SANS Digital Forensics and Incident Response Blog: Tag - metadata

Tools for Analyzing Static Properties of Suspicious Files on Windows

Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables. Continue reading Tools for Analyzing Static Properties of Suspicious Files on Windows

Digital Forensics Case Leads: Your Password Is Out There, again...

Data breaches at LinkedIn, eHarmony, and exposed millions of account passwords, and probably other data that the attackers haven't made public. also a wealth of interesting new and updated tools. Among these are HexDive, SquirrelGripper, ShadowKit, and a Report Writing cheat sheet from Girl,Unallocated. Also worthy of particular note is Corey Harrell's Compromise Root Cause Analysis Model Continue reading Digital Forensics Case Leads: Your Password Is Out There, again...

Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing … Continue reading Atemporal time line analysis in digital forensics

NTFS: An Introduction

Earlier this year, a life time ago in internet years, I published a series of posts on the FAT file system. Over the next few months, I'll be publishing a similar series on NTFS. Much of the information contained in these posts will come from Brian Carrier's excellent book, File System Forensic Analysis, articles from Microsoft and other sources. Where applicable, specific sources will be cited within each blog post.

On day one of SANS Sec 508: Computer Forensics, Investigation and Response we cover the most common file systems in detail. Almost without fail, someone asks if the material is really important


Office 2007 Metadata

Metadata information from documents can be a great source of information for investigators and it's value has often been discussed before. Documents created using Microsoft Office often come up during investigations. There are several scripts and tools out there to read the proprietary binary format of Office documents created using Office 2003 and earlier versions so there is not more to add to those tools. Yet there aren't that many tools out there that can list the metadata information from the new format that Office 2007 uses, OpenXML. So I decided to examine it a bit further.

Microsoft has already published a good enough document describing the structure of OpenXML [1]. Essentially a document created in the OpenXML document format is a compressed file, using the well known ZIP