SANS Digital Forensics and Incident Response Blog: Category - Linux IR

Digital Forensics Case Leads: Capturing Mac Memory, the Shifting Threat Landscape, Forensics Tool Updates, and Zero Day: A Novel

This week's edition of Case Leads features new and updated forensics tools, a report on changes in attack patterns, a novel from what may seem like an unlikely source and thoughts on timestamp manipulations. The ability to create a memory image on OS X has been lacking until now. A recently released report suggests that …

Digital Forensics Case Leads: Free tools, Treasure Hunts, Drive-by Attacks and Spying

This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Earlier this month AccessData released a new version of their popular (and free) utility, FTK Imager. Version 3 has a number of useful features, such as the ability to boot forensic images in VMware and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG


How To - Digital Forensic Imaging In VMware ESXi

Paul A. Henry

As a follow-up to my recent SANS Forensic Blog post "How To - Digital Forensics Copying A VMware VMDK", which provided insight into making a "GUI tool" based copy of a VMware VMDK, I have put together a How To that addresses creating a forensically sound image of a VMware VMDK on the ESXi console, one that can provide the "chain of custody" needed in a digital forensics investigation.

Important note: In the simplest of terms, a VMDK is an abstraction of a physical disk for a VM, contained within a file (VMDK-flat). We are making a bit by bit


How To - Digital Forensics Copying A VMware VMDK

Having recently seen a number of requests on the security and forensic list servers that I participate in for recommendations and procedures for copying the disk (VMDK) of a specific Virtual Machine (VM) within a VMware environment for analysis during an incident response, I put together a quick How To in an effort to provide some insight into a few of the methods that I have used.

The Game Has Clearly Changed With Virtualization

Most often the files associated with a given VM are not stored locally on the physical server running ESX or ESXi and the respective VM. It is important to understand that in order to use many of the more powerful features of VMware, such as vMotion and DRS, the files for the VMs must reside on shared storage that is reachable from each ESX or ESXi server that needs to interact with them. Hence, when


Computer Forensics: Armor For Your Feet

Hal Pomeranz, Deer Run Associates

As forensic professionals we take a great deal of care when acquiring and analyzing evidence. Write blockers, checksumming, working copies: these are part of everybody's standard policies and help to prevent corruption of our digital evidence. However, beyond spoiling your original evidence, there are still various mistakes you can make that won't ruin your case but will cost you time and increase your frustration level. In this article I'm going to demonstrate a couple of different ways you can shoot yourself in the foot when doing forensics on the Unix command line (e.g., in the SIFT workstation) and some easy ways to prevent these mistakes.

Output Redirection is Your Friend... Until It Isn't

Let's say you