SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Hardcopy III

by Quinn Shamblin

HC3 Controls

Parts that come in the package

VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III


Nevada bill would make some security research a felony

by Ira Victor

The 75th Session of the Nevada Legislature is taking up a new bill - SB125 - that, if enacted into law as introduced to committee, could make it illegal for information security researchers to do work that shows the vulnerabilities in many types of RFID systems. The bill raises important security research issues, criminal law issues, and some forensic matters.

The bill would make it a class C felony (up to 5 years in prison, up to a $10,000 fine) to skim personally identifiable information (PII) from another person's RFID enabled ID or other document, without that person's prior knowledge.


Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course, which is also known as SEC508. With the launch of the community website at http://forensics.sans.org it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.

The blog series "SIFT'ing" will show how to utilize the workstation using a series of exercises. Today we will discuss how to use the


Is MSFT Serious About Its $250k Conficker Reward?

by Ira Victor

A few days ago, Microsoft made a big announcement about a $250,000 bounty to help catch the creators of the Conficker Worm. I covered that bounty story in Data Security Podcast Episode #40. The only problem: Microsoft apparently didn't tell anyone WHO to contact if you are a successful bounty hunter and have quality information from your investigation or incident response process.

According to the Microsoft's

...


When Encountering Safeguard Easy's Boot-time Authentication Lockout…

Full disk encryption is great for security, but encrypting data carries with it some incidental risk. Forgotten or otherwise unknown encryption passphrases and keys can lead to serious consequences in many situations. In forensics and incident response we use and encounter encryption all the time, and accessing encrypted data in a timely fashion can be critical. I'd like to share a trick I learned while dealing with a "bricked" encrypted device utilizing SafeGuard Easy ("SGE") from Utimaco Software, a fairly common full disk encryption solution.

Safeguard Easy offers

...