Thursday, August 26, 2010

Intro to Report Writing for Digital Forensics

So you’ve just completed your forensic examination and found that forensic gem or smoking gun in your case; how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery), you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report...

Thursday, August 12, 2010

> 140 characters & 4cast plug

I've neglected my duties to the blog readers recently. I've been very busy with training, research items, and a digital forensic project, so I haven't had much time recently to update the blog. I'm currently working on a SANS blog post and that should be complete very soon and will be posted here as well.
This Sunday, August 15, 2010 @ 3pm Eastern, please show your support for the Forensic 4cast, which will be LIVE! Yes, LIVE! Lee Whitfield of Forensic 4cast is working really hard to make this a great event, so what can you do? Visit this Sunday, August 15, 2010 @ 3:00pm Eastern. Lee has a forensic guru lined up and I'm sure other great stuff set up for the LIVE show! You can watch the podcast live here! Follow @4cast on Twitter for the latest show information.

Tuesday, August 3, 2010

Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to add this tool to your forensic toolkit. This post is part of a series and will introduce the functionality of IEF v3.3. You can download the most recent version (v3.5.1 at the time of this article) from Just a brief recap of what IEF will search for on a mounted drive/folder: Facebook chat, Yahoo! chat (IEF must have the chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, Hotmail webmail fragments, Yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

Author's Note: In Part III of this series we will take a closer look at the artifacts that IEF is reporting and what we can do to validate our findings.