SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Recovery of MP3s using regular expressions

by Quinn Shamblin

I was recently asked to recover audio MP3 from a corrupted memory chip.

The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo 44.1KHz at 128kbps.

audio_editorThere are several tools and approaches that are sometimes helpful in automated data recovery. I tried Access Data's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.

An MP3 file is simply a sequential series of "frames", 417-418 bytes in length, that each have their own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3


Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization owned asset, or looking for misuse of organization owned data? Not even a trick question. Too easy. So why do organization's computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that


SQL Rootkits

Forensics and Data Access Auditing

by Craig Wright

Data access auditing is a surveillance control that intersects with forensics and incident handling. In all events, the same level of care needs to be taken as any event can lead to a forensic engagement. By monitoring access to all sensitive information contained within the database, suspicious activity can be brought to the examiner's awareness. Databases commonly structure data as tables containing columns (think of a spreadsheet, only more complex). Data access examinations should address six questions:

  1. Who accessed the data?
  2. When was the data accessed?
  3. How was the data accessed? (This is what computer program or client software was used?)
  4. Where was the data accessed from (this is the location on the network or Internet)
  5. Which SQL query was used to


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so you mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will