SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course which is also known as SEC508. With the launch of the community website at http:\
it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.

The blog series "SIFT'ing" will show how to utilize the workstation using a series of exercises. Today we will discuss how to use the

Is MSFT Serious About Its $250k Conficker Reward?

by Ira Victor

A few days ago, Microsoft made a big announcement about a $250,000 bounty to help catch the creators of the Conficker Worm. I covered that bounty story in Data Security Podcast Episode #40. The only problem: Microsoft apparently didn't tell anyone WHO to contact if you are a successful bounty hunter and have quality information from your investigation or incident response process.

According to the Microsoft's


When Encountering Safeguard Easy's Boot-time Authentication Lockout…

Full disk encryption is great for security, but encrypting data carries with it some incidental risk. Forgotten or otherwise unknown encryption passphrases and keys can lead to serious consequences in many situations. In forensics and incident response we use and encounter encryption all the time, and accessing encrypted data in a timely fashion can be critical. I'd like to share a trick I learned while dealing with a "bricked" encrypted device utilizing SafeGuard Easy ("SGE") from Utimaco Software, a fairly common full disk encryption solution.

Safeguard Easy offers


Spin-Stand Microscopy of Hard Disk Data

I shall be posting a series detailing the additional data not included in the paper [1] on recovering overwritten data in the following weeks.

My thanks to Dave Kleiman (one of the original paper's co-authors with myself) for reviewing and adding some details to this post series.

Due to the limitations of peer reviewed papers, much of the detail of a process is commonly lost. This series of posts will endeavor to fill out the areas that are not covered in the paper in any detail and also add some further level of knowledge.

The recovery of data from damaged hard drives has come a long way over the years. Various techniques have been developed using both optical and electron microscopes, leading to the use of Magnetic Force Microscopy (MFM). MFM is a category of Scanning Probe Microscopy (SPM) and perhaps is the most widely used of these techniques. Of the techniques


Recovering Open But Unlinked File Data

By Hal Pomeranz, Deer Run Associates

If you've ever been a Unix system administrator, you may have encountered "open but unlinked" files in the course of your normal duties. The typical scenario is a user who's launched a process that creates an unexpectedly large output file which consumes all of the free space in the partition. In a panic, the user deletes the output file but leaves the process running. Unfortunately, the operating system is not allowed to reclaim the space until the last process that has the output file open actually exits. So until the user kills their process, the space is still in use and the file system is full. But when you as the system administrator log in to free some space in the partition, you're unable to find the massive file that's consuming all of the space with your normal file system