SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

First forensics work - Part 2: Sure it's big enough ... but look at the location.

So you've managed to calm your nerves some. As we discussed in Part 1 of this series, you managed to collect memory and disk images from computers you could walk up too and touch using Helix. You haveexternal hard drivesfilling up with images to be looked at. You have been going down the list of systems that you need to image and things are going smoothly.

Until now.

You have discovered, things are slightly more complex for the next system. One of the computers you have to take an image of is located in Seattle.

Nice city. Space Needle webcam is cool. OK weather, if you're aduck. They do call it the Rain City for a reason.

Butthere isjust one small problem.

You are in Cleavland.

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in web application used to sign onto to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to not focus on using secure methods like using random numbers in generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


Protecting Admin Passwords During Remote Response and Forensics

PsExec

PsExec has been a great tool for remotely executing processes on a Windows machine. It has been around for years and is one of many useful tools from Mark Russinovich (formerly of SysInternals, now with Microsoft). As described on PsExec's webpage, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."

That said, there is a significant drawback to PsExec's default behavior, as described in the last sentence of the description on PsExec's webpage: "Note that the password is transmitted in clear text to the remote system."

This is something that needs to be seriously considered and accounted for when using PsExec. Corporate incident responders typically have domain administrator rights for response purposes. The idea of

...


First forensics work - Part 1: Organized chaos and panic

You've taken the plunge. You want to work in digital forensics. Congratulations. You've told your boss of this interest, managed to get some forensics training (SANS FOR508of course! ) and hyped upthe type of things you would be able to accomplish. You feel good about yourself.

Until now.

Two months after your course.

And you haven't had time to practice anything, let alone review the material.

The situation: You were called in and asked to use all of thesenew skills to help solve a problem. And the pressure is on, as they want someanswers by the end of the day. Now you are wondering why did I tell them I wanted to do this again?

Don't panic.

You can do this. We`ve all been there. All you need is a little help from your friends.

The goal of this seriesis to help guide you through a case, and provide suggestions on how

...


Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition