SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Computer Forensic Artifacts: Windows 7 Shellbags

As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration …


Digital Forensics Case Leads: Massive eDisco Penalty, Dodd-Frank Law and Digital Forensics, It's Not Business, It's Personal

Legal and regulatory matters, and threats to law enforcement and members of the US armed forces, top this edition of Digital Case Leads. An appeals court upheld a massive penalty against a company for not properly retaining electronically stored information (ESI). If the offending party doesn't cough up over $1,000,000 in penalties, a senior exec from …


Digital Forensics Case Leads: There Is No Theme

This week in Case Leads, we feature a wide array of new tools and articles that defy classification under any particular theme. You'll find tools for forensic image processing and analysis, PDF analysis, and password cracking. News and articles include issues of law, process automation, forensic value, and incident response.


Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones

Photo forensics tops the news in this edition of Digital Case Leads. Vladimir Katalov, CEO of ElcomSoft, is interviewed about his team's discovery that the implementations of many of the digital signature systems used by Canon and Nikon are faulty. His team demonstrated that they could forge "authentic" digital photos. How many courts rely upon …


How to Extract Flash Objects from Malicious PDF Files

Authors of malicious PDF documents have often relied on JavaScript embedded in the PDF file to produce more reliable Adobe Reader exploits. The attackers now also embed Flash programs, which incorporate ActionScript, in a similar manner. This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts. We will take a brief look at using pdf-parser, PDF Stream Dumper and SWFDump for this purpose.