<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
    <title>SANS Computer Forensics and e-Discovery with Rob Lee</title>
    
    <link>http://computer-forensics.sans.org/blog</link>
    <description>SANS Computer Forensic Investigations and Incident Response Blog</description>
    <lastBuildDate>Sat, 26 May 2012 11:43:03 +0000</lastBuildDate>
    <language>en</language><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/SANSForensics" /><feedburner:info uri="sansforensics" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><title>"New version of Nmap, 60TB hard drives on the way, attacker trends, &amp; a dissected web attack "</title><link>http://feedproxy.google.com/~r/SANSForensics/~3/u87FA4Tle6E/new-version-of-nmap-60tb-hard-drives-on-the-way-attacker-trends-a-dissected-web-attack</link><comments>http://computer-forensics.sans.org/blog/2012/05/25/new-version-of-nmap-60tb-hard-drives-on-the-way-attacker-trends-a-dissected-web-attack/#comments</comments><pubDate>Fri, 25 May 2012 1:10:24 +0000</pubDate><dc:creator>Ray Strubinger</dc:creator><dc:category><![CDATA[artifact analysis]]></dc:category><dc:category><![CDATA[Case Leads]]></dc:category><dc:category><![CDATA[Evidence Acquisition]]></dc:category><dc:category><![CDATA[Memory Analysis]]></dc:category><dc:category><![CDATA[Reporting]]></dc:category><description>This week's edition of Case Leads features updates to a popular network scanning tool and another application which may be useful in gaining access to encrypted documents. We also have an article detailing a recent attack against a website and a couple of papers that look at attack trends. There's news that hard drives could approach 60TB and a report that a popular paste site will change its approach in how it manages sensitive content.
As always, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:

Nmap 6 has been released. In addition to improvements in web scanning, overall scanning speed and the scripting engine, this popular scanner now fully supports   ...&lt;img src="http://feeds.feedburner.com/~r/SANSForensics/~4/u87FA4Tle6E" height="1" width="1"/&gt;</description><wfw:commentRss>http://computer-forensics.sans.org/blog/2012/05/25/new-version-of-nmap-60tb-hard-drives-on-the-way-attacker-trends-a-dissected-web-attack/feed</wfw:commentRss><comments>0</comments><feedburner:origLink>http://computer-forensics.sans.org/blog/2012/05/25/new-version-of-nmap-60tb-hard-drives-on-the-way-attacker-trends-a-dissected-web-attack</feedburner:origLink></item><item><title>"Digital Forensic Case Leads: A Volume Shadow Copies Toolset Updated, Malware Binary Files Analysis Became Easier, Media and Mobile Forensics Analysis, And A Man Stabs His Computer!"</title><link>http://feedproxy.google.com/~r/SANSForensics/~3/IEnci7m3-Go/digital-forensic-case-leads-a-volume-shadow-copies-toolset-updated-malware-binary-files-analysis-became-easier-media-and-mobile-forensics-analysis-and-a-man-stabs-his-computer</link><comments>http://computer-forensics.sans.org/blog/2012/05/19/digital-forensic-case-leads-a-volume-shadow-copies-toolset-updated-malware-binary-files-analysis-became-easier-media-and-mobile-forensics-analysis-and-a-man-stabs-his-computer/#comments</comments><pubDate>Sat, 19 May 2012 1:59:38 +0000</pubDate><dc:creator>Mark McKinnon</dc:creator><dc:category><![CDATA[Case Leads]]></dc:category><dc:category><![CDATA[Malware Analysis]]></dc:category><description>Welcome to Digital Forensic Case Leads. A Volume Shadow Copies toolset updated with a great new ability, malware binary file analysis became easier, media and mobile forensics analysis, is your cloud data secure? Data killers, a man stabs his computer!? Mobile phone cyberthieves, the i-robot film in reality? 
All that and more, this week on Case Leads. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:
VSC toolset, a.k.a. Volume Shadow Copies toolset, has been updated, and one of the biggest changes incorporates the ability to browse shadow copies using an Explorer-like interface! That's a great feature to ease forensicators' tasks.
Anubis is a web application/service for analyzing malware. Submit your Windows executable and receive   ...&lt;img src="http://feeds.feedburner.com/~r/SANSForensics/~4/IEnci7m3-Go" height="1" width="1"/&gt;</description><wfw:commentRss>http://computer-forensics.sans.org/blog/2012/05/19/digital-forensic-case-leads-a-volume-shadow-copies-toolset-updated-malware-binary-files-analysis-became-easier-media-and-mobile-forensics-analysis-and-a-man-stabs-his-computer/feed</wfw:commentRss><comments>0</comments><feedburner:origLink>http://computer-forensics.sans.org/blog/2012/05/19/digital-forensic-case-leads-a-volume-shadow-copies-toolset-updated-malware-binary-files-analysis-became-easier-media-and-mobile-forensics-analysis-and-a-man-stabs-his-computer</feedburner:origLink></item><item><title>"Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators"</title><link>http://feedproxy.google.com/~r/SANSForensics/~3/CBHX8A4BqjI/digital-forensic-case-leads-report-from-the-forensic-expert-witness-conference-judge-viewing-cp-might-not-be-possession-mac-crypto-bug-helps-forensicators</link><comments>http://computer-forensics.sans.org/blog/2012/05/10/digital-forensic-case-leads-report-from-the-forensic-expert-witness-conference-judge-viewing-cp-might-not-be-possession-mac-crypto-bug-helps-forensicators/#comments</comments><pubDate>Thu, 10 May 2012 11:14:12 +0000</pubDate><dc:creator>Ira Victor</dc:creator><dc:category><![CDATA[Case Leads]]></dc:category><dc:category><![CDATA[Computer Forensics]]></dc:category><dc:category><![CDATA[Digital Forensic Law]]></dc:category><dc:category><![CDATA[Drive Encryption]]></dc:category><dc:category><![CDATA[Evidence Acquisition]]></dc:category><dc:category><![CDATA[Evidence Analysis]]></dc:category><dc:category><![CDATA[Incident Response]]></dc:category><dc:category><![CDATA[Linux IR]]></dc:category><dc:category><![CDATA[Malware Analysis]]></dc:category><dc:category><![CDATA[Network Forensics]]></dc:category><description>Welcome to Digital Forensics Case Leads. Another busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a forensicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using BitCoin? 
* A bevy of encryption tools * And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to "fix" the bug? If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Good Reads/Listens:
Law Enforcement   ...&lt;img src="http://feeds.feedburner.com/~r/SANSForensics/~4/CBHX8A4BqjI" height="1" width="1"/&gt;</description><wfw:commentRss>http://computer-forensics.sans.org/blog/2012/05/10/digital-forensic-case-leads-report-from-the-forensic-expert-witness-conference-judge-viewing-cp-might-not-be-possession-mac-crypto-bug-helps-forensicators/feed</wfw:commentRss><comments>0</comments><feedburner:origLink>http://computer-forensics.sans.org/blog/2012/05/10/digital-forensic-case-leads-report-from-the-forensic-expert-witness-conference-judge-viewing-cp-might-not-be-possession-mac-crypto-bug-helps-forensicators</feedburner:origLink></item><item><title>"Writing Malware Reports"</title><link>http://feedproxy.google.com/~r/SANSForensics/~3/dL04T1DZIpk/writing-malware-reports</link><comments>http://computer-forensics.sans.org/blog/2012/05/08/writing-malware-reports/#comments</comments><pubDate>Tue, 08 May 2012 9:41:29 +0000</pubDate><dc:creator>Mike Murr</dc:creator><dc:category><![CDATA[Malware Analysis]]></dc:category><dc:category><![CDATA[Reverse Engineering]]></dc:category><description>One of the more common questions that people ask in the FOR610 (reversing) class is about writing malware reports. Specifically, what should go into a malware report?
The Guiding Principle
When I get asked this question my first response is usually "well, why did you do the exam?" Besides potentially being a bit cheeky, the reason I ask this question is that it highlights the fact that malware analysis is usually done to facilitate investigations, incident response, etc. 
So the heuristic to use when deciding what to put into a malware report falls along the lines of "include whatever supports the purpose of the exam". Now that's all fine and dandy in many situations, but what if you don't know how your results will be used? Perhaps the examination is being done fairly early on in the investigation. Another common scenario is to be brought in and given a specific task (e.g. analyze this specimen) and that's all that you are told.&lt;img src="http://feeds.feedburner.com/~r/SANSForensics/~4/dL04T1DZIpk" height="1" width="1"/&gt;</description><wfw:commentRss>http://computer-forensics.sans.org/blog/2012/05/08/writing-malware-reports/feed</wfw:commentRss><comments>0</comments><feedburner:origLink>http://computer-forensics.sans.org/blog/2012/05/08/writing-malware-reports</feedburner:origLink></item><item><title>"Digital Forensic Case Leads Getting caught via metadata, A Forensic Guide to Windows 8 and the New DFIR Wall Poster."</title><link>http://feedproxy.google.com/~r/SANSForensics/~3/1yy9_N5z5vw/digital-forensic-case-leads-getting-caught-via-metadata-a-forensic-guide-to-windows-8-and-the-new-dfir-wall-poster</link><comments>http://computer-forensics.sans.org/blog/2012/05/04/digital-forensic-case-leads-getting-caught-via-metadata-a-forensic-guide-to-windows-8-and-the-new-dfir-wall-poster/#comments</comments><pubDate>Fri, 04 May 2012 5:41:06 +0000</pubDate><dc:creator>Mark McKinnon</dc:creator><dc:category><![CDATA[Computer Forensics]]></dc:category><description>This week in Case Leads: Apple's security questions, a hacker gets caught via metadata, a DFIR wall poster will be available, a guide to Windows 8 forensics, a few tools have been updated, and watching 182 superhero movies in under 5 minutes. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:
Simple Carver Suite just released version 4.7, which includes more tools to analyse and extract information from many different 
file types and utilities to assist in everyday tasks. The program can be found here.
Oxygen Software updates Oxygen Forensic Suite 2012. More information can now be mined from new applications/messengers and web browsers.
Didier Stevens has updated his TaskManager.xls   ...&lt;img src="http://feeds.feedburner.com/~r/SANSForensics/~4/1yy9_N5z5vw" height="1" width="1"/&gt;</description><wfw:commentRss>http://computer-forensics.sans.org/blog/2012/05/04/digital-forensic-case-leads-getting-caught-via-metadata-a-forensic-guide-to-windows-8-and-the-new-dfir-wall-poster/feed</wfw:commentRss><comments>0</comments><feedburner:origLink>http://computer-forensics.sans.org/blog/2012/05/04/digital-forensic-case-leads-getting-caught-via-metadata-a-forensic-guide-to-windows-8-and-the-new-dfir-wall-poster</feedburner:origLink></item></channel></rss>