SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

System State Backup

The Windows system state backup is in effect a backup of the complete system. Everything that is present within the system will be copied as backup so that no data or information is lost whenever there is a system crash or corruption of the driver files, if certain system files stop the system from functioning properly. To perform a forensic analysis of evidence on a Windows system, backing up a system's registry is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the:


Top 7 ways investigators catch criminals using Mobile Device Forensics

Modern day mobile devices are a double-edged sword, creating new security risks while providing valuable sources of evidence for digital forensic investigators. Their ever expanding capabilities make mobile devices more like personal computers that accompany us as we navigate the world. Digital forensic investigators can use information stored on and generated by mobile devices to reconstruct our movements, communications, and other personal details.

If you need to extract information from cell phones, smart phones, and other mobile devices, or are concerned about the security of data on such devices, here are some important things you should know.

Bypassing Security Codes: Digital forensic investigators can extract the security code from some locked mobile devices using specialized tools. The screenshot below

... Continue reading Top 7 ways investigators catch criminals using Mobile Device Forensics


Live Investigations


Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.

FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (


When "Redundant" Yields Different Results

by Hal Pomeranz, Deer Run Associates

One question that often comes up with I'm talking about Digital Forensics in SANS Sec506 is, "There are so many ways to get at the same data on a Linux/Unix system, which method should we choose?" My response is, "All of them." And then I show them this little example to explain why.

Let's take the case of active network connections on the system. There are all sorts of ways to get at this data, including "lsof" and "netstat":

# lsof -i :22
# netstat -anp | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 172.1.1.136:22 172.1.1.1:39967 ESTABLISHED -

This is definitely a

...