SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Missed It By That Much!

Hal Pomeranz, Deer Run Associates

One primitive forensic technique I show my students in my SANS Sec506 class is the tried and true method of using grep to display byte offsets of "strings of interest" found in a disk image. For example, I have my students go looking for "love" in the file system of the VMware image we use in class:

# grep -abi 'love' /dev/sda6
452925733:# This is a comment. I love comments.

Once you have the byte offsets from grep, all you have to do is divide by the block size of the file system (hint: use fsstat) to get the number of the block that the string resides in. In the example, /dev/sda6 is a small file system that only uses 1024 byte


Nevada bill would make some security research a felony

by Ira Victor

The 75th Session of the Nevada Legislature is taking up a new bill - SB125 - that, if enacted into law as introduced to committee, could make it illegal for information security researchers to do work that shows the vulnerabilities in many types of RFID systems. The bill raises important security research, criminal, and forensic issues.

The bill would make it a class C felony (up to 5 years in prison, up to a $10,000 fine) to skim personally identifiable information (PII) from another person's RFID enabled ID or other document, without that person's prior knowledge.

P2P Usage Leads To Presidential Security Breach

by Ira Victor

Pittsburgh TV station WPXI is reporting that the security company Tiversa discovered engineering and communications information about the Marine One helicopter fleet on an Iranian computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO of Tiversa, said that he found the entire blueprints and avionics package for the famous helicopter on an Iranian system. The company traced the file back to its original source, which appears to be a defense contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defense contractor had a

Digital Forensic SIFT'ing: Registry and Filesystem Timeline Creation

by Rob Lee

Over the years, being able to examine filesystem timeline data has truly been a breakthrough for many investigations. We started using this technique very early on, when we were working on cases in the AFOSI and I wrote a script that would create a basic timeline called based off of The Coroner's Toolkit (TCT). To my surprise, this key forensic capability, found in the TCT tools, The Sleuth Kit, and others, has not been picked up by the major forensic vendors as a capability in toolsets such as EnCase and FTK.

Today's post will discuss how to create a Windows operating system timeline of both filesystem and registry data using the SIFT Digital Forensics Workstation.

What is computer


Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for digital forensic toolsets that accomplish some basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course which is also known as SEC508. With the launch of the community website at http:\
it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.

The blog series "SIFT'ing" will show how to utilize the workstation using a series of exercises. Today we will discuss how to use the