SANS Digital Forensics and Incident Response Blog

Digital Forensic Case Leads: Introductions

Recently, the forensicator-in-chief, Rob Lee, put out the call for a new series of posts here at the SANS Computer Forensics Blog. Rob wanted to present a few short "case leads" that may interest practitioners. A small group of volunteers took on the task of formulating a weekly "Digital Forensic Case Leads" post each Friday to include coverage of tools both new and old, interesting reads, news items and more.

And so in the spirit of Kevin Riggins and his "Interesting Information Security Bits" or Dave Lewis, James Arlen (et al) and their "Liquid Matrix Security Briefings", we present "Case Leads: 20100205-001:"


  • Andreas Shuster released an update of his Vista event log parser, Evtx Parser Version 1.0.2. The update fixes a few issues with the tool's XML output. See Andreas' blog and the README for additional information about Evtx Parser.
  • Also check out David Kovar's analyzeMFT, a Python script that parses $MFT files from NTFS volumes into CVS files. Be sure to read the comments Kovar puts in the script itself.
  • Good Reads:

  • With this year's SANS WhatWorks in Forensics and Incident Response Summit just around the corner (see below), we remind you last year's presentations (Forensics and Incident Response Summit 2009) are full of great content.
  • In addition, the Presentations for the Forensics and Incident Response Summit 2008 are also online
  • Take note of the Slaying the Red Dragon Presentation by Wendi Rafferty and Ken Bradley of MANDIANT discussing the Advanced Persistent Threat back in October, 2008
  • News:

  • Wired: Report Details Hacks Targeting Google, Others
  • MSNBC/Washington Post: Google to enlist NSA to fight off cyberattacks
  • Levity:

  • "Watched with @nickharbour and @0x73davis. very very funny!! Next Gen Hacker 101 FTW!" 12:07 PM Feb 3rd from web — via Twitter.
  • Coming events:

  • Sec 508: Computer Forensics Investigations and Incident Response: Boston, MA, Mar 15-20. St. Patrick's Day in Boston!
  • SANS WhatWorks in Forensics and Incident Response Summit 2010: London, UK, Apr 14-20
  • SANS WhatWorks in Forensics and Incident Response 2010: Washington, DC, Jul 8-15

  • Digital Forensic Case Leads: Introductions compiled by Dave Hull of Trusted Signal. Hull's working life is "on the Venns" between incident response, forensics and web application security. Dave will be teaching the above course in Boston over St. Patrick's Day


    Posted February 5, 2010 at 5:06 PM | Permalink | Reply

    Kevin Riggins

    Thanks for the mention Dave. This is going to be a very cool feature.