Channel: nibble on dav nads
Browsing all 33 articles

Don't go fishing for server data.. Just ask Dav Nads!!!

No one likes to go fishing for data, so this is the basic list of information I request from IT administrators before I start cutting data!! If you don't get answers, check out this secret military...


Exchange 2007 Collections ....ugggh!

Once upon a time, DAV NADS was collecting mailboxes from a 64-bit Exchange 2007 server environment (LOL!). I wanted to take a moment to highlight a few things I learned that I hope you may find...


GroupWise .. Who the F#$% knew this...??!!

I was out and about doing some "Live" GroupWise E-mail collections. For the living sake of me, I could not figure out how the #$% to "log out" of one user's mailbox and log into another, from the client...


Dav Nads & USB protection

The Windows operating system has a Registry setting that can add USB write protection to a computer system. It is like a switch that can be enabled to make use of the write protection or disabled to...


Dav Nads gets Certified!!

I have always been eager to learn and challenge myself to further develop intellectually.  Over the last 3 months, I challenged myself to obtain 3 professional certifications. Dav Nads is now EnCE,...


DAV NADS @ CEIC IN VEGAS!!!

Dav Nads is tweeting from the CEIC conference in Las Vegas this week!! Holla @ me if you're reading and check back for updates!!


Incident Response Questions

The next time your network gets p'owned don't choke your suspects with USB cables, just ask the same questions Dav Nads would! Understand the Nature of the Incident’s Background 1. What is the nature...


MacBook Air Fun

I had a small window of time the other day to image an Apple Macbook Air. It was like “my first time” so I felt it would be appropriate to do a little research about “how to turn it on” and “what...


FTK Imager (for OS X) to the Rescue

So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop and you’re losing; · Your favorite Linux distribution disk won’t boot, · You...


cHECK oUT Microsoft’s Audit Object Access Policy for Forensic Evidence!

Let's say client XYZ maintains sensitive budget information within a select folder on one particular Windows fileserver. When originally created, the folder was restricted to specific AD users. At some...


Basic Groundwork for cmd line Scripting Computer Forensic Tasks + VIDEO BONUS

Watch the video tutorial that I created for our internal team to see this in action and how it works: http://dl.dropbox.com/u/27705041/final%20bat%20with%20redact.wmv Task: 50 hard drives, Windows XP,...


Dear Dav Nads, help me make some folders

yoGirl: Davnads, you put the "sic" in forensic bc you got skillz.
Davnads: dat rite
yoGirl: I'm trying to stage some data on my network for an eDiscovery engagement that I need to process using the...


Debian GNU/Linux Postfix Server Incident - p'owned?

Reason to believe a server was compromised and it's a physical Debian GNU/Linux mail server in a production environment? ..Sounds like fun! Below is a short list of items to consider when responding to...


Reminiscing about my CEIC 2010 video competition entry

In 2010, Guidance Software hosted a video competition for 2 free passes to their CEIC conference. We did not win because apparently it was not appropriate. I still went anyways, but reminiscing about...


Intellectual Property (IP) Theft and Technology 1o1o1o1

I'm working on a paper on High Tech Intellectual Property Theft so I thought I would share some food for thought! According to Wikipedia (whatev that's worth), Intellectual Property (IP) is a term...


Extending Reg Ripper, again.

A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro,...


Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

Check out my article on SANS about cheating timeline with log2timeline. Digital Forensics SIFT'ing: Cheating Timelines with log2timeline


Article 7

Thank you to all of my #DFIR followers. Hope everyone had a great New Years. Let 2012 bring many dongles, matching hashes, and cold blowing CPU fans to everyone! -DAV NADS


Timeline Analysis: The Hybrid Approach

Harlan Carvey recently blogged about approaches to conduct Timeline Analysis: "So, anyway...I've been thinking about some of the things that I put into pretty much all of my timeline analysis...


Dav Nads was Nominated!!

Sorry for the lack of log posts biatches but Dav Nads has been busy wrangling APT hackers and getting nominated for writing "best digital forensic article of year" by the digital forensic incident...
