SANS Digital Forensics and Incident Response Blog: Category - Linux IR

Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators

Welcome to Digital Forensics Case Leads. Another a busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on … Continue reading Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators


Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id, uid and gid respectively, showing the file's owner and group. On most *nix systems files in system directories are uid and gid root, which is represented by the numeric uid and gid value of 0, see the sample listing below: … Continue reading Digital Forensics: UID and GID distributions


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge … Continue reading Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline


Outlier analysis in digital forensics

In my previous post, Atemporal time line analysis in digital forensics, I talked about using the inodes of a known piece of attacker code as a pivot point to discover previously unknown attacker code on a system. In this post, I want to point out another interesting thing about these inodes. Recall that I'm using … Continue reading Outlier analysis in digital forensics


Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones

Photo forensics tops the news in this edition of Digital Case Leads. Valdimir Katalov, CEO of ElcomSoft is interviewed about his team's discovery that the implementation of many of the digital signature systems used by Canon and Nikon are faulty. His team demonstrated that they could forge "authentic" digital photos. How many courts rely upon … Continue reading Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones