SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Facebook Memory Forensics

OK, like everyone I joined facebook just to get updates on my high school reunion. (Who knew you could also use it as a possible alibi.)

But then, after writing pdgmail and pdymail and seeing all the neat personal information in facebook...tada pdfbook! Memory parsing to grab facebook info.

Like it's predecessors pdgmail and pdymail, I'm following the simple construct that memory strings are easy to get to and yield a treasure of information given today's


Helix 3 Pro: First Impressions

I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and

...


Mounting Images Using Alternate Superblocks (Follow-Up)

Hal Pomeranz, Deer Run Associates

Several months ago, I blogged about using alternate superblocks to fake out the ext3 drivers so you could mount file system images read-only, even if they were needing journal recovery. However, due to recent changes in the ext file system driver the method I describe in my posting is no longer sufficient. Happily, there's a quick work-around.

Let's try the solution from the end of my previous posting under a more recent Linux kernel:

# mount -o loop,ro,sb=131072 dev_sda2.dd /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is

...


Is Your index.dat File LEAKing?

One of the projects that I've been working on, has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) can not be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g.

Windows Scheduler (at job) Forensics

This information may be useful to people responding to compromise incidents involving Windows. Typically these days, when a job is scheduled for execution later, possibly every day, week, or month, it's done via a GUI tool or 'schtasks'. However , you can still use the original command line 'at' tool. This utility also allows such jobs to be scheduled over the network if admin credentials are possessed, which makes it quite useful to an attacker for post exploitation activities. When cleaning up after something like this, it's useful to know a bit about what it does under the hood, including the formats of the associated .job file, and the structure and location of associated log entries.

[caption id="attachment_11626" align="aligncenter" width="745" caption="Figure 1: A scheduled

...