SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

It's the little things (Part One)

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data.

Individuals wanting to hide their activities may flush their browser cache, Temp files, use, and even wipe the drive free space. However, they may forget these two minor "tidbits". These can show detail, indicate actions and associated history. Be Warned, I have found Windows machines having thousands of .lnk files on a "scrubbed PC."

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (See Link) is an invaluable source describing the details of the shortcut .lnk. The shortcut file name format is usually name.ext.lnk There may be multiple .lnk files created for one file depending upon the type.

XP stores the .lnk files for the Word 2007 Document Brains.docx in:

Fun with FIFOs (Part II): Output Splitting

Hal Pomeranz, Deer Run Associates

Several months ago now, I wrote up a little article on using FIFOs to trick the script command into writing output over the network. But there are other neat hacks you can do with FIFOs, and I want to show you one right now that can save you lots of time.

Suppose you had a disk image and you wanted to pull out both the ASCII and Unicode strings from a specific partition. The classic approach is to read the partition twice- once to gather the ASCII strings and once to pull out the Unicode. But on a large partition, reading the image even once can take a huge amount of time. The good news is we can use some Unix FIFO magic along with the frequently overlooked tee


Using Image Offsets

Hal Pomeranz, Deer Run Associates

One of the basic techniques we teach in SANS Forensic classes is "carving" out partition images from complete raw disk images. All it takes is a little facility with mmls and dd. Here's a quick example of carving an NTFS partition out of a disk image to show you what I mean:

$ mmls -t dos drive-image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000064259 0000064197 DOS FAT12 (0x01)
03: 00:01 0000064260 0000273104 0000208845 DOS Extended (0x05)


NTFS: Attributes Part One

In the previous post in this series on NTFS file systems, we were just dipping our feet in the complicated waters by examining the output of fsstat. Let's pick up where we left off. Below is the $AttrDef Attribute Values section of fsstat's output from the previous post:

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
$ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
$FILE_NAME (48) Size: 68-578 Flags: Resident,Index
$OBJECT_ID (64) Size: 0-256 Flags: Resident
$SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident
$VOLUME_NAME (96) Size: 2-256 Flags: Resident
$VOLUME_INFORMATION (112) Size: 12-12


Learn To Investigate Data Breach Incidents

Computer Forensic Training is becoming more critical to your organizations incident response plan due to some of the current threats that are being discovered. Organizations will find more and more that they will need a team of trained incident responders and computer forensic analysts. Your organization needs to be prepared on how to handle sophisticated incidents and organized groups that can easily walk around your perimeter defenses.

Here are just a few recent headlines over the last year scoping the current threat against many networks.

MSNBC: "Report: Obama helicopter security breached. Pa company says blueprints for Marine One found at Iran IP address"

Wall Street Journal: "Computer Spies Breach Fighter-Jet Project"