SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Reverse Engineer Malware, Analyze Timelines and Report Findings

This week, we have a wealth of information about REMnux, Lenny Zeltser's Linux distribution for analyzing malware, Kristinn Gudjonsson's paper on Super Timeline Analysis, and some interesting report-writing posts that I wanted to call attention to again. There's a lot of interesting reading ahead, so without further ado...

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Reverse Engineering Malware:

Since he released his REMnux distribution for analyzing malware, our friend Lenny Zeltser has gotten quite a bit of attention for his distribution and for his SANS class, Reverse Engineering Malware. I'd like to take a moment here to highlight Lenny's work and bring your attention to some of the numerous write-ups and interviews from the past few months:

Forensic Reporting:

A couple of recent posts by fellow contributors Joe Garcia and Brad Garnett got me thinking about forensic report writing, and about how little guidance there is in this area. Joe and Brad put a dent in that deficit, but this is still a subject that tends to get sacrificed on the altar of tools and techniques. Because, let's face it, it's usually more fun to talk about cool new tools and techniques than to deal with the end product of all our analysis. But, having said that, I think it's important to remember what resources are out there. While guidance on the nitty-gritty of producing good reports is still in short supply, one of the interesting byproducts of all the recent forensic challenges is that we have the opportunity to read reports from a lot of smart people: to see not only how they organize their thoughts, but how they think and work through an analysis. I'm not linking to the various contest results here because there are links to the recent DFRWS results below (in the "Good Reads" section) and because I've linked to other results in the past. But reading these recent posts on report writing also got me looking at the various contest results in a different way.

  • Joe Garcia recently posted a review/walkthrough of CaseNotes here on our blog that I was excited to read because the application is new to me. This free software from QCC Information Security enforces the integrity of your notes by implementing a write-once style of data capture with an audit trail of changes and edits. These features help ensure that your notes stand up to questioning in court.
  • Brad Garnett followed up soon thereafter with his Intro to Report Writing for Digital Forensics. Brad's post is unique in that it's the first I've seen that dives into the nuts and bolts of report writing, touching on things like document structure, required content and style. A few of the reader comments are also insightful and worth a look, so be sure to scroll down through the comment section.
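To make the "write-once with an audit trail" idea concrete, here is an added illustration (my own code, not CaseNotes' implementation, whose internals are not described on this page) of an examiner notebook in which nothing is ever edited in place: every note, and every later correction to a note, is appended as a new record that carries a SHA-256 link to the previous record, so the full history of edits is preserved and any after-the-fact tampering with an earlier entry breaks the chain. The record layout, field names and the `WriteOnceNotes` class are assumptions made for this example.

```python
import hashlib
import json
import time


class WriteOnceNotes:
    """Append-only examiner notebook with a hash-chained audit trail.

    Assumed design for this example (not CaseNotes' own): records are only
    ever appended; a correction is a new record pointing at the note it
    amends; each record's hash covers its body plus the previous hash.
    """

    GENESIS = "0" * 64  # "previous hash" of the very first record

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the digest does not depend on dict ordering.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def _append(self, kind, text, target=None, ts=None):
        body = {
            "seq": len(self._records),
            "ts": ts if ts is not None else time.time(),
            "kind": kind,          # "note" or "amend"
            "text": text,
            "target": target,      # seq of the note being amended, if any
            "prev": self._records[-1]["hash"] if self._records else self.GENESIS,
        }
        record = dict(body, hash=self._digest(body))
        self._records.append(record)
        return record["seq"]

    def add(self, text, ts=None):
        """Record a new note; returns its sequence number."""
        return self._append("note", text, ts=ts)

    def amend(self, seq, text, ts=None):
        """Correct an earlier note without touching the original record."""
        if not 0 <= seq < len(self._records) or self._records[seq]["kind"] != "note":
            raise IndexError("no such note")
        return self._append("amend", text, target=seq, ts=ts)

    def current_view(self):
        """Latest text of every note, with amendments applied in order."""
        view = {}
        for r in self._records:
            key = r["seq"] if r["kind"] == "note" else r["target"]
            view[key] = r["text"]
        return view

    def history(self, seq):
        """Every version of note `seq`, oldest first (the audit trail)."""
        return [r["text"] for r in self._records
                if r["seq"] == seq or r["target"] == seq]

    def verify(self):
        """Recompute the chain; False if any record was altered or removed."""
        prev = self.GENESIS
        for i, r in enumerate(self._records):
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["seq"] != i or r["prev"] != prev or self._digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def export(self):
        """Serialise the full record set, e.g. for inclusion with a report."""
        return json.dumps(self._records, indent=1)


def demo():
    """Constructed walk-through: write, amend, verify, then tamper and re-verify."""
    nb = WriteOnceNotes()
    n0 = nb.add("Imaged suspect drive, serial WD-1234, hash e3b0...", ts=1283519680)
    nb.add("Began timeline review of C:\\Users\\bob", ts=1283520000)
    nb.amend(n0, "Imaged suspect drive, serial WD-1234, hash e3b0...; write-blocker used", ts=1283520100)
    intact = nb.verify()
    versions = nb.history(n0)
    nb._records[0]["text"] = "Imaged suspect drive (no write-blocker)"  # tamper in place
    return intact, versions, nb.verify()
```

Because the original record is never modified, an examiner can show in court both what was first written and exactly when it was corrected; `verify()` is the check you would run on the exported file before attaching it to a report.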

Good Reads:

  • Kristinn Gudjonsson, who gave us the terrific log2timeline tool, recently had his GIAC GCFA Gold paper published over in the SANS reading room. Or, in Kristinn's words, the "paper has finally been published." :-) Mastering the Super Timeline With log2timeline (PDF) is a deep dive into the workings of the log2timeline and timescanner tools, with guidance on how to use them in your analysis. I haven't finished reading the paper yet, but it seems promising so far.
  • A couple weeks ago, the winner of the DFRWS 2010 Forensic Challenge was announced. Congratulations to Solal Jacob for his winning submission. As part of his submission, Solal created new modules for the Digital Forensic Framework (DFF) that parse memory dumps of Sony Ericsson K800i devices. You can check out his detailed submission and read his reports by following the link from the DFRWS 2010 Results page.
  • Over on the cmdLabs blog, Eoghan Casey (who helped create the DFRWS 2010 Challenge, in collaboration with the Netherlands Forensic Institute) posted an informative synopsis of the winning submissions and other interesting outcomes from the competition.
  • On her CYB3rCRIM3 blog, Susan Brenner has posted an interesting summary of a recent Virginia Court of Appeals decision regarding the interpretation of Virginia's child pornography laws. The appellant in the case argued that the evidence presented by the Commonwealth in the original case did not support his conviction on 10 counts of possessing child pornography. Instead, the appellant argued that the evidence presented only supported a maximum of 6 counts. The point of contention was language in the Virginia statute that requires three or more sexually explicit images or streaming videos be present in a computer's "temporary internet cache" in order to prove the possession charge. (Note, of course, that this number only applies to items in "temporary internet cache." The number does not apply to images/videos stored in other locations, where one item is likely sufficient.) To see how the Court ruled, click on over to Susan's blog and read the post for yourself.
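Since the super timeline idea behind Kristinn's paper is easy to state but easy to get wrong in practice, here is an added illustration of what such a timeline is: timestamps from unrelated artifact types (a web server access log, an exported Windows event, and filesystem MACB times) are each parsed from their native format, normalised to UTC, tagged with their source, and merged into one sorted sequence. This is my own example code, not log2timeline or timescanner; the sample log lines and file times are constructed for the demo, and the `MACB` column (a dot for each absent timestamp type) is modelled on log2timeline's output but the rest of the record layout is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample artifacts (not real case data), each in its native format.
APACHE_LINES = [
    '10.0.0.5 - - [03/Sep/2010:09:15:02 -0400] "GET /uploads/shell.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Sep/2010:09:14:40 -0400] "POST /upload.php HTTP/1.1" 302 0',
]
WIN_EVENTS = [  # constructed; ISO-8601 UTC as an exported Security log might give
    {"time": "2010-09-03T13:16:10Z", "id": 4624, "msg": "Logon: svc_backup from 10.0.0.5"},
]
FS_ENTRIES = [  # constructed stat-style entry: epoch seconds (UTC) for M/A/C/B times
    {"path": "/var/www/uploads/shell.php",
     "m": 1283519680, "a": 1283519702, "c": 1283519680, "b": 1283519680},
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_apache(line):
    """Apache/NCSA combined log line -> normalised timeline record (UTC)."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed access log line: {line!r}")
    client, when, request, status, _size = m.groups()
    # The log carries a local offset (-0400); convert so every source is comparable.
    ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "macb": "....", "source": "WEBLOG",
            "desc": f"{client} {request} -> {status}"}


def parse_win_event(ev):
    """Exported Windows event (ISO-8601 'Z' time) -> normalised record."""
    ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": ts, "macb": "....", "source": "EVT",
            "desc": f"EventID {ev['id']}: {ev['msg']}"}


def parse_fs_entry(entry):
    """One filesystem entry -> one record per distinct timestamp, MACB flags set."""
    by_time = {}
    for flag, key in (("M", "m"), ("A", "a"), ("C", "c"), ("B", "b")):
        by_time.setdefault(entry[key], set()).add(flag)
    records = []
    for epoch, flags in by_time.items():
        macb = "".join(f if f in flags else "." for f in "MACB")
        records.append({"ts": datetime.fromtimestamp(epoch, tz=timezone.utc),
                        "macb": macb, "source": "FILE", "desc": entry["path"]})
    return records


def build_super_timeline(apache=APACHE_LINES, win=WIN_EVENTS, fs=FS_ENTRIES):
    """Merge every source into one chronologically sorted list of records."""
    rows = [parse_apache(l) for l in apache]
    rows += [parse_win_event(e) for e in win]
    for entry in fs:
        rows += parse_fs_entry(entry)
    # Sort on the UTC timestamp first; source and description make ties stable.
    rows.sort(key=lambda r: (r["ts"], r["source"], r["desc"]))
    return rows


def render(rows):
    """Flat text view, one event per line, suitable for pasting into notes."""
    return "\n".join(f"{r['ts'].isoformat()} {r['macb']} {r['source']:6} {r['desc']}"
                     for r in rows)


if __name__ == "__main__":
    print(render(build_super_timeline()))
```

Read top to bottom, the merged output puts the POST to upload.php, the creation of shell.php, the GET that executed it, and the subsequent logon on a single clock, which is the whole point of the exercise; note that without the UTC normalisation the web log's local times would sort two hundred and forty minutes away from the filesystem times for the same events.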


Coming Events:

Digital Forensics Case Leads for 20100903 was compiled by Gregory Pendergast, interim Information Security Officer at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to