SANS Digital Forensics and Incident Response Blog

Mass Triage Part 5: Processing Returned Files - Amcache

Mass Triage Part 4: Processing Returned Files - AppCache/Shimcache

Parsing Sysmon Events for IR Indicators

Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS

Digital forensics is a high-stress, high-stakes job. There are so many devices, repositories, and massive data sets, yet in most cases you have only one chance to find and properly extract the evidence that can make or break your case. The new SANS new courseFOR498: Battlefield Forensics & Data Acquisitionis designed to provide first responders, investigators, and digital forensics teams with the advanced skills to quickly and properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories.

FOR498 is co-authored and taught by certified SANS instructorsKevin RipaandEric Zimmerman, both veteran cybersecurity experts who are highly regarded in the digital investigations field. With 25 years of experience in digital forensics, Kevin has assisted in complex cyber-forensics and hacking response investigations around the world. He is sought after for his expertise in information technology investigations and frequently serves as an expert witness. Keven is president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. Eric, a former FBI Special Agent, has written more than 50 programs used by thousands of law enforcement officers in over 80 countries, and has created many world-classopen-source forensic tools (EZ Tools). Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice.

Kevin and Eric decided to create FOR498 in response to growing demand from SANS students for more guidance on data acquisition. Traditionally, law enforcement officers who enrolled in SANS forensics classes already had forensics experience and a strong working knowledge of how to image a device. However, examiners outside of law enforcement are often not as familiar with imaging. In addition, data acquisition and forensics are more challenging than ever before because of the constantly increasing numbers and sizes of data sets and the more complex nature of acquiring evidence from so many different types of devices and repositories. With any given hard drive, forensicators might have to deal with 1, 2, or even 4 terabytes of data, and traditional ways to get at those data are no longer tenable.

As Kevin points out in awebinar about FOR498, attacks require not only a thorough investigation but also one that produces evidence quickly. Take, for example, the Las Vegas mass shooting in October 2017, the deadliest in modern U.S. history. Investigators got to work right away, especially since there were concerns about possible accomplices who might have fled the scene. At the same time, investigators had to work thoroughly to try and determine the shooter's motives, including documenting his Internet search history and examining all computers and cell phones tied to the case. Of note, it was reported that a hard drive in a laptop found in the shooter's hotel room was missing, and that the shooter had purchased software designed to erase files from hard drives.

iOS Location Mapping with APOLLO Part 2: Cellular and Wi-Fi Data (locationd)

Myprevious articleshowed a new capability ofAPOLLOwith KMZ location file support. It worked great''for routined data, but there was something missing. What about the cellular and Wi-Fi locations that are stored in databases? Well, turns out I need to test better. I fixed the locationd modules to have the activity as "Location" versus "LOCATION". Case sensitivity is apparently thing in Python''my bad. '''''

I should also mention with the fixes, my total location data points for a iOS 12.1.1 device jumped to ~57,000! I should note this is not inclusive of workout locations. Those are a bit different as they are stored as separate records, one for latitude and one for longitude. In the future I might attempt to pair these up for KMZ support.