SANS Digital Forensics and Incident Response Blog: Tag - linking fields

Using a Database as a Forensics Tool - Part 2 of 2

In my first post...

I discussed the value of importing discovered flat files into a database in order to analyze them for the legal team. I showed two files of mock data based on an actual case in which we were able to tie together related fields of NPI/PII data to determine what the malicious user had stolen. We also discussed the need for legal to know which persons lost data and what type of data was exposed for each individual. Lawyers always want details!

In this post I will discuss the import procedure for Microsoft Access and some



Using a Database as a Forensics Tool - Part 1 of 2

What do you do when your computer forensic tool of choice (Autopsy, EnCase, FTK, etc.) helps you find, say, 40 million data records containing credit card numbers, dates of birth, SSNs, checking account numbers or similar non-public personal information (NPI)? What if those data are in flat files created by an employee who pulled them from some data source belonging to your organization? What next?

Simulation of "discovered" flat files patterned after an actual case

Query from table 1