SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Digital Forensics: PS3 Linux file system analysis and network forensics

Let me start by noting how much fun I had while investigating and analyzing everything for this forensics challenge, I was able to apply many different techniques, from analyzing logs to file carving and network forensics. It's the 2009 forensics challenge from DFRWS and you can find the description, system images and pcap files at … Continue reading Digital Forensics: PS3 Linux file system analysis and network forensics


Digital Forensics: In-depth analysis of SRM and BCWipe (for unix)

Secure wiping tools are nothing new, we've all seen and used them for a long time now. It's no mystery that these tools are used by intruders to cover their tracks by securely deleting files such as logs, or other files they downloaded onto compromised systems. Organizations also use these tools to securely delete confidential … Continue reading Digital Forensics: In-depth analysis of SRM and BCWipe (for unix)


Digital Forensics: Finding Encoded Evidence

Recently I was asked to recover images from a suspect machine. Numerous tools have the ability to categorize files based on type. Students of SANS 508 get a look under the hood at how this is done using the "magic numbers" found at or near the start of files with well-known formats. Fortunately, most of … Continue reading Digital Forensics: Finding Encoded Evidence


Understanding EXT4 (Part 1): Extents

Hal Pomeranz, Deer Run Associates EXT4 is a next generation file system replacement for the EXT2/EXT3 family of Linux file systems. It was accepted as "stable" in the Linux 2.6.28 kernel in October 2008[1]. As of this writing, it's starting to appear as the default file system in newer versions of several Linux distros. While … Continue reading Understanding EXT4 (Part 1): Extents


Digital Forensics: How to configure Windows Investigative Workstations

I like Windows. There... I said it. I understand that this statement will probably come with the requisite beatings, but I honestly enjoy using Windows on a day to day basis more than other operating systems and am willing to take whatever flack comes my way over it (and yes, my team at work loves … Continue reading Digital Forensics: How to configure Windows Investigative Workstations