SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing … Continue reading Atemporal time line analysis in digital forensics


OSX Lion User Interface Preservation Analysis

Recently I've updated to OS X Lion (10.7) and started testing my incident response scripts on the system. I started looking through new default folders created for users and ran across a folder called "Saved Application State." I began researching this folder and determined that it's used to store settings for a new feature called … Continue reading OSX Lion User Interface Preservation Analysis


High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies

The 25th High Technology Investigators Conference was held last week near Palm Springs California last week. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA drawing thousands. It's more difficult to really get to know one's colleagues at those … Continue reading High Tech Crime Investigators Conference 2011 Report, Anonymous Promises Retaliation, DigiNotar Dies


Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows

Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies

Introduction to Shadow Timelines:

This past weekend I was upgrading the SIFT Workstation to the new version and I realized I had not used the Windows version of the Sleuthkit tools in awhile. I usually demonstrate in class that many of the sleuthkit tools can work directly against the logical partitions of a Physical Hard Drive (e.g. \\.\\C:, \\.\\D:). It occurred to me that I had never tried to use the filesystem parser and timeline generator fls on a Windows Vista, Windows 7, or Windows 2008 Server ShadowCopyVolume.

We have known for some time now that you can image a Shadow Volume. I wrote a

...


Advanced Forensic Training in Asia Pacific

If you are in the Asia Pacific region, don't miss Singapore SOS October 10-18, 2011! We are bringing two of our most advanced forensics courses to the island nation. Forensics 508: Advanced Computer Forensic Analysis and Incident Response with Chad Tilbury Master advanced incident response and computer forensics tools and techniques to investigate data breach … Continue reading Advanced Forensic Training in Asia Pacific