SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before


Flash Cookie Forensics

Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash Cookies, or local Shared Objects in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations.

First some basics:

  • Macromedia Flash has become ubiquitous on the web, providing features such as streaming video and a "rich client" experience. Many of the most popular sites on


Analysis of e-mail and appointment falsification on Microsoft Outlook/Exchange

Author: Joachim Metz


In digital forensic analysis it is sometimes required to be able to determine if an e-mail has or has
not been falsified. In this paper a review of certain Outlook Message Application Programming
Interface (MAPI)
is provided which can help in determining falsified e-mails or altered
appointments in an Microsoft Outlook/Exchange environment.

About the libpff project

In 2008 Joachim Metz a forensic investigator at Hoffmann Investigations started the libpff project.
At that time the best source about the Personal Folder File (PFF) format in the public domain was
the libpst project. The libpst project dated back to 2002 and had been contributed and


Making Reviewing Files From Data Carving Easier: Images


I usually do a lot of data carving. With 500 gig drives becoming the norm in machines, the recovered files I see from data carving is huge. Nothing like having to review 10000+ jpegs and having to review each one. I had a lot of issues trying to find something to review that many images. After trying many programs and some hacks to break up the images into smaller subsets. I decided to write my own set of tools for processing the files recovered from data carving.

Data Carver Processors

The Data Carver Processors are a combination of Perl scripts and other programs that are designed to break up the recovered files into manageable chunks. As the script runs over the files, it will create a series of web pages with thumbnails and a second web page for each file that contains plug-in output like metadata, hashes, and etc. The scripts, for the most part, will not process damaged files. If a file is damaged, there will be no image for it on

... Continue reading Making Reviewing Files From Data Carving Easier: Images

FAT File Sizes

If you're just checking this blog for the first time, you should know that this post is one in a series of posts dealing with a FAT file system that has been tweaked in various ways to make recovery of the data more difficult, if only for the casual observer. Forensics folks like yourselves would have no issue recovering the data, but the point of this series is to learn about the FAT file system and how it works.

In last week's FAT Tuesday post we looked at a file in our usb key image (get it here) called "Scheduled Visits.exe". We looked at the metadata for the file using