SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Ultimate Windows Timelining

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado... First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might …


Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials

This week's edition of Case Leads features a couple of tools for Windows including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from "the Cloud." We've also included a TED talk on the history of malware and we have an article on the …


Digital Forensics: Dropbox

Update: Thanks to everyone for the feedback. I'm glad the info is useful and interesting - mission complete here. For everyone who asked about the full article, it's now available on Forensic Focus: http://www.forensicfocus.com/dropbox-forensics Dropbox is a web-based file synchronization and sharing service. While it can be a backup of sorts, it's really geared toward …


How to Mount Dirty EXT4 File Systems

Hal Pomeranz, Deer Run Associates As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system, as is typical during forensic seizure, and the file system is still "dirty". In these cases, my technique involves …


Volume Shadow Copies and LogParser

Volume Shadow Copies (VSCs) can contain a treasure trove of information - so much information that if not treated correctly, they can become too cumbersome for many investigators. (Note: if you are unfamiliar with VSCs, Rob Lee has a great write-up about the subject.) One way to make the examination of VSCs a little less …