SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud

The digital forensic and ediscovery case of the decade could describe the litigation between Facebook and a man that claims he has a contract and emails from Harvard Student Mark Zukerberg for 50% ownership of "The Face Book" as an early-stage investor. There are more questions than answers in this case right now, among them: … Continue reading Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud


Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org. Tools: Mandiant has released an update … Continue reading Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA


Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics

Solid State Drives (SSD) Forensics continue as the top story this week. Two University researchers published shocking research that indicates that the firmware in SSDs can destroy forensic evidence as part of it's everyday functionality. Details in MUST Reads (upgrading this week from "Good Reads"). Apple made big news with the launch of new tablet … Continue reading Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)

In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)


Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!

This week's case leads features a new SMS botnet attack that has ripples into mobile forensics; Guidance Software releases an iOS forensics tool; an in-depth legal analysis of a recent ruling that could encourage lawyers to sue businesses due to downstream liability, and these lawsuits could involve considerable e-discovery; SIFT wins forensic award; PLUS get … Continue reading Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!