SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten than out...

On behalf of all of the contributors to the SANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyone who voted for us as Best Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please send it to

I also want to congratulate Dave Hull, who will receive the Forensic 4cast award on our behalf and give it a good home. [Hopefully Dave won't throttle me after this ;-) ]. Dave does a lot to keep this blog humming along on a day-to-day basis, not the least of which is serving as the Case Leads cat-herder and making sure we get this series off the ground each week. Congratulations Dave! (please don't beat me)

Finally, thanks again to Lee Whitfield and Disklabs for bringing us the Forensic 4cast Awards. It's a great joy to be honored, and a great service that you've done for the community by creating a way to recognize outstanding contribution to the field.

Since we're just coming down from the SANS Forensics and Incident Response Summit, this week's edition is named in honor of the recently completed SANS Digital Forensics and Incident Response Challenege. A great many interesting tools and solutions rose out of that challenge, a few of which I've mentioned here. There have also been some interesting writings on Advanced Persistent Threat (APT) of late that are worth noting. So, without further ado...


  • Congratulations to Wesley McGrew, winner of the SANS Digital Forensics and Incident Response Challenege. As part of his winning submission, Wesley introduced a cool new tool called This Python script parses packet captures stored in PCAP format, then generates an HTML report that summarizes the flows contained in the specified packet capture. This report allows the analyst to drill down into each flow as needed. Also be sure to check out Wesley's blog for more information.
  • Thanks in part to the Ann's Aurora Challenge, Finalist Erik Hjelmvik released an update to his popular NetworkMiner Network Forensic Analysis Tool. "Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing."
  • Lenny Zeltser recently released REMnux, which he describes as "a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software." This isn't my area of expertise, so I'll leave you to read Lenny's write-up, but it sounds quite cool.
  • Kristinn Gudjonsson released log2timeline v0.50 on June 30. This release contains a number of improvements. One of the most exciting is the ability to specify which modules timescanner uses to perform its recursive scan for time-stamped artifacts.
  • The Sleuth Kit v3.1.3 was released on July 2. It contains several bug fixes.

Good Reads:

  • Our friends over at Network Forensics Puzzle Contest have the answers to the Ann's Aurora Challenge, as well as more information on the various submissions. There's some very cool and educational stuff here, so be sure to check out the details.
  • Richard Bejtlich earns the cover of this month's Information Security magazine with his article Understanding the Advanced Persistent Threat. Richard's article answers the question "What Is the Advanced Persistent Threat?" It provides some historical perspective, then briefly discusses what defenders should do to counter APT. This last section on countering APT seems a bit thin to me. It calls for employing "trained and knowledgeable information security analyst[s]" and "building visibility in to one's organization." These things are both necessary and true, but the article leaves me hungry for details. If I were to put on my management cap (which I don't actually own), for example, I might like to see this section answer the question "What can I do and where can I look to get my existing staff sufficiently trained?" Other questions would likely come to mind if I were to try on different hats. But that's not really the point. I'm sure Richard was constrained by word-count or some similar limitation when composing the article. So Richard, if you're reading this, I'd love to see you elaborate on that section elsewhere.
  • A while back, over on Forensic Incident Response, hogfly posted some fun and interesting musings on metaphors. Go take a look at what Chess, Ants, and APT have in common.


  • Did you ever think the world of Digital Forensics needed its own set of Gods? Happy as a Monkey did, and offered up a few ideas.
  • If that weren't enough, Girlie Geek suggests that the language of Computer Forensics become even more specialized and arguably incomprehensible. So she takes a cue from the Cockney dialect and gives us "Fockney."

Coming Events:

Digital Forensics Case Leads for 20100715 was compiled by Gregory Pendergast, incident handler and digital forensicator at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to


Posted July 15, 2010 at 5:11 PM | Permalink | Reply

Lee Whitfield

The pleasure is all mine. Thanks for letting me be a part of this.