SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows

Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies

Introduction to Shadow Timelines:

This past weekend I was upgrading the SIFT Workstation to the new version and I realized I had not used the Windows version of the Sleuthkit tools in a while. I usually demonstrate in class that many of the Sleuthkit tools can work directly against the logical partitions of a physical hard drive (e.g. \\.\C:, \\.\D:). It occurred to me that I had never tried to use the filesystem parser and timeline generator fls on a Windows Vista, Windows 7, or Windows 2008 Server Shadow Copy Volume.

We have known for some time now that you can image a Shadow Volume. I wrote a

...


Advanced Forensic Training in Asia Pacific

If you are in the Asia Pacific region, don't miss Singapore SOS October 10-18, 2011! We are bringing two of our most advanced forensics courses to the island nation. Forensics 508: Advanced Computer Forensic Analysis and Incident Response with Chad Tilbury. Master advanced incident response and computer forensics tools and techniques to investigate data breach …


Digital Forensics Case Leads: Registry and Malware Analysis Tools, Preparing to Testify, and Virtual Machine Technology on Mobile Devices

This week's edition of Case Leads features a number of new tools and updates for a few of the old standbys. We have a collection of tools designed for studying malware found on Windows or Android platforms and a couple of new applications for registry analysis. Virtual machine technology is heading for Android based devices …


UPDATED DigiNotar SSL Incident Response Report: No Logging, Weak Password, No Protected Network

On Monday evening, as the host of CyberJungleRadio, I received a copy of the then just published report that appears to be from the security firm Fox-IT, the company hired by DigiNotar to investigate the massive SSL breach. On page nine of the thirteen page report, a shocking series of security omissions are revealed: No …


Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials

This week's edition of Case Leads features a couple of tools for Windows including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from "the Cloud." We've also included a TED talk on the history of malware and we have an article on the …