
EMC Forensics posted on 2010-02-12

I have a new paper on EMC Storage Area Network Forensics, or EMC SAN Forensics for short. It mainly covers the topic of acquisition and the considerations specific to an EMC SAN environment. Much of the information is certainly applicable to non-EMC environments as well, including overall process and approach considerations.


Memory Acquisition of Windows Machines posted on 2006-03-13

I have relied on dd.exe to perform dumps of memory on Windows-based machines for quite some time now. It is handy, and requires no prerequisite packages on the machine. However, I learned today that Windows 2003 SP1 and up (Vista, etc.) no longer supports user-mode access to the \Device\PhysicalMemory object. More on this can be found here: http://technet2.microsoft.com/WindowsServer/en/Library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx


Intro to The Sleuth Kit (TSK) Paper Now Available posted on 2005-09-02

My new whitepaper on The Sleuth Kit provides an overview of this wonderful, and free, UNIX package of command-line file system and media management tools from Brian Carrier. Full source code is available, providing complete transparency, which is (arguably) much better within a legal setting. Feedback thus far on the paper has been quite positive, so thank you!


Beginners Guide to Linux Forensics posted on 2005-07-21

I have posted my latest paper, a Beginners Guide to Linux Forensics. The document assumes a fundamental understanding of installing and using Linux, and focuses on command-line tools. Basic concepts covered include imaging, hashing, file headers, and basic analysis.
