SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Digital Forensics Case Leads: New versions of Bulk_extractor and FTK, new blogs on malware and forensics, and lost flash drives

In this week's edition of Case Leads we have updates to a couple of tools, Bulk_extractor and FTK as well as two new blogs featuring malware analysis and digital forensics tutorials. If you have an item you'd like to contribute toDigital Forensics CaseLeads, please send it to caseleads@sans.org. Tools: A new version of Bulk_extractor has … Continue reading Digital Forensics Case Leads: New versions of Bulk_extractor and FTK, new blogs on malware and forensics, and lost flash drives


Digital Forensics Case Leads: The New Forensics, The CyberMilitia and Bill Gates Gets Behind Open Source?

Case Leads is loaded for bear this week, after a week's break. Here is some of what you will find: * Are you ready for "The New Forensics"? If not, you might be left in the dust at trial. * What if the good guys adopted the organizing techniques of Anonymous? That's the goal behind … Continue reading Digital Forensics Case Leads: The New Forensics, The CyberMilitia and Bill Gates Gets Behind Open Source?


Digital Forensics Case Leads: New version of REMnux, tools for imaging iPhone and Android devices, and a list of "Best Reads" from 2011

This week's edition of Case Leads features a new version of REMnux for malware analysis and we have two tools for collecting forensic images from iPhone and Android devices. We also have a couple of articles on Android memory analysis and the use of Open Source digital forensics tools to validate commercial tools. As always, … Continue reading Digital Forensics Case Leads: New version of REMnux, tools for imaging iPhone and Android devices, and a list of "Best Reads" from 2011


Metadata distributions in Computer Forensics

After my previous post, on using uid and gid distributions to spot malicious code on *nix file systems, I took to working on some code to convert *nix "modes" (The Sleuth Kit bodyfile refers to file type and permission information as mode) from fls bodyfiles to their octal representations and then to calculate averages and … Continue reading Metadata distributions in Computer Forensics


Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id, uid and gid respectively, showing the file's owner and group. On most *nix systems files in system directories are uid and gid root, which is represented by the numeric uid and gid value of 0, see the sample listing below: … Continue reading Digital Forensics: UID and GID distributions