SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing … Continue reading Atemporal time line analysis in digital forensics


High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs California last week. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA drawing thousands. It's more difficult to really get to know one's colleagues at those … Continue reading High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies


NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity. One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design. One such feature is the Windows NTFS Index Attribute, also known as the … Continue reading NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files


Digital Forensics Case Leads: Viva Las Vegas Forensics at BlackHat, SecurityBSidesLV, and DefCon

The 103 degree heat hits you in the face like a baseball bat. Some people say that 103 degrees (in the shade) is "no big deal", because, as they continue, "it's a dry heat." Yea, well, my oven is a dry heat, and I don't stick my head in it. But that is exactly the … Continue reading Digital Forensics Case Leads: Viva Las Vegas Forensics at BlackHat, SecurityBSidesLV, and DefCon


Hostile Forensics

Hostile Forensics Hello everybody to my first Blog post both here at SANS. I've released a whitepaper that may be of interest to people in the forensic community, and wanted to both share it with you and get feedback and criticism on it. Seeing a few great presentations today here at DefCon, namely by … Continue reading Hostile Forensics