SANS Digital Forensics and Incident Response Blog: Category - FOR498: Battlefield Forensics & Data Acquisition

Kick off the new year with the industry's top CTI experts at the SANS Cyber Threat Intelligence Summit

This January, cyber threat intelligence (CTI) practitioners from around the world will gather in Arlington, Va., for the SANS DFIR Cyber Threat Intelligence Summit & Training. One of only a handful of events devoted to cyber threat intelligence and analysis, the SANS CTI Summit brings together leading experts and analysts for in-depth threat intelligence talks, …

Cloud Storage Acquisition from Endpoint Devices

Over the past several years, multiple tools have been released to enable API-based collection of cloud storage data. While this is an important capability, it has the often fatal liability that API-based collections require valid user credentials (and multi-factor authentication). An often overlooked area of cloud forensics is data and metadata stored on the local …

Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS

Digital forensics is a high-stress, high-stakes job. There are so many devices, repositories, and massive data sets, yet in most cases you have only one chance to find and properly extract the evidence that can make or break your case. The new SANS course FOR498: Battlefield Forensics & Data Acquisition is designed to provide first responders, investigators, and digital forensics teams with the advanced skills to quickly and properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories.

FOR498 is co-authored and taught by certified SANS instructors Kevin Ripa and Eric Zimmerman, both veteran cybersecurity experts who are highly regarded in the digital investigations field. With 25 years of experience in digital forensics, Kevin has assisted in complex cyber-forensics and hacking response investigations around the world. He is sought after for his expertise in information technology investigations and frequently serves as an expert witness. Kevin is president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. Eric, a former FBI Special Agent, has written more than 50 programs used by thousands of law enforcement officers in over 80 countries, and has created many world-class open-source forensic tools (EZ Tools). Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice.

Kevin and Eric decided to create FOR498 in response to growing demand from SANS students for more guidance on data acquisition. Traditionally, law enforcement officers who enrolled in SANS forensics classes already had forensics experience and a strong working knowledge of how to image a device. However, examiners outside of law enforcement are often not as familiar with imaging. In addition, data acquisition and forensics are more challenging than ever before because of the constantly increasing numbers and sizes of data sets and the more complex nature of acquiring evidence from so many different types of devices and repositories. With any given hard drive, forensicators might have to deal with 1, 2, or even 4 terabytes of data, and traditional ways to get at those data are no longer tenable.

As Kevin points out in a webinar about FOR498, attacks require not only a thorough investigation but also one that produces evidence quickly. Take, for example, the Las Vegas mass shooting in October 2017, the deadliest in modern U.S. history. Investigators got to work right away, especially since there were concerns about possible accomplices who might have fled the scene. At the same time, investigators had to work thoroughly to try to determine the shooter's motives, including documenting his Internet search history and examining all computers and cell phones tied to the case. Of note, it was reported that a hard drive in a laptop found in the shooter's hotel room was missing, and that the shooter had purchased software designed to erase files from hard drives.

Countdown to DFIRCON 2019!

At this year's annual DFIRCON 2019, one of the industry's most unique Digital Forensics and Incident Response (DFIR) training events, you'll train, network and battle with the best. Join us in Coral Gables, Fla., Nov. 4 - Nov. 9, to level up your DFIR skills, get in on the latest in research and technology, and …