SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry


The Death of Computer Forensics (on Web2.0 Sites)

by Jack Bezalel


It is always about some geek wearing old-style clothes, a three-day beard (for a gentleman) or undone hair (for a lady), glazed eyes, lots of half-eaten pizza remains around, empty beer cans scattered around, and a refrigerator that looks like a dump bucket.

And then a beautiful young client knocks on the door, asking for help in an X-Files type of investigation.

Our geek hero always knows how to get the critical data off the disks, camera phone, printer, remote server, whatever. Our hero knows how to break in, decrypt, analyze, summarize, save the client at the last moment from a crashing car, and drink some more beer (or wine).

Computer crime resolved.


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so your mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will
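The manual process the post contrasts NetworkMiner with is: find the TCP conversation that carried the download, follow the stream so the segments are in order, locate the HTTP body, and cut the file out by its length or its magic bytes. The script below is an added example written for this page, not code from the original post or from NetworkMiner, Wireshark or foremost. It builds a small constructed pcap in memory (one HTTP response carrying a fake "MZ" executable, split over two out-of-order segments with a retransmission), parses the pcap, Ethernet, IPv4 and TCP headers itself, reassembles the stream, carves the body using Content-Length, and identifies the result by leading magic bytes the way foremost does. The addresses, ports, sequence numbers and file contents are all made up for the demonstration.

```python
import struct

# Constructed sample (not from any real capture): one HTTP response carrying a
# fake "MZ" executable, deliberately split across two TCP segments that arrive
# out of order, with the first one retransmitted, so no single packet holds it.
FILE_BODY = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"-constructed-sample-"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FILE_BODY)) + FILE_BODY
SPLIT = 40
SEGMENTS = [(1000 + SPLIT, RESPONSE[SPLIT:]),   # second half captured first
            (1000, RESPONSE[:SPLIT]),           # first half
            (1000, RESPONSE[:SPLIT])]           # ... and its retransmission
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"%PDF": "pdf"}

def build_pcap(segments, sport=80, dport=49152):
    """Write a little-endian pcap (Ethernet link type) with one TCP segment per entry."""
    src, dst = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x05"     # 10.0.0.2 -> 10.0.0.5
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (seq, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 1, (5 << 12) | 0x18,
                          8192, 0, 0) + payload                  # PSH|ACK, no checksum
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         src, dst) + tcp
        frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return bytes(out)

def pcap_frames(data):
    """Yield raw Ethernet frames from a classic pcap image (either byte order)."""
    end = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]   # captured length
        off += 16
        yield data[off:off + incl]
        off += incl

def tcp_segments(frames):
    """Yield (flow, seq, payload) for each IPv4/TCP frame that carries data."""
    for f in frames:
        if f[12:14] != b"\x08\x00":                # not IPv4
            continue
        ip = f[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                             # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq, _, doff_flags = struct.unpack_from("!HHIIH", tcp)
        payload = tcp[(doff_flags >> 12) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(segments):
    """Order each flow by sequence number, dropping retransmitted bytes (what
    Wireshark's Follow TCP Stream does for you)."""
    flows = {}
    for flow, seq, payload in segments:
        flows.setdefault(flow, []).append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        buf, nxt = bytearray(), None
        for seq, payload in sorted(segs, key=lambda s: s[0]):
            nxt = seq if nxt is None else nxt
            if seq < nxt:                          # overlap: keep only unseen bytes
                payload, seq = payload[nxt - seq:], nxt
            if seq > nxt:                          # hole: the capture lost a segment
                raise ValueError("gap in stream at seq %d" % nxt)
            buf += payload
            nxt += len(payload)
        streams[flow] = bytes(buf)
    return streams

def carve_http_body(stream):
    """Cut the entity body out of an HTTP response by Content-Length. Returns None
    for incomplete headers, no Content-Length (chunked bodies need other
    handling) or a capture that ends before the body does."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
            break
    else:
        return None
    return rest[:length] if len(rest) >= length else None

def extract_files(pcap_bytes):
    """Return {flow: (type, body)}; the type comes from leading magic bytes."""
    found = {}
    for flow, stream in reassemble(tcp_segments(pcap_frames(pcap_bytes))).items():
        body = carve_http_body(stream)
        if body is not None:
            kind = next((k for m, k in MAGIC.items() if body.startswith(m)), "unknown")
            found[flow] = (kind, body)
    return found
```

Running `extract_files(build_pcap(SEGMENTS))` returns one entry keyed by the 10.0.0.2:80 to 10.0.0.5:49152 flow whose body is the 56-byte "MZ" blob, tagged "pe". Point the same functions at `open("capture.pcap", "rb").read()` to try it on a real capture; the places a real-world capture will trip it up (pcapng files, non-Ethernet link types, chunked transfer encoding, gzip-compressed responses, lost segments) are exactly the ones that make it worth checking an automated tool's output by hand.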


Hardcopy III

by Quinn Shamblin

[Image: HC3 Controls]

[Image: Parts that come in the package]

VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III

Nevada bill would make some security research a felony

by Ira Victor

The 75th Session of the Nevada Legislature is taking up a new bill, SB125, that, if enacted into law as introduced to committee, could make it illegal for information security researchers to do work that demonstrates the vulnerabilities in many types of RFID systems. The bill raises important security research, criminal law, and forensic issues.

The bill would make it a class C felony (up to 5 years in prison, up to a $10,000 fine) to skim personally identifiable information (PII) from another person's RFID enabled ID or other document, without that person's prior knowledge.