First responders must be made fully aware of the significance of digital evidence and the role it may play when an investigation results in criminal proceedings. They should be trained to understand the basic forensic and procedural principles that must be applied.

By Don Penven

Analysts often avoid asking questions for fear of "looking stupid." There's not one of us that knows everything, and regardless of what your individual perception may be, no one expects you to know everything. As I see it, the question becomes, do you continue into the future not knowing something, or do you ask someone and at the least get a leg up on fully discovering the answer?

By Harlan Carvey

While there are plenty of elusive hackers that will forever manage to outrun the law, the good guys scored some impressive arrests, indictments, and convictions in 2011. Here are some of the highest profile cases to hit the headlines this year.

By Ericka Chickowski

The registry keys and values used by Windows to manage the display order of the Start Menu and IE Favorites menu present the forensic investigator the opportunity to uncover evidence of previously removed applications and favorites. In several realistic usage scenarios, significant artifacts may be left in these locations indefinitely.

This post examines a recent decision from the Oregon Court of Appeals in which the court addressed a man’s appeal from his conviction for “unlawfully obtaining the contents of a communication”. State v. Neff, __ P.3d __, 2011 WL 5067110 (Oregon Court of Appeals 2011).

By Susan Brenner

If you run a search on Google.com, your Internet search is likely recorded and logged in several places. Digital forensic examiners leverage this feature in digital forensic exams. If you're logged into Google all search results will soon be encrypted. That means that Internet browsers will treat those transactions like any other https communication—they won't cache.

By Jonathan Rajewski

Law enforcement’s challenge with the proliferation of potential video evidence is in obtaining and preserving the images captured for future evidentiary value. The stumbling blocks to the admissibility of digital evidence are the typical trial objections attorneys will make to newly introduced evidence, mainly that of either undue prejudice, hearsay, the best evidence rule or a lack of foundation for the introduction of the evidence. These are legal arguments which are left to the prosecutor to defend against in submitting the evidence at trial.

As technology becomes more ubiquitous, everyday objects are being replaced by their computer alternative. Even specialized applications such as the Amazon Kindle, a device specifically designed by Lab126 for reading books, have additional features such as an MP3 player and Internet browsing capability. In this post, we take a detailed look at the hardware and software of a 3rd generation Kindle in order to reveal the wealth of information that even a specialized device could provide in a forensic examination.

By Allyn Stott

Every now and then, I see requests for sample reports from people in the field. And while I can't share reports I've written due to confidentiality issues, I thought it might make for an interesting post to write about some of the guidelines that I like to follow when writing.

Criminals who operate large groupings of hacked PCs tend to be a secretive lot, and jealously guard their assets against hijacking by other crooks. But one of the world’s largest and most sophisticated botnets is openly renting its infected PCs to any and all comers, and has even created a Firefox add-on to assist customers.

By Brian Krebs

Ten years ago, nobody was interested in forensic auditing of databases. It has taken a decade, but the market now realizes that attackers alter databases. If you want to know what happened, then you will need to conduct a forensic audit—and you can forget going to your firewall or SIEM logs for the complete picture. We also know most breaches are not discovered immediately, and, in many cases, are detected by people outside of the company.

By Adrian Lane

Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or "hacking" techniques in order to obtain forensic evidence, a process here referred to as "Hostile Forensics". This issue is not one that has been adequately discussed in the forensic community at large, and as such there has been very little planning or public collaboration to discuss issues and define standards, tactics, strategies and best practices. It is a particular problem for U.S.