SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

How To: Forensically Sound Mac Acquisition In Target Mode

Can a Mac hard drive be easily removed for imaging with a forensic hardware imager? It is really a matter of personal opinion, Mac's are an engineering marvel just ask anyone that has had to remove a hard drive from a Mac for forensic imaging and then try to put it back together properly. Depending … Continue reading How To: Forensically Sound Mac Acquisition In Target Mode


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)

A simple how-to on capturing contents of physical RAM on Mac OS computer using Mac Memory Reader. I will demonstrate how incident responders can do a simple analysis on the resulting binary file using strings, a hex-editor and foremost. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)


Digital Forensics Case Leads: Capturing Mac Memory, the Shifting Threat Landscape, Forensics Tool Updates, and Zero Day: A Novel

This week's edition of Case Leads features new and updated forensics tools, a report on changes in attack patterns, a novel from what may seem like an unlikely source and thoughts on timestamp manipulations. The ability to create a memory image on OS X has been lacking until now. A recently released report suggests that … Continue reading Digital Forensics Case Leads: Capturing Mac Memory, the Shifting Threat Landscape, Forensics Tool Updates, and Zero Day: A Novel


How to Preserve Cyber Investigation Evidence | Screencast Tool

Witness Signature Commonly, a cyber investigation examines how a digital resource - like an app, a hyperlink or a web search box — works. Example: Investigator observes that when mouse clicks on hyperlink X, browser goes to web page containing content Y. As an investigator observes how a resource works, he wants to record … Continue reading How to Preserve Cyber Investigation Evidence | Screencast Tool


Digital Forensics: How to configure Windows Investigative Workstations

I like Windows. There... I said it. I understand that this statement will probably come with the requisite beatings, but I honestly enjoy using Windows on a day to day basis more than other operating systems and am willing to take whatever flack comes my way over it (and yes, my team at work loves … Continue reading Digital Forensics: How to configure Windows Investigative Workstations