SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?

The Paraben Forensics Innovator's Conference was held last week in Park City, Utah. Your SANS Digital Forensic blogger attended the event, along with over 300 fellow forensicators and lawyers. With information security events like BlackHat and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences. At these …


Outlier analysis in digital forensics

In my previous post, Atemporal time line analysis in digital forensics, I talked about using the inodes of a known piece of attacker code as a pivot point to discover previously unknown attacker code on a system. In this post, I want to point out another interesting thing about these inodes. Recall that I'm using …


Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing …


High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs, California. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA draw thousands. It's more difficult to really get to know one's colleagues at those …


NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity. One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design. One such feature is the Windows NTFS Index Attribute, also known as the …