SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics and Incident Response Blog

DFIR Hero -- Cindy Murphy Interview

MurphyCindy Murphyis teaching our Advanced Smartphone Forensics Course in SANS Boston in August 2015. Sign up now to take this course with Cindy. We interviewed Cindy so you can get to know her a bit better. Cindy's real world experience working in law enforcement and cyber security communities combined with her unending knowledge of smartphone forensics (and almost everything else) makes her one of the best and most sought after speakers in the entire


How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how.

New Windows Forensics Evidence of Poster Released


Link for new poster ->

The "Evidence of..." categories were originally created by SANS Digital Forensics and Incidence Response faculty for the SANS course FOR408: Windows Forensics. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations.

Proper digital forensic and incident response analysis is essential to successfully solving today's complex cases.


ESE Databases are Dirty!

With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored. The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven "JET Blue" Extensible Storage Engine (ESE) database format. While many forensic examiners have remained blissfully unaware of the ESE format, it has been increasingly used throughout Microsoft products for Exchange, NTDS.DIT, the Windows search database, Windows Live Messenger contacts, and Internet Explorer (IE). With the introduction of an enterprise-grade database hosting network artifacts, it is now time for every Windows investigator to understand how the database works and what data they may be missing. Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database including files opened on the local system, network shares, and removable devices. It may also hold evidence of


DFIR Hero -- David Cowen Interview


David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015. Sign up now to take this course with David. We interviewed David so you can get to know him a bit better -- he is one of the best in the industry. A leader. An astonishing analyst and visionary. He is our current DFIR Hero.

1. Who are you? What is your homepage?