SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Is MSFT Serious About It's $250k Conficker Reward?

by Ira Victor

A few days ago, Microsoft made a big announcement about a $250,000 bounty to help catch the creators the Conficker Worm. I covered that bounty story in Data Security Podcast Episode #40. The only problem: Microsoft apparently didn't tell anyone WHO to contact if you are a successful bounty hunter and have quality information from your investigation or incident response process.

According to the Microsoft's


When Encountering Safeguard Easy's Boot-time Authentication Lockoutâ¦

Full disk encryption is great for security, but encrypting data carries with it some incidental risk. Forgotten or otherwise unknown encryption passphrases and keys can lead to serious consequences in many situations. In forensics and incident response we use and encounter encryption all the time, and accessing encrypted data in a timely fashion can be critical. I'd like to share a trick I learned while dealing with a "bricked" encrypted device utilizing SafeGuard Easy ("SGE") from Utimaco Software, a fairly common full disk encryption solution.

Safeguard Easy offers


Spin-Stand Microscopy of Hard Disk Data

I shall be posting a series detailing the additional data not included in the paper [1] on recovering overwritten data in the following weeks.

My thanks to Dave Kleiman (one of the original papers co-author's with myself) for reviewing and adding some details to this post series.

Due to the limitations of peer reviewed papers, much of the detail of a process is commonly lost. This series of posts will endeavor to fill out the areas that are not covered in the paper in any detail and also add some further level of knowledge.

The recovery of data from damaged hard drives has come a long way over the years. Various techniques have been developed using both optical and electron microscopes and leading to the use of Magnetic force microscopy (MFM). MFM is a category of Scanning Probe Microscopy (SPM) and perhaps is the most widely used of these techniques. Of the techniques


Recovering Open But Unlinked File Data

By Hal Pomeranz, Deer Run Associates

If you've ever been a Unix system administrator, you may have encountered "open but unlinked" files in the course of your normal duties. The typical scenario is a user who's launched a process that creates an unexpectedly large output file which consumes all of the free space in the partition. In a panic, the user deletes the output file but leaves the process running. Unfortunately, the operating system is not allowed to reclaim the space until the last process that has the output file open actually exits. So until the user kills their process, the space is still in use and the file system is full. But when you as the system administrator logs in to free some space in the partition, you're unable to find the massive file that's consuming all of the space with your normal file system


PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption which involved the use of VMWare and a virtual image of the encrypted drive.