SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. What makes these very interesting from a forensic perspective is that all of them except registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64-bit Windows FILETIME values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...


Digital Forensic Case Leads: Malware hunting

Incident responders and digital forensics investigators are on the front-lines in the battle against malware. We need good intelligence for tracking its origins and command and control structures. This intelligence can help us limit malware's access to our networks and help us find it. When we do find it, we need good tools for eradicating it. For this week's Case Leads, I've been looking into some resources and tools that can aid in these efforts.
Tools:

  • First up, a new, to me, malware removal tool called Malwarebytes. As I said, it's new to me, and I've only done a little playing around in the lab, but I've been told by others that it works great. I'm blocking out some time to delve into the tool more extensively and will have more to say about it then.
  • Two sites that provide lists of sites known to be distributing malware, http://www.malwaredomains.com/

...


Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT); Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey; and the New Jersey Supreme Court made a ruling that could have a significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials, taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.

Tools:

...


Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS, or Massive Portable Forensic Storage, provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via FireWire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and with Logicube's second new device, the NETConnect, which, as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device, but if Logicube or anyone else wants to send me a set, I will be

...


Digital Forensic Sampling

Robert-Jan Mora and Bas Kloet have released an interesting paper, DigitalForensicSampling.pdf, about applying statistical sampling to digital forensics. Digital forensic practitioners are frequently faced with extremely large amounts of data to analyze, a situation that looks set to get worse as storage capacities continue to increase. Mora and Kloet propose the use of random sampling for certain types of cases as a means of alleviating this problem.

Here's a quote from the paper's introduction:

In this paper we would like to address a few problems that we encounter in the digital forensic field, in general, which probably will get worse if our methods do not get smarter soon. A few problems that the digital forensic community has to deal with are:

  • The amount of data that needs to be investigated in cases increases every year;