken the plunge. You want to work in digital forensics. Congratulations. You've told your boss of this interest, managed to get some forensics training (SANS FOR508of course! ) and hyped upthe type of things you would be able to accomplish. You feel good about yourself.

Until now.

Two months after your course.

And you haven't had time to practice anything, let alone review the material.

The situation: You were called in and asked to use all of thesenew skills to help solve a problem. And the pressure is on, as they want someanswers by the end of the day. Now you are wondering why did I tell them I wanted to do this again?

Don't panic.

You can do this. We`ve all been there. All you need is a little help from your friends.

The goal of this seriesis to help guide you through a case, and provide suggestions on how

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition


Digital Forensics Case Leads: Guidance Busy this week.

This week big news from Guidance Software, maker of Encase. The U.S. Secret Service will now add more data to the Verizon Breach Report. Microsoft release Office 2010 and several new/updated tools and virtual pit bulls are now protected.

Tools:

Good Reads:

...


Digital Forensics and Social Media

Privacy | Transparency

Social networks like Facebook, Twitter, Foursquare and Google Buzz can be a treasure trove for forensics investigations. The expanding ocean of data in those networks is irresistible to investigators.

Marketers are already exploiting social data to analyze associations among consumers. A startup named 33Across looks at relationships among social media users to ascertain who, for example, would be a good prospect for viewing an ad on costume jewelry. If Jane is a good prospect, then some of her friends - or maybe just people who circulate in the same social group - might be too. 33Across uses tools like tracking cookies to follow relationships.

Just as this style of data gathering and analysis can help marketing, it can help law enforcement or dispute resolution.