SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.

FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (

When "Redundant" Yields Different Results

by Hal Pomeranz, Deer Run Associates

One question that often comes up with I'm talking about Digital Forensics in SANS Sec506 is, "There are so many ways to get at the same data on a Linux/Unix system, which method should we choose?" My response is, "All of them." And then I show them this little example to explain why.

Let's take the case of active network connections on the system. There are all sorts of ways to get at this data, including "lsof" and "netstat":

# lsof -i :22
# netstat -anp | grep :22
tcp 0 0* LISTEN -

This is definitely a


Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry


The Death of Computer Forensics (on Web2.0 Sites)

by Jack Bezalel

Computer Forensic''Computer Investigation''Forensic Cases''

It is always about some geek wearing old style clothes,

3-days beard (for a gentleman) OR undone hair (for a lady) , glazing eyes,

lots of half eaten pizza remains around, empty cans of beer scattered around

and a refrigerator that looks like the dump bucket.

And then a beautiful young client knocks on the door, asking for help

in an X-files type of investigation.

Our geek hero always knows how to get the critical data off the disks, camera

phone, printer, remote server, whatever.

Our hero knows how to break in, decrypt, analyze, summarize, save the client

in the last moment from a crashing car, and drink some more beer (or wine).

Computer Crime resolved.


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so you mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will