UPDATE:  This promotion has ended, but there is a new promotion offering a free 11″ MacBook Air!  The promotion link is the same.

Just in time for Christmas, get a quad-core Dell 15” laptop when you sign up for SANS vLive.  If you have end-of-year funds left, vLive is a fantastic way to take a SANS class.  I will be teaching SANS Forensics 508: Advanced Forensics and Incident Response for 6 weeks starting November 1st, 2011 (don’t worry, we will be skipping Thanksgiving).  Course information link.


“Companies should not be behaving like supercookie monsters, gobbling up personal, sensitive information without users’ knowledge.”

– Ed Markey, Co-Chairman of the US House Bi-Partisan Privacy Caucus, calling for an FTC investigation into the increasing use of “supercookies”.

http://markey.house.gov/index.php?option=content&task=view&id=4527&Itemid=125

FTC Asked to Investigate Supercookies

Note: This post originally appeared on the SANS Forensics blog

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity.   One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design.   One such feature is the Windows NTFS Index Attribute, also known as the $I30 file.  Knowing how to parse $I30 attributes provides a fantastic means to identify deleted files, including those that have been wiped or overwritten.


How big is a Zettabyte?

“The computer that allowed us to stare in wonder at the world has allowed the world to stare pitilessly back at us.”

Paul Theroux from How Apple Revolutionized Our World

How Apple Revolutionized Our World

Since I do a lot of teaching, I make a point of keeping tabs on the latest job trends in digital forensics.   I like to be versed in what qualifications, experience, and certifications are most important to employers.  Hence when recruiters call, I pick their brains and often try to help them find a good candidate.  I was recently contacted regarding an intriguing job.  The job title is Director of Content Authenticity and it is a digital forensics role that I hadn’t previously considered.


“$I30 (NTFS INDEX Attribute) parser from @ http://t.co/sShGNgE <- Awesome!”

– Chad Tilbury (@chadtilbury)

“The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it” 

– Samy Kamkar   http://cnet.co/qail1o

Windows Mobile Geolocation Collection

Consortium for Digital Forensic Specialists

August was a busy month for CDFS, with the official launch, introduction of the website, and open membership enrollment.  Membership is growing fast and, if the mailing list is any indication, the organization is already working to support the digital forensics field.   Why should you care?  Here is what a student of mine from Texas had to go through just to have the privilege of continuing to practice forensics.

As most of you are aware, multiple states have enacted legislation to require private investigator licenses for those conducting digital forensics.  My colleague had a successful, long-standing forensics practice in Texas performing data recovery and forensic investigations.

I have been using F-Response Tactical lately and wanted to share some of my thoughts.  When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases.  I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms.  These tools are largely agent based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis.  F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post.

F-Response Tactical takes a different approach.  It uses a paired set of dongles instead of agents.  While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use.  To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network.  The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject.  Once connected, you have full access to all physical disks, volumes, and memory on the Subject system.  Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points.  These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.

Live Response Applications
