SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

The Death of Computer Forensics (on Web2.0 Sites)

by Jack Bezalel


It is always about some geek wearing old-style clothes, a three-day beard (for a gentleman) or undone hair (for a lady), glazed eyes, lots of half-eaten pizza remains around, empty cans of beer scattered about, and a refrigerator that looks like the dump bucket.

And then a beautiful young client knocks on the door, asking for help in an X-Files type of investigation.

Our geek hero always knows how to get the critical data off the disks, camera phone, printer, remote server, whatever.

Our hero knows how to break in, decrypt, analyze, summarize, save the client at the last moment from a crashing car, and drink some more beer (or wine).

Computer crime resolved.


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so your mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will


Hardcopy III

by Quinn Shamblin

HC3 Controls

Parts that come in the package

VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III.

Nevada bill would make some security research a felony

by Ira Victor

The 75th Session of the Nevada Legislature is taking up a new bill, SB125, that, if enacted into law as introduced to committee, could make it illegal for information security researchers to do work that shows the vulnerabilities in many types of RFID systems. The bill raises important security research, criminal law, and forensic issues.

The bill would make it a class C felony (up to 5 years in prison, up to a $10,000 fine) to skim personally identifiable information (PII) from another person's RFID-enabled ID or other document without that person's prior knowledge.

Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for digital forensic toolsets that accomplish some basic goals. The first of those goals is creating an environment suited to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course, which is also known as SEC508. With the launch of the community website at http:\ it is useful to go through some basic architecture of how the SIFT Workstation can actually be useful for you.

The blog series "SIFT'ing" will show how to utilize the workstation using a series of exercises. Today we will discuss how to use the