SANS Digital Forensics and Incident Response Blog: Daily Archives: Apr 06, 2009

North Carolina: Seperate License for Digital Forensics Professionals or Private Investigator's License?

by Rob Lee

North Carolina's Proposed Ammendment

The North Carolina Private Protective Services Board is attempting to enact legislation that might require digital forensic examiners to become licensed private investigators. However, it could also open the door to license the digital investigator's separately. The language is vague and as such multiple organizations would love to see some specifics if the latter is the case.

In the proposed amendment: digital forensic examiners are defined as:

"Any person who, on a contractual basis, engages in the practice of conducting examinations of digitally stored data to recover, image, analyze, or examine the data by using specialized software to determine responsibility or reconstruct usage of the


Recovery of MP3s using regular expressions

by Quinn Shamblin

I was recently asked to recover audio MP3 from a corrupted memory chip.

The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo 44.1KHz at 128kbps.

audio_editorThere are several tools and approaches that are sometimes helpful in automated data recovery. I tried Access Data's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.

An MP3 file is simply a sequential series of "frames", 417-418 bytes in length, that each have their own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3