SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Google Privacy tip of the day

by Jeff Bryner

If I keep writing on Google and forensics, they'll probably re-arrange my searches someday to all return kittenwar. However, just for you I'll sacrifice my sanity to pass on a helpful tidbit about Google Toolbar.

Whether you're looking to determine information about what's in the toolbar, or looking to protect your privacy, you may be interested to know that on startup the toolbar retrieves the favicon.ico file of every site in your bookmark list.

I don't normally use it, but in deciphering some web traffic I had a hunch to work out so I tested it against XP and IE. I bookmarked two sites, rebooted and restarted IE with a blank home page. The network traffic on


Information Ordnance: Logic Bombs, Forensics, and the Tragical History of Roger Duronio

Given the ongoing investigation at Fannie Mae, it seems appropriate to start waxing philosophical a bit on some recent evolutionary changes in the digital forensics world. While it is true that a majority of forensics cases revolve around suspected wrongdoing involving a computer (e.g. fraud), using computers and code as weapons themselves crosses into the realm of information warfare. Yet forensic analysts and incident response experts will have to continue to straddle both of these realms in the new millennium, as both fields continue to evolve and, in many respects, converge.

I have seen the devastating results of logic bomb "detonation" up close, and I can assure everyone that carefully prepared information weapons are far more damaging than almost any


The Trojan solved it! Catching a fraudster with another criminal, 'myspacce.exe'

by Robert-Jan Mora


I work as a forensic investigator at Hoffmann Investigations ( in the Netherlands. Besides doing a lot of investigations our department develops open source forensic software like:


RegRipper: Ripping Registries With Ease

Harlan Carvey's RegRipper, available at, is a fantastic tool for getting data quickly out of the registry, whether you are doing it for incident response or forensics. In essence, it produces reports based upon pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

RegRipper uses plugins to extract information from the registry files. Each plugin has been written to handle the data stored in the registry key it has been set up to review. For example, plugins will decode ROT-13 encoded data and translate binary data to ASCII.

Example Screen Shot

PTK Live and Indexed keyword search

A forensic analysis tool has to be able to execute thorough keyword search operations. PTK's search tool is able to isolate the keywords searched for even in the most complex and unusual situations. It is possible to verify whether a keyword is in portions of the file system that are hard to analyze, whether this is due to chance or user intent. Here are examples of the most interesting situations:

- allocated/unallocated space
- crosses two allocated/unallocated files
- crosses consecutive sectors in a file
- crosses from a file into slack
- slack space
- crosses fragmented sectors
- resident allocated/unallocated file
- resident alternate data stream in an allocated/unallocated file/directory
- non-resident allocated/unallocated file

All these situations can further vary depending on the file system under investigation. For instance, NTFS offers features that can be used to "hide" a file, consider the

... Continue reading PTK Live and Indexed keyword search