SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast - Well worth the time to listen to it) made a statement which I took as an implication that files recovered from unallocated space were useless in most investigations because they lacked the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, often filesystem


PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption, which involved the use of VMware and a virtual image of the encrypted drive.

PowerShell Timestamp Manipulation

Manipulating timestamps on Unix and Linux systems is as simple as touching a file on the file system. Of course, the individual attempting to modify timestamps will need to have permissions to do so on the file(s) in question.

On Windows-based systems, changing timestamps has historically required the use of third-party tools. However, Windows 7 and Windows Server 2008 will reportedly ship with Windows PowerShell installed.

Among the many advanced capabilities of Windows PowerShell is the ability to modify three different timestamps for Windows file systems. These are the file creation time, last access time and modification time. Forensic analysts should also be familiar with the metadata change time that is updated to reflect changes in


Rapier: A Different Data Carver

By Keven Murphy

Rapier is a data carver written for Linux. It is a bit different from the other ones out there. First of all, the data carver treats the input file as a stream of data. For example, if the header/word is split across a cluster/sector boundary, Rapier doesn't see the data as divided between the clusters/sectors; instead, it ignores these boundaries. Secondly, headers and footers (footers are not 100% implemented yet) can be up to 100 bytes/characters long. Third, there are a few built-in search patterns, namely for index.dat and registry files. Like most data carvers, it doesn't review the data it carves out to see if it is good data. That part is left to the forensic examiner.

Every byte on the drive is reviewed by Rapier. I realize that this can make it run long as


Oracle Forensics: Toad from Quest Software

Here are some notes for Oracle related forensics concerning Toad from Quest Software.


The CONNECTIONS.INI file stores connection information related to previously used connections. It contains the passwords, usernames, and servers the user connected to using Toad. During a forensics review, you will find bits and pieces of this file all over unallocated space and slack space depending on how much the user used Toad.

In my experience with Oracle developers, I have found this file being traded among them, as it offers an easy way to pass connection information. Based on that, you should be able to see how easy it is for one user to obtain the credentials of another user and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the
