SANS Digital Forensics and Incident Response Blog: Category - Network Forensics

I'm here! Now what?

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I'm the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you're bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of

... Continue reading I'm here! Now what?


Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten that out...

On behalf of all of the contributors to the SANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyone who voted for us as Best Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please

...


Digital Forensics Case Leads: Certs and Books and Meetings - Oh My!

Tools

Good Reads:

  • Dominik Weber of Guidance Software has a very interesting writeup regarding acquisition of flash drives. The wear-leveling technology that is incorporated to extend the lifetime of flash devices can cause apparently random changes in hash values between acquisitions of the device, so it's important to take this into account. With the increasing popularity of SSD drives in computers, this will likely become increasingly important.

News:

  • Not to be outdone by Guidance Software's acquisition of Tableau, Access Data announced

...


NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that compares nmap output files to identify the differences, or changes, that have occurred in your environment between two scans. Ndiff can be downloaded from http://www.vinecorp.com/ndiff/. The application requires that Perl is installed in addition to nmap. The fundamental use of ndiff is comparing a baseline scan against a later scan: the "-b" option selects the baseline file, the "-o" option selects the file to be tested (the newly observed scan), and the "-fmt" option selects the reporting format. For the comparison to be meaningful, the baseline should be captured from a known-good state, and the later scan should be run with the same nmap options (same targets, port ranges and scan type); otherwise the reported differences reflect the scan parameters rather than changes on the network.

Ndiff can report on changes in port states, or on host-level changes such as hosts appearing or disappearing and operating system guesses changing, using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline ] [-o|-observed ]
      [-op|-output-ports ] [-of|-output-hosts ]
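To make the baseline-versus-observed comparison concrete, here is an added example that re-implements the core of what ndiff does over nmap's grepable (-oG) output: it parses two scans and reports hosts that appeared or vanished and ports whose state changed. This is illustration code written for this page, not ndiff's own source; the two scans embedded in it are constructed sample output, not real captures, and the host names and addresses are made up.

```python
"""Compare two nmap grepable (-oG) scans and report what changed.

Added example for this page, not ndiff's own code.  Both scans below
are constructed sample output, not real captures.
"""

# Constructed baseline scan: the known-good state of a small subnet.
BASELINE = """# Nmap 5.21 scan initiated (constructed sample)
Host: 192.168.1.1 (gw)\tStatus: Up
Host: 192.168.1.1 (gw)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed observed scan: the gateway grew a telnet listener, the
# fileserver's SMB port is now filtered, and an unknown host appeared.
OBSERVED = """# Nmap 5.21 scan initiated (constructed sample)
Host: 192.168.1.1 (gw)\tStatus: Up
Host: 192.168.1.1 (gw)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 4444/open/tcp//krb524///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap -oG output.

    -oG writes one tab-separated line per host per record type; the
    "Ports:" field lists entries of the form
    port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 192.168.1.1 (gw)" -> address
        hosts.setdefault(host, {})            # "Status: Up" lines register the host
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                port, state, proto = entry.split("/")[:3]
                hosts[host][(int(port), proto)] = state
    return hosts


def diff_scans(baseline_text, observed_text):
    """Mirror ndiff's baseline/observed comparison.

    Returns new and missing hosts plus a list of
    (host, port, proto, state_before, state_after) tuples; a port that is
    absent from one scan's port list is reported with state "absent".
    """
    base = parse_grepable(baseline_text)
    obs = parse_grepable(observed_text)
    result = {
        "new_hosts": sorted(set(obs) - set(base)),
        "missing_hosts": sorted(set(base) - set(obs)),
        "port_changes": [],
    }
    for host in sorted(set(base) & set(obs)):
        for port, proto in sorted(set(base[host]) | set(obs[host])):
            before = base[host].get((port, proto), "absent")
            after = obs[host].get((port, proto), "absent")
            if before != after:
                result["port_changes"].append((host, port, proto, before, after))
    return result


def format_report(result):
    """Render the diff as one line per change, in the spirit of ndiff's output."""
    lines = [f"+ host {h}" for h in result["new_hosts"]]
    lines += [f"- host {h}" for h in result["missing_hosts"]]
    lines += [f"~ {h} {p}/{pr}: {b} -> {a}" for h, p, pr, b, a in result["port_changes"]]
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(format_report(diff_scans(BASELINE, OBSERVED)))
```

To use this against real data, run nmap with identical options for both scans and save grepable output with -oG (for example -oG baseline.gnmap and -oG today.gnmap), then feed the two files' contents to diff_scans. Note that a port absent from the port list is not the same as a port proven closed: nmap folds the most common state into the "Ignored State" summary, so "absent" should be read together with that field before concluding a service was removed.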

... Continue reading NDIFF for incident detection


Digital SANS Forensics and IR Summit 2010: Network Forensics Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

Network Forensics Panel

Panelists will discuss the challenges of properly collecting and analyzing network-based evidence, which is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the

...