
Digital Forensics - Artifacts of Interactive Sessions


In this article I would like to go over some of the digital forensic artifacts that are likely to be useful on your quest to find answers to investigative questions. Especially, when conducting digital forensics and incident response on security incidents where you know the attacker performed their actions while logged in interactively to a Microsoft Windows system. Normally, one of the first things I look at is the Windows Event logs. When properly configured they are a treasure trove of informa...

Nov. 23, 2017 0 comments countuponsecurity.com Detection & Response

SkypeFreak: A Cross-Platform Skype Forensic tool

by Osanda Jayathissa

This is a small tool that can be used to investigate Skype user accounts stored in your PC. First of all, let’s learn how to investigate data manually. This is a very easy to understand article. I hope you have a basic understanding of SQL. All the data is stored in the main.db file related to each user in separate folders.

Oct. 8, 2017 0 comments INFOSEC Institute Detection & Response

Forensic Investigators- What They Are and Who Should Use Them

by Brett Pladna

This paper will try to demonstrate the importance of computer forensics by describing procedures, tools and differences in their use for individuals/small organizations vs. large organizations. The procedures described deal with how to collect evidence and the laws that need to be followed for admission of evidence into a court room. The tools used are the basis for all tools that are available. Tools include backing up data, authentication, decryption, file auditing, IP tracking, and data rec...

Oct. 2, 2017 1 comment Infosecwriters Detection & Response

Digital Forensics, Part 9: Extracting EXIF Data from Graphics Files

In many cases when a computer, phone, or mobile device is seized for evidence, the system will have graphic images that might be used as evidence. Obviously, in some cases these graphic images may be the evidence such as in child pornography cases. In other situations, the graphic images may tell us something about where and when the suspect was somewhere specific. Most digital devices "stamp" information on these graphic images that can tell us a lot about the who, what, when, and where ...

Sept. 30, 2017 1 comment hackers-arise.com Detection & Response

Building Network Infrastructure Focusing on its Forensic Capability

by Nik Alleyne

The number of computer-related security incidents continues to grow yearly, resulting in the need to ensure network infrastructures are built to be forensically capable. During the period January 2011 to December 2015, the number of reported computer security incidents grew over this four-year period from 1,281 to 3,930. Similar to the increased number of reported computer security incidents was the increased number of exposed records. During this same period, the number of exposed re...

Sept. 30, 2017 2 comments 20 minute read Apps & Hardening

Notes On Vista Forensics, Part Two

by Jamie Morris

In part one of this series we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In this article we will look at the user and system features of Vista which may (or may not) present new challenges for investigators and discuss the use of Vista itself as a platform for forensic analysis.

Sept. 25, 2017 1 comment Symantec Apps & Hardening

Notes On Vista Forensics, Part One

by Jamie Morris

At the time of writing, Vista is a very new product for almost all businesses and consumers and its features lie waiting to be fully discovered. In fact, the impact of Vista will not be determined solely through its technological offerings but also by the way in which it shapes users' patterns of behaviour. This article, the first in a two-part series, takes a high level look at what we know now about those changes in Vista which seem likely to have the most impact on computer forensic inv...

Sept. 25, 2017 1 comment Symantec Apps & Hardening

Web Browser Forensics, Part 2

by Keith J. Jones, Rohyt Belani

Welcome to part two of the Web Browser Forensics series. In part one, we began investigating the intrusion of the Docustodian document management server hosting a law firm's data. The server appeared to have been compromised by a group of hackers who were using it as a repository for their MP3s, MPEGs, and pirated software. In part two we now set out to determine who used Joe's machine while he was on vacation. We will proceed by examining further investigative leads that involve performing a...

Sept. 25, 2017 1 comment Symantec Detection & Response

Web Browser Forensics, Part 1

by Keith J. Jones, Rohyt Belani

Electronic evidence has often shaped the outcome of high-profile civil lawsuits and criminal investigations, ranging from theft of intellectual property and insider trading that violates SEC regulations to proving employee misconduct resulting in termination of employment under unfavorable circumstances. Critical electronic evidence is often found in the suspect's web browsing history in the form of received emails, sites visited and attempted Internet searches. This two-part article presents...

Sept. 25, 2017 1 comment Symantec Detection & Response

A Method for Forensic Previews

by Timothy E. Wright

One of your systems administrators pokes his head in your office door. "The print spooler machine may have been compromised. Can you help me take a look? Some odd files have appeared -- that's all we know right now." Your pulse steps up a few beats: you told Operations on more than one occasion that they should address the availability issues faced by critical servers. The print spooler was one of those servers. If it is hacked, it will have to be taken out of production, and there will be se...

Sept. 25, 2017 1 comment Symantec Encryption & Authentication

Forensic Analysis of a Live Linux System, Pt. 2

by Mariusz Burdach

Last month, in the first part of this article series, we discussed some of the preparation and steps that must be taken when analyzing a live Linux system that has been compromised. Now we'll continue our analysis by looking for malicious code on the running system, and then discuss some of the searches that can be done with the data once it has been transferred to our remote host.

Sept. 25, 2017 1 comment Symantec

Forensic Analysis of a Live Linux System, Pt. 1

by Mariusz Burdach

During the incident response process we often come across a situation where a compromised system wasn't powered off by a user or administrator. This is a great opportunity to acquire much valuable information, which is irretrievably lost after powering off. I'm referring to things such as: running processes, open TCP/UDP ports, program images which are deleted but still running in main memory, the contents of buffers, queues of connection requests, established connections and modules loaded i...

Sept. 25, 2017 1 comment Symantec Detection & Response

Windows Forensics: A Case Study, Part 1

by Stephen Barish

It's a security person's worst nightmare. You've just inherited a large, diverse enterprise with relatively few security controls when something happens. We all try to detect malicious activity at the perimeter of the network by monitoring our intrusion detection systems, and watching attackers bang futilely on our firewall. Even those attackers tricky enough to slip through the firewall bounce harmlessly off our highly secured servers, and trip alarms off throughout the network as they attem...

Sept. 24, 2017 0 comments Symantec Detection & Response

Forensics on the Windows Platform, Part Two

by Jamie Morris

This is the second of a two-part series of articles discussing the use of computer forensics in the examination of Windows-based computers. In Part One we discussed the wider legal issues raised by computer forensics and the benefits of pre-investigation preparation. In this article we will concentrate on the areas of a Windows file system that are likely to be of most interest to forensic investigators and the software tools that can be used to carry out an investigation.

Sept. 24, 2017 1 comment Symantec

Forensics on the Windows Platform, Part One

by Jamie Morris

Forensic examination of computer systems is commonly carried out by trained investigators using specialist hardware and software. The popularity of the Windows operating systems on both desktops and servers has made it a common source of evidence for such investigators. As a result, the range of tools available that can be used to analyze the Windows platform continues to grow. However, true forensic examination of a computer (i.e. where there may be a requirement to produce evidence in a cou...

Sept. 24, 2017 1 comment Symantec

Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis

by T.J. OConnor

Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed if only you had a tool tha...

Sept. 1, 2017 0 comments SANS Institute

Integrating Forensic Investigation Methodology into eDiscovery

by Colin Chisholm

The intent of this paper is twofold: to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools...

Sept. 1, 2017 0 comments SANS Institute

A Forensic Primer for Usenet Evidence

by Mark Lachniet

This document is intended to provide an overview of the Usenet on the Internet, including the NNTP protocol and types of evidence of Usenet abuse that may be present on permanent storage devices such as hard disks and flash drives. A cursory review of the Usenet shows that the Usenet is frequently used as a means of anonymously transmitting and receiving digital content including pirated software, intellectual property such as movies and music, and possibly even child pornography. Due to this fact,...

Sept. 1, 2017 0 comments SANS Institute Detection & Response

Remotely Accessing Sensitive Resources

by Jason Ragland

Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email...

Sept. 1, 2017 0 comments SANS Institute

Reverse Engineering the Microsoft exFAT File System

by Robert Shullich

As technology pushes the limits of removable media, so grows the need for a new file system to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT), which has been made available on its newer operating systems and which will be supported on the new secure digital extended capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft, and little has ...

Sept. 1, 2017 0 comments SANS Institute
