SANS Digital Forensics and Incident Response Blog: Category - Network Forensics

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktop, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV Satellite. Security honcho Bruce Schnier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a

...


I'm here! Now what?

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I'm the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you're bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of

... Continue reading I'm here! Now what?


Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten than out...

On behalf of all of the contributors to theSANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyonewho voted for us asBest Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit,if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please

...


Digital Forensics Case Leads: Certs and Books and Meetings - Oh My!

Tools

Good Reads:

  • Dominik Weber of Guidance Software has a very interesting writeup regarding acquisition of flash drives. The wear-leveling technology that is incorporated to extend the lifetime of flash devices can cause apparently random changes in hash values between acquisitions of the device, so it's important to take this into account. With the increasing popularity of SSD drives in computers, this will likely become increasingly important.

News:

  • Not to be outdone by Guidance Software's acquisition of Tableau, Access Data announced

...


NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from http://www.vinecorp.com/ndiff/. The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the "-b" option to select the file that is the baseline with the file to be tested using the "-o" option. The "-fmt" option selects the reporting format.

Ndiff can query the system's port states or even test for types of hosts and Operating Systems using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline ] [-o|-observed ]

[-op|-output-ports ] [-of|-output-hosts ]

... Continue reading NDIFF for incident detection