SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Directory Link Counts and Hidden Directories

by Hal Pomeranz, Deer Run Associates

One of the things I love about teaching at SANS is that the students are smart people and come up with great ideas. Sometimes these ideas even lead to useful tools, as was the case a few years ago when we were talking about hidden directories in the Digital Forensics section of Sec506.

First, a little background information. Unix file systems keep track of a "link count" to all objects in the file system. This "link count" value is the number of different directory entries that all point to the inode associated with the object. In the case of a regular file, the link count is the number of hard links to that file.

However, Unix file systems don't let you create hard links to

...


Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry

...


Perl-Fu: Regexp log file processing

Remember that with Perl the key benefit is the ability to easily implement almost any kind of input/output processing system one might need or conceive, without the need for a lot of code or time in development. When you are faced with massive amounts of data and a small amount of analytical time, this agility is critical. I will not be teaching regular expression syntax but there are countless primers and resources on the web for this, and they almost universally apply to languages/interpreters other than Perl, including our favorite command line tool, grep. Consider the following code:

#!/usr/bin/perl
# UserSplit.pl
# Creates user-specific files from a single log file based on the field "User="
$logfile = $ARGV[0];
open(LOG, "

Using mind maps in forensics

by Jeff Bryner

I've been playing with mind mapping software lately, mostly using the wonderfully open source freemind.I'm definitely not the first one to consider using this for forensic analysis, but hopefully I can help spread the meme and help us all organize our thoughts.

Just for fun, here's a sample starting point for a fake embezzlement case if you've not seen a mind map before:
basic mind map

I've posted it here in case it's easier to start

...


Strings, Strings, Are Wonderful Things

One of the basics of doing forensics involves gathering the ASCII and Unicode strings in the file system and searching for keywords. Using Linux we can gather the strings for both ASCII and Unicode using the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The -td in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The -el option will have the strings command handle 16-bit little endian encoding. Strings can handle other types of encoding such as 32-bit big/little endian. See the man page on strings and the -e option.

Below is a sample output from the command:

192301896     
192301972 This field is deprecated. Deprecated components of Microsoft

... Continue reading Strings, Strings, Are Wonderful Things