SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

P2P Usage Leads To Presidential Security Breach

by Ira Victor

Pittsburgh TV Station WPXI is reporting that Security Company Tiversa discovered engineering and communications information about the Marine One Chopper fleet on an Iranian Computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO Tiversa, said, that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to it's original source, which appears to be a defense contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defense contractor had a


Digital Forensic SIFT'ing: Registry and Filesystem Timeline Creation

by Rob Lee

Over the years, being able to examine filesystem timeline data has truly been a breakthrough for many investigations. We started using this technique when we were working on cases in the AFOSI very early on when I wrote a script that would create a basic timeline called mac_daddy.pl based off of the original coroner's toolkit. To my surprise, this key forensic capability that is found in the TCT tools, sleuthkit, andothershas not been picked up on by the major forensic vendors as a capability in their toolsets such as EnCase and FTK.

Today's post will discuss how to create a windows operating system timeline of both filesystem and registry data using the SIFT Digital Forensics Workstation.

What is computer

...


Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course which is also known as SEC508. With the launch of the community website at http:\

orensics.sans.org
it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.

The blog series "SIFT'ing" will show to utilize the workstation using a series of exercises. Today we will discuss how to use the


Google Privacy tip of the day

by Jeff Bryner

If I keep writing on Google and forensics, they'll probably re-arrange my searches someday to all return kittenwar. However, just for you I'll sacrifice my sanity to pass on a helpfull tidbit about Google Toolbar.

Whether you're looking to determine information about what's in the toolbar, or looking to protect your privacy you may be interested to know that on startup the toolbar retrieves the favicon.ico file of all sites in your bookmark list.

I don't normally use it, but in deciphering some web traffic I had a hunch to work out so I tested it against XP and IE. I bookmarked two sites, rebooted and restarted IE with a blank home page. The network traffic on

...


Information Ordnance: Logic Bombs, Forensics, and the Tragical History of Roger Duronio

Given the ongoing investigation at Fannie Mae, it seems appropriate to start waxing philosophical a bit on some recent evolutionary changes in the digital forensics world. While it is true a majority of forensics cases revolve around suspected wrongdoing involving a computer (e.g. fraud), using computers and code as weapons themselves crosses into the realm of information warfare. Yet forensic analysts and incident response experts will have to continue to straddle both of these realms in the new millennium, as both fields continue to evolve and in many respects, converge.

I have seen the devastating results of logic bomb "detonation" up close, and I can assure everyone that carefully prepared information weapons are far more damaging than almost any

...