SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Top 7 ways investigators catch criminals using Mobile Device Forensics

Modern day mobile devices are a double-edged sword, creating new security risks while providing valuable sources of evidence for digital forensic investigators. Their ever expanding capabilities make mobile devices more like personal computers that accompany us as we navigate the world. Digital forensic investigators can use information stored on and generated by mobile devices to reconstruct our movements, communications, and other personal details.

If you need to extract information from cell phones, smart phones, and other mobile devices, or are concerned about the security of data on such devices, here are some important things you should know.

Bypassing Security Codes: Digital forensic investigators can extract the security code from some locked mobile devices using specialized tools. The screenshot below

... Continue reading Top 7 ways investigators catch criminals using Mobile Device Forensics

Live Investigations

Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.

FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (

When "Redundant" Yields Different Results

by Hal Pomeranz, Deer Run Associates

One question that often comes up with I'm talking about Digital Forensics in SANS Sec506 is, "There are so many ways to get at the same data on a Linux/Unix system, which method should we choose?" My response is, "All of them." And then I show them this little example to explain why.

Let's take the case of active network connections on the system. There are all sorts of ways to get at this data, including "lsof" and "netstat":

# lsof -i :22
# netstat -anp | grep :22
tcp 0 0* LISTEN -

This is definitely a


Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry