SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Tricking the "script" Command

Keeping a record of all of the commands you type as well as their output is obviously useful during a forensic investigation. On Unix and Linux systems, we have the "script" command which does precisely this. You run "script " and the script command spawns a new shell: everything you type and all output you receive in return is automatically captured to the specified file.

From a forensic perspective, however, the classic problem is that script insists on writing its output to a file in the local file system. This is particularly a problem during the initial stages of incident response when you're operating on a live system trying to verify whether or not it has been compromised. If you capture your session with the script command, you may be trampling important data as your output file grows. Of course you could attach a portable storage device and write your output there, but that could be problematic on many levels.

This topic came up recently

... Continue reading Tricking the "script" Command


Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)

Dealing with EPHD, or PC Guardian's Encryption Plus is not too bad provided it has been setup correctly. By being setup correctly, I mean that the PC administrators have created an account that anyone can use to get past the hard drive encryption. This account and password needs to be treated just like the admin account. Only those people who need to know it, should have the userid and password.

On a side note: If your corporation has not implemented for your laptops and mobile devices, I have to ask why not? Hard drive encryption is much cheaper to implement then letting your corporate secrets and customer data out into the public.

Before We Begin

Before doing anything talk with your management and legal with regard to how they want you to proceed with imaging the encrypted devices. They may feel that this methodology is not right for them. The other aspect to be aware of is do you image the drive in its encrypted state and then use the

... Continue reading Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)


System State Backup

The Windows system state backup is in effect a backup of the complete system. Everything that is present within the system will be copied as backup so that no data or information is lost whenever there is a system crash or corruption of the driver files, if certain system files stop the system from functioning properly. To perform a forensic analysis of evidence on a Windows system, backing up a system's registry is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the:


Top 7 ways investigators catch criminals using Mobile Device Forensics

Modern day mobile devices are a double-edged sword, creating new security risks while providing valuable sources of evidence for digital forensic investigators. Their ever expanding capabilities make mobile devices more like personal computers that accompany us as we navigate the world. Digital forensic investigators can use information stored on and generated by mobile devices to reconstruct our movements, communications, and other personal details.

If you need to extract information from cell phones, smart phones, and other mobile devices, or are concerned about the security of data on such devices, here are some important things you should know.

Bypassing Security Codes: Digital forensic investigators can extract the security code from some locked mobile devices using specialized tools. The screenshot below

... Continue reading Top 7 ways investigators catch criminals using Mobile Device Forensics


Live Investigations