SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Live Investigations


Directory Link Counts and Hidden Directories

by Hal Pomeranz, Deer Run Associates

One of the things I love about teaching at SANS is that the students are smart people and come up with great ideas. Sometimes these ideas even lead to useful tools, as was the case a few years ago when we were talking about hidden directories in the Digital Forensics section of Sec506.

First, a little background information. Unix file systems keep a "link count" for every object in the file system. This value is the number of directory entries that point to the inode associated with the object. In the case of a regular file, the link count is the number of hard links to that file.

However, Unix file systems don't let you create hard links to

...
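The excerpt above stops at the regular-file case. As an added example (this is not code from the original post), the script below applies the same link-count idea to directories, which is where the post's title is heading: on ext2/3/4, XFS, UFS and tmpfs a directory's link count is 2 plus the number of its subdirectories (its entry in the parent, its own ".", and one ".." per child). A rootkit that merely filters names out of readdir() results leaves the inode's link count intact, so a directory whose link count implies more subdirectories than are visible is worth a closer look. The generalisation and the caveat are mine: btrfs and some network or FUSE file systems report st_nlink of 1 for every directory, so the check is only applied when the count is at least 2. The scratch tree built by demo() is constructed for the example.

```python
# Added example: compare a directory's st_nlink with the subdirectories readdir()
# shows. Assumes the 2 + N convention (ext2/3/4, XFS, UFS, tmpfs); returns None
# where a file system reports st_nlink < 2 (btrfs, some FUSE/network mounts).
import os
import tempfile


def implied_subdirs(nlink):
    """Subdirectory count implied by a directory's link count (nlink - 2), or
    None when the file system does not follow the 2 + N convention."""
    if nlink < 2:
        return None
    return nlink - 2


def hidden_subdir_count(nlink, visible_count):
    """Subdirectories the link count implies but readdir() did not show.
    0 means consistent, a positive value is the indicator, None means n/a."""
    implied = implied_subdirs(nlink)
    if implied is None:
        return None
    return implied - visible_count


def visible_subdirs(path):
    """Subdirectory names readdir() shows for path. Symlinks are excluded because
    a symlink to a directory contributes no ".." entry to the link count."""
    with os.scandir(path) as it:
        return sorted(e.name for e in it if e.is_dir(follow_symlinks=False))


def check_directory(path):
    """Return (nlink, visible_names, hidden) for a single directory."""
    nlink = os.lstat(path).st_nlink
    vis = visible_subdirs(path)
    return nlink, vis, hidden_subdir_count(nlink, len(vis))


def scan_tree(root):
    """Walk root without following symlinks and return every directory whose link
    count exceeds what is visible, as (path, nlink, visible_count, hidden)."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        nlink, vis, hidden = check_directory(dirpath)
        if hidden is not None and hidden > 0:
            findings.append((dirpath, nlink, len(vis), hidden))
    return findings


def demo():
    """Constructed scratch tree: three subdirectories plus a regular file with two
    names (a hard link). Returns the measurements so they can be checked."""
    with tempfile.TemporaryDirectory() as top:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(top, name))
        data = os.path.join(top, "data")
        with open(data, "w") as fh:
            fh.write("hello\n")
        os.link(data, os.path.join(top, "data.hardlink"))  # second name, same inode
        nlink, vis, hidden = check_directory(top)
        return {
            "dir_nlink": nlink,        # 5 on a 2 + N file system
            "visible": vis,            # ["a", "b", "c"]
            "hidden": hidden,          # 0 when consistent, None when n/a
            "file_nlink": os.stat(data).st_nlink,  # 2: two directory entries
            "findings": scan_tree(top),            # [] unless something is hidden
        }


if __name__ == "__main__":
    r = demo()
    print("directory link count:", r["dir_nlink"], "visible subdirs:", r["visible"],
          "hidden:", r["hidden"])
    print("hard links to data:", r["file_nlink"])
    print("suspicious directories:", r["findings"])
```

Run scan_tree() over a suspect mount from a trusted environment (a boot CD or a copy of the image mounted read-only) if you want the link counts to come from the file system rather than from whatever is loaded in the running kernel.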


Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices that commonly available forensic tools do not fully support. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry

...


Perl-Fu: Regexp log file processing

Remember that with Perl the key benefit is the ability to easily implement almost any kind of input/output processing system one might need or conceive, without the need for a lot of code or time in development. When you are faced with massive amounts of data and a small amount of analytical time, this agility is critical. I will not be teaching regular expression syntax but there are countless primers and resources on the web for this, and they almost universally apply to languages/interpreters other than Perl, including our favorite command line tool, grep. Consider the following code:

#!/usr/bin/perl
# UserSplit.pl
# Creates user-specific files from a single log file based on the field "User="
$logfile = $ARGV[0];
open(LOG, "<$logfile") or die "Cannot open $logfile: $!\n";
while (<LOG>) {
    next unless /User=(\S+)/;                       # skip lines with no User= field
    open(OUT, ">>$1.log") or die "Cannot open $1.log: $!\n";   # one file per user
    print OUT $_; close(OUT);
}
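
As an added example (not code from the original post, which is in Perl), the same idea in Python: extract the User= field with a regular expression and bucket each line under its user. It goes a little beyond the post's case: the value may be bare (User=alice) or double-quoted (User="Bob Smith"), lines without the field are counted rather than silently dropped, and the per-user file name is sanitised so a quoted value containing a slash cannot write outside the output directory. The log lines are constructed for this example.

```python
# Added example: regex-driven splitting of a log into per-user buckets.
# SAMPLE_LOG is constructed; the User= field is the only thing the code relies on.
import os
import re
from collections import defaultdict

# A double-quoted value or a bare token; exactly one of the named groups matches.
USER_RE = re.compile(r'\bUser=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

SAMPLE_LOG = """\
2009-03-01 08:12:03 host1 sshd[1022]: Accepted password User=alice src=10.0.0.5
2009-03-01 08:12:09 host1 app[2001]: Login ok User="Bob Smith" role=admin
2009-03-01 08:13:44 host1 sshd[1022]: Failed password User=mallory src=10.0.0.9
2009-03-01 08:14:02 host1 cron[99]: run-parts /etc/cron.hourly
2009-03-01 08:15:17 host1 app[2001]: Download User=alice file=q1.xls
"""


def user_of(line):
    """Return the User= value on a line, or None if the field is absent."""
    m = USER_RE.search(line)
    if not m:
        return None
    quoted = m.group("quoted")
    return quoted if quoted is not None else m.group("bare")


def split_by_user(text):
    """Group log lines by user.

    Returns (buckets, unmatched): buckets maps user -> list of lines in original
    order; unmatched counts lines that carried no User= field.
    """
    buckets = defaultdict(list)
    unmatched = 0
    for line in text.splitlines():
        user = user_of(line)
        if user is None:
            unmatched += 1
            continue
        buckets[user].append(line)
    return dict(buckets), unmatched


def write_user_files(buckets, directory):
    """Write one <user>.log per bucket under directory, as UserSplit.pl does.
    Characters outside [A-Za-z0-9_.-] are replaced so the user value can never
    become a path component. Returns the paths written."""
    written = []
    for user, lines in buckets.items():
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", user) or "_"
        path = os.path.join(directory, safe + ".log")
        with open(path, "a") as fh:
            fh.write("\n".join(lines) + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    buckets, unmatched = split_by_user(SAMPLE_LOG)
    for user, lines in buckets.items():
        print(f"{user}: {len(lines)} line(s)")
    print(f"{unmatched} line(s) without a User= field")
```

Point write_user_files() at an empty scratch directory; it appends, so running it twice over the same log doubles every file.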

Using mind maps in forensics

by Jeff Bryner

I've been playing with mind mapping software lately, mostly using the wonderful open-source FreeMind. I'm definitely not the first one to consider using this for forensic analysis, but hopefully I can help spread the meme and help us all organize our thoughts.

Just for fun, here's a sample starting point for a fake embezzlement case if you've not seen a mind map before:
(Image: basic mind map)

I've posted it here in case it's easier to start

...