SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Russian spies used a mixture of high tech, low tech and old tech. The techniques included drive-by (ad-hoc) Wi-Fi, steganography, and burst transmissions.
  • Thomas Ryan decided to do a little experiment in social networking known as the Robin Sage affair. His approach is fairly straightforward: create a few profiles on sites like Facebook, LinkedIn, MySpace, and Twitter, add a photograph and use a name that you might expect to be memorable to a certain demographic. Let the ingredients simmer for about a month and what do you get? Apparently over 300 connections, offers of employment and dinner invitations from Congress, the Joint Chiefs and just about anyone in between.

Good Reads:

  • There is a lot of work currently being done on the Windows Forensic Environment. Also known as WinFE or Windows FE, it is a modified version of Windows PE with the goal of being a Windows-based LiveCD/DVD suitable for digital forensics and incident response. Because the project is now quickly evolving, some of the documentation is considered out of date, but it is still somewhat useful. This slide deck from Microsoft's Troy Larson about Windows Forensic Environment (WinFE) and this PDF from Brett Shavers provide a good overview and historical context. Brett also posted a brief checklist and a couple of videos to help you create your own WinFE ISO. I followed his instructions and used his batch files to quickly create a functional WinFE ISO that included the SysInternals Suite, RegRipper, FTK Imager Lite, and a few other tools. If you decide to dive in and create the ISO without watching the videos, keep in mind you will need to run the Windows AIK shell as admin before you run createwinfe.bat. The batch files for creating your own WinFE image are included in a zip file available for download from the site. Brett Shavers, Mauritz Botha, Björn Ganster, and Troy Larson have all contributed files to help create a Windows FE image. Colin Ramsden is also contributing to the effort, and though his contribution is not yet available for download, a preview of his work is available.
  • The Orion Live CD is an Ubuntu-based incident response CD now available at SourceForge. This Live CD was originally based on BackTrack 4 and was developed by John Jarocki to meet the requirements for SANS GCIH gold certification. The paper is less than 50 pages and includes screenshots, tested platforms, and a list of added files. You may find this post useful to gain root access to the system.



  • Not a tool exactly, but a cheat sheet for several tools by Ed Skoudis. Hping, Metasploit, the Meterpreter, and FGDump are all featured.
  • In keeping with the spy theme, Q would likely be satisfied with this device. WiebeTech has come out with what may be the smallest USB writeblocker. At approximately $200, it may also be the least expensive USB writeblocker currently on the market.

Coming Events:

Digital Forensics Case Leads for 20100708 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy. If you have an article to suggest for case leads please email it to


Posted July 11, 2010 at 3:28 AM


Do you have a list of tools that will investigate an infected machine (in case the antivirus can't detect new malware or the machine has no antivirus installed)? Some tools like Process Explorer, Autoruns, etc.

Posted March 21, 2012 at 12:00 AM

Brett Shavers

Colin Ramsden's GUI application for WinFE is available as a WinBuilder script from A year in the making, but well worth the wait. It's still in beta as it needs to be tested, but feel free to test and validate (as we do anyway with all tools).