SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Recovering Open But Unlinked File Data

By Hal Pomeranz, Deer Run Associates

If you've ever been a Unix system administrator, you may have encountered "open but unlinked" files in the course of your normal duties. The typical scenario is a user who's launched a process that creates an unexpectedly large output file which consumes all of the free space in the partition. In a panic, the user deletes the output file but leaves the process running. Unfortunately, the operating system is not allowed to reclaim the space until the last process that has the output file open actually exits. So until the user kills their process, the space is still in use and the file system is full. But when you, as the system administrator, log in to free some space in the partition, you're unable to find the massive file that's consuming all of the space with your normal file system

...


PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption, which involved the use of VMware and a virtual image of the encrypted drive.


First Response: Recovering a Dying Hard Drive

By David Hoelzer
Enclave Forensics

So there I was, happily working away, when Time Machine pops up and tells me, "Time Machine has not successfully completed a backup in 18 days." "That's strange," I thought, and proceeded to look into what could possibly be wrong.

I won't bore you with my deep satisfaction with Macs and Time Machine. That's not what this article is about. However, what I discovered was that Time Machine was failing to mount the sparse bundle in which the backup is stored. After poking at this for a couple of minutes I decided to simply reformat the Time Machine partition and be done with it.

After doing

...


Robocopy - a Computer Forensics tool?

The usual practice for obtaining potential evidence would be to acquire a bit-for-bit forensic image of the drive and to lock the image up in an evidence safe. Depending upon the legal team's request, one may also replace the original hard drive and keep it in the safe instead of just an image. Another option I like is having a third party acquire the drive on our behalf and keep it in their secure area for us. Sometimes, however, for various reasons, a forensic image may not be feasible. So, then, what is another option?

In a recent e-mail exchange with Rob Lee, I asked him what he thought about using


NCS vs DRN - Taking Notes

Intro to Notes

If computer forensics is to be taken as a science, a key requirement is that results be repeatable. A key part of repetition is the quality of your notes.

Notes are an important aspect of an investigation. No matter how good of a memory you have, something is bound to slip through the cracks at some point. Take the size of some investigations, the length of time it may take before anyone takes action on your report, and the size of many case loads, and a lack of notes can be a recipe for disaster. On the other hand, note-taking style is largely a matter of personal preference, with no industry-standard way of approaching the situation. I thought we might talk a bit about different options and problems that come from note taking, and hope that some others will chime in with how they approach the problem.

Format

The first question that comes up with note taking is where you want to do it. Low tech has some

...