SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Computer Forensics How-To: Microsoft Log Parser

As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love … Continue reading Computer Forensics How-To: Microsoft Log Parser


Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!

This week's case leads features a new SMS botnet attack that has ripples into mobile forensics; Guidance Software releases an iOS forensics tool; an in-depth legal analysis of a recent ruling that could encourage lawyers to sue businesses due to downstream liability, and these lawsuits could involve considerable e-discovery; SIFT wins forensic award; PLUS get … Continue reading Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!


Digital Forensics: PS3 Linux file system analysis and network forensics

Let me start by noting how much fun I had while investigating and analyzing everything for this forensics challenge, I was able to apply many different techniques, from analyzing logs to file carving and network forensics. It's the 2009 forensics challenge from DFRWS and you can find the description, system images and pcap files at … Continue reading Digital Forensics: PS3 Linux file system analysis and network forensics


Digital Forensics: In-depth analysis of SRM and BCWipe (for unix)

Secure wiping tools are nothing new, we've all seen and used them for a long time now. It's no mystery that these tools are used by intruders to cover their tracks by securely deleting files such as logs, or other files they downloaded onto compromised systems. Organizations also use these tools to securely delete confidential … Continue reading Digital Forensics: In-depth analysis of SRM and BCWipe (for unix)


Digital Forensics: Finding Encoded Evidence

Recently I was asked to recover images from a suspect machine. Numerous tools have the ability to categorize files based on type. Students of SANS 508 get a look under the hood at how this is done using the "magic numbers" found at or near the start of files with well-known formats. Fortunately, most of … Continue reading Digital Forensics: Finding Encoded Evidence