SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.

Tools:

  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the

Nokia n900 mobile forensic cheat sheet

Nokia N900
Shadowed by coverage of all things Nexus and iPad, Nokia's new n900 is the unsung hero of the smart phone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, metasploit and wireshark. Future functionality includes backtrack itself packaged as neopwn v2!

Cutting to the chase then this is a quickie cheat sheet about forensic artifacts on the n900 and where to find

...


RSA 2010 - Digital Forensic Analyst Notebook

The RSA Security Conference was held this week in San Francisco. The conference is jammed packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.

Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks for this conference. But computer forensics were mentioned now and then in session talks, although many times by the audience more than the speakers.

Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown is an independent forensics consultant.

...


Cryptome Spying guides as a Digital Forensic Resource

Since December 2009, Cryptome.org has been publishing the legal spying guides from a variety of services and Service Providers. Therewas publicitythis past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was placed againstCryptome domain and its owner John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide Digital Forensic investigators a resource for appropriate contact and process logic contained in the Legal Spy guides published.

These documents were created to assist Law enforcement and appropriate investigators of what can be provided and the methodology for request. The guideswere generally considered confidential in nature when distributed. It is not my intent to break confidentiality of the source or creator. It is intended to assist in digital forensic discovery. Many of these documents are strictly intended for Law Enforcement and not

... Continue reading Cryptome Spying guides as a Digital Forensic Resource


Tableau Imager: First Look

I haven't paid much attention to write blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high speed connection (Firewire 800 / eSATA), I was happy. But I spent some time with Tableau's founder, Robert Botchek at the end of last year and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation. That's why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Michael Cloppert recently made an excellent plea for innovation in the IDS industry in his post,