SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges. Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge. More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below. Even if you're new to the field or are not confident in your abilities, give it a try and see how far you get. Even if you don't submit a solution, your attempt to work through one or more of these challenges will make the winning submissions more meaningful when they are announced and available for reading.

If you know of Challenges I've missed, please let us know in the comments section. Also, if you have news or links to share, you can send them to us at caseleads [AT] sans [DOT] org.

  • SANS Digital Forensics and Incident Response Challenge - Ann's Aurora: An Advanced Persistent Threat-based challenge. Submissions for this challenge are due by 6/27/2010 (11:59:59pm UTC-11). "In other words, if it's still 6/27/10 anywhere in the world, you can submit your entry." Winners will be announced June 8, 2010 at the SANS Forensics and Incident Response Summit in Washington D.C. There are prizes for the top 3 teams.
  • DFRWS 2010 Forensics Challenge - This year's DFRWS challenge involves mobile device forensics, in the form of NAND and NOR flash memory analysis from a Sony Ericsson K800i Cybershot. Submissions are due by July 25, 2010.
  • DOD Cyber Crime Center (DC3) Forensics Challenge - Solution submissions for this challenge are due by 11/2/2010. The web site is not quite as intuitive as one would like, so to view details about the challenge you'll need look at their detailed rules (PDF) by clicking Challenge > Rules > click here (PDF). There are 22 single-scenario challenges with points for each challenge assigned based on the difficulty level of the challenge.
  • The Honeynet Project's Forensic Challenge 2010/4 will be posted on June 1st. No other information is available as of this writing.


  • There's a new tool in the Windows Sysinternals arsenal. RAMMap 1.0 is an "advanced physical memory usage analysis utility" for Windows Vista and higher.
  • On May 23rd, Brian Carrier released The Sleuth Kit 3.1.2, which contains bug fixes detailed in the release news. Among the changes are fixes to speed up FAT directory and OrphanFiles listings, a couple of NTFS processing fixes, and some errors fixed in mmls and ifind.
  • AccessData has released Command Line versions of FTK Imager for Windows, Mac OS X, and Linux (Red Hat & Debian based distributions). I haven't had an opportunity to work with these yet, so if you have any thoughts you'd like to share, please post them to the comments section.
  • If you use a Tableau TD1 Forensic Duplicator, you'll want to go download Tableau Firmware Update v6.70. It adds support for .E01 disk-to-file images and support for several localized languages. See the revision history for details.

Good Reads:

  • Rich Mogull has an interesting post over on the Securosis blog: FireStarter: The Only Value/Loss Metric That Matters. He discusses the difficulty (nay, impossibility?) of valuing information assets and predicting losses due to a security incident. Then, over on his TaoSecurity blog, Richard Bejtlich picks this up an runs with it, briefly discussing the difficulty of calculating the cost of an incident after it has happened. And if we can't easily or successfully calculate losses from an incident that has already occurred, we have little-to-no hope of projecting future costs of incidents.
  • Over at Law Technology News, Leonard Deutchman has an thorough and interesting article on the application of the Plain View doctrine to computer searches. In his article, To Avoid 'Plain View,' Investigators Need Blinders, Mr. Deutchman provides some background on reasons that the 1st, 4th and 7th U.S. Circuit Courts of Appeal have applied the plain view doctrine to computer searches, where the 9th Circuit Court rejected it, then goes on to provide some insightful analysis of the issue.


  • KrebsOnSecurity: Fraud Bazaar Hacked - the German-based forum dedicated to helping criminals sell stolen financial data was hacked, and some of its data posted to, further exposing the data of many identity/banking theft victims.


  • Hyperbole and a Half blog by Allie Brosh. It's not technical, but it's funny. READ IT! :-)
  • Check out the JeffandCeleste blog over on Blogspot. Talented comic makers with some darkness in their humor. Be sure to check out both the Beatrice and Genre Squad comic strips.

Coming Events:

Digital Forensics Case Leads for 20100527 was compiled by Gregory Pendergast, incident handler and digital forensicator at Virginia Commonwealth University.


Posted June 9, 2010 at 4:42 PM | Permalink | Reply


Dear Forensicators!
I am new on the field, preparing a honours project on: "Anti Forensic methods and the traces they leave behind" Can anyone help with relevant source of helpful materials? But I must say that, blogs and other resources on this site have been very useful so far. Thanks to all, great jobs!

Posted June 14, 2010 at 7:25 PM | Permalink | Reply

Gregory Pendergast

I haven't researched anti-forensics much myself, but you may find a recent Securabit Podcast (Episode 58) helpful. It features an interview with Harlan Carvey. In the episode, he discusses (among other things) anti-forensic techniques pertaining to time-stamp manipulation and how to detect when some of those techniques have been used.

Posted June 28, 2010 at 4:44 PM | Permalink | Reply

Alambreck Johnson

Thanks a million! I really find that quite helpful. I also find some useful materials on the SANS Reading Room.
Once again thanks!

Posted October 13, 2010 at 4:29 AM | Permalink | Reply

jay gusler

I was the target of several anonymously posted threatening posting to an internet message board site. I complained to law enforcement who finally got around to looking into the matter about 5 months after my complaint. The investigating agency told me that the site's owner had the offensive materials deleted shortly after they were posted, thus rendering the origins of the threatening posts irretrievable. This all occurred around June-July 2009. Any advice on how true this is, and whether there is any way to uncover those responsible?

Posted October 15, 2010 at 3:16 PM | Permalink | Reply

Gregory Pendergast

Hi Jay. I'm sorry to hear that you were threatened in that way. Without knowing any of the specifics of your case (which is best), I can only offer a general impression. It's not likely that Law Enforcement had any reason to lie to you about their findings. And, in general, logs like that don't persist very long on servers or other systems unless the system administrators take steps to actively archive and preserve them. And that's something that just isn't as widely done as it should be, especially if the site in question does not belong to a regulated organization that is required to implement security controls such as log monitoring. So, in all probability, Law Enforcement would have to have contacted the system owner much sooner (a matter of days or weeks) after you complaint in order to have significant hope of collecting any evidence of the posts or the underlying logs. And without those, there's not a technical way to trace the postings back to any particular individual(s). In fact, tracing back to that level of attribution can be difficult even when you do have logs. I hope this answers your question, but if not, feel free to reply.