SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at!


  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the Jalapeno Keyfinder V2.0 may come in handy. The application requires no installation and may be used in GUI or command line mode. The application's FAQ lists the software keys the product can locate (currently 171 applications and versions are listed.)

Good Reads:


  • The DFRWS 2010 Forensic Challenge is underway. This year's challenge storyline revolves around the recovery of evidence from a mobile device (a Sony Ericsson K800i Cybershot) that once belonged to an arms dealer. Over the past five years the Digital Forensic Research Workshop has attempted to push the boundaries of digital forensics through these challenges. Aspects of the forensic challenge are intended to be accessible by any digital forensic practitioner regardless of experience level. The deadline for submissions to the Forensic Challenge is July 25, 2010. Results will be announced at the DFRWS2010 conference in Portland, Oregon (August 2-4, 2010).
  • Do you know the proper technique for seizing mobile devices such as smart phones?* If you aren't familiar with the proper technique, you're not alone. A presentation at AusCERT 2010 suggests that some law enforcement agencies have been caught by the remote data wiping features available for the BlackBerry and iPhone. You may recall that the "4th gen" iPhone of Gizmodo fame was erased by Apple by using the Remote Wipe feature of MobileMe. *Smart phones are radio transceivers so the use of Faraday bags (which block radio signals) is encouraged. Depending on the situation, removal of the battery may be appropriate.
  • For the OpenBSD fans, version 4.7 has been released.


Coming Events:

Digital Forensics Case Leads for 20100520 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray is involved in digital forensics, incident response, and numerous aspects of the Institute's defense in depth strategy.