SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. Tools: Mandiant has released an update … Continue reading Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA


Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics

Solid State Drives (SSD) Forensics continue as the top story this week. Two University researchers published shocking research that indicates that the firmware in SSDs can destroy forensic evidence as part of it's everyday functionality. Details in MUST Reads (upgrading this week from "Good Reads"). Apple made big news with the launch of new tablet … Continue reading Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)

In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)


Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!

This week's case leads features a new SMS botnet attack that has ripples into mobile forensics; Guidance Software releases an iOS forensics tool; an in-depth legal analysis of a recent ruling that could encourage lawyers to sue businesses due to downstream liability, and these lawsuits could involve considerable e-discovery; SIFT wins forensic award; PLUS get … Continue reading Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!


How To: Forensically Sound Mac Acquisition In Target Mode

Can a Mac hard drive be easily removed for imaging with a forensic hardware imager? It is really a matter of personal opinion, Mac's are an engineering marvel just ask anyone that has had to remove a hard drive from a Mac for forensic imaging and then try to put it back together properly. Depending … Continue reading How To: Forensically Sound Mac Acquisition In Target Mode