SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via firewire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and Logicube's second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be happy to do a write up.)

If you've ever analyzed a PDF, you've probably used a tool created by Didier Stevens. Didier has figured out a way to make certain PDF readers execute embedded binaries. Check out his explanation in Good Reads.

Disk encryption in various forms is becoming more common when it comes to incident response and forensics. In response to its customer's requests, Passware has updated their flagship product to handle TrueCrypt. Their product also has support for BitLocker.


Good Reads:

  • Didier Stevens figured out a vulnerability-free technique to make a PDF execute an embedded binary
  • Robert-Jan Mora and Bas Kloet have released a paper on using statistical sampling techniques in digital forensics in order to alleviate the backlog of existing casework. Yes, we posted this one earlier this week, but it's worth another look: Digital Forensic Sampling.



Coming Events:

Digital Forensics Case Leads for 20100401 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy.


Posted April 6, 2010 at 8:06 PM | Permalink | Reply

Garland Web Design

I guess with the price of hard drives going way down this really opens up technology. Plus with advent of networking speed and mobile web. I rather like the direction this is going in.

Posted April 7, 2010 at 12:46 AM | Permalink | Reply


According to Passware's website, to be able to decrypt a hard drive that was encrypted with Truecrypt you must do the following:
"'The target computer is turned on, and the encrypted volume is mounted
'Both the target computer and the computer used for acquisition have FireWire (IEEE 1394) ports
'A FireWire cable"
Okay, to me this means it is still useless if the confiscated computer was found off and not on and running, correct?

Posted April 22, 2010 at 1:43 AM | Permalink | Reply


Yeah, you might as well just grab the RAM if the dang computer is turned on with a truecrypt volume mounted. That seems like MORE than liberal advertising if you ask me.