Analyze McAfee quarantine files with punbup.py

Have you ever needed to extract a McAfee quarantine file? Today’s tutorial will show you how to extract a BUP file with punbup in the lab. There are many reasons to extract the contents of a McAfee quarantine file; the most common are to perform deeper analysis of the detected file or to restore a file that was incorrectly identified. We will use the SANS SIFT workstation today to perform this task with the punbup.py script.


Acquiring a Forensic Disk Image with FTK Imager and the Wiebetech USB Writeblocker

This tutorial covers the process of imaging a hard drive that has already been removed from a system, using FTK Imager and a write blocker. FTK Imager comes in two versions: one that is installed on a PC and one that can be run from a thumb drive during incident response. We will be using the installed version for this tutorial, but both look and function the same. I will cover the following key steps in the process:
