SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials

This week's edition of Case Leads features a couple of tools for Windows including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from "the Cloud." We've also included a TED talk on the history of malware and we have an article on the … Continue reading Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials


Digital Forensics: Dropbox

Update: Thanks to everyone for the feedback. I'm glad the info is useful and interesting - mission complete here. For everyone who asked about the full article, it's now available on Forensic Focus: http://www.forensicfocus.com/dropbox-forensics Dropbox is a web-based file synchronization and sharing service. While it can be a backup of sorts, it's really geared toward … Continue reading Digital Forensics: Dropbox


How to Mount Dirty EXT4 File Systems

Hal Pomeranz, Deer Run Associates As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system- as is typical during forensic seizure- and the file system is still "dirty". In these cases, my technique involves … Continue reading How to Mount Dirty EXT4 File Systems


Volume Shadow Copies and LogParser

Volume Shadow Copies (VSCs) can contain a treasure trove of information - so much information that if not treated correctly, they can become too cumbersome for many investigators. (Note: if you are unfamiliar with VSCs, Rob Lee has a great write-up about the subject.) One way to make the examination of VSCs a little less … Continue reading Volume Shadow Copies and LogParser


Data reduction redux and map-reduce

A few days ago I wrote a post about applying the principle of least frequent occurrence to string searches in forensics. This post will discuss how long that process may take and at the end, will show some significant ways to speed up the process. In the previous post I used the following compound command … Continue reading Data reduction redux and map-reduce