SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Forensics and Data Access Auditing

by Craig Wright

Data access auditing is a surveillance control that intersects with forensics and incident handling. In all events, the same level of care needs to be taken as any event can lead to a forensic engagement. By monitoring access to all sensitive information contained within the database, suspicious activity can be brought to the examiner's awareness. Databases commonly structure data as tables containing columns (think of a spreadsheet, only more complex). Data access examinations should address six questions:

  1. Who accessed the data?
  2. When was the data accessed?
  3. How was the data accessed? (This is what computer program or client software was used?)
  4. Where was the data accessed from (this is the location on the network or Internet)
  5. Which SQL query was used to


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so you mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will


Missed It By That Much!

Hal Pomeranz, Deer Run Associates

One primitive forensic technique I show my students in my SANS Sec506 class is the tried and true method of using grep to display byte offsets of "strings of interest" found in a disk image. For example, I have my students go looking for "love" in the file system of the VMware image we use in class:

# grep -abi 'love' /dev/sda6
452925733:# This is a comment. I love comments.

Once you have the byte offsets from grep, all you have to do is divide by the block size of the file system (hint: use fsstat) to get the number of the block that the string resides in. In the example, /dev/sda6 is a small file system that only uses 1024 byte


Nevada bill would make some security research a felony

by Ira Victor

The 75th Session of Nevada Legislature is taking up a new bill - SB125 - that, if enacted into law as introduced to committee, could make it illegal for information security researchers to do work that shows the vulnerabilities in many types of RFID systems. There are important security research, criminal issues, and some forensic matters related to this bill.

The bill would make it a class C felony (up to 5 years in prison, up to a $10,000 fine) to skim personally identifiable information (PII) from another person's RFID enabled ID or other document, without that person's prior knowledge.

P2P Usage Leads To Presidential Security Breach

by Ira Victor

Pittsburgh TV Station WPXI is reporting that Security Company Tiversa discovered engineering and communications information about the Marine One Chopper fleet on an Iranian Computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO Tiversa, said, that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to it's original source, which appears to be a defense contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defense contractor had a