SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Free tools, Treasure Hunts, Drive-by Attacks and Spying

This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Earlier this month AccessData released a new version of their popular (and free) utility, the FTK Imager. Version 3 has a number of useful features such as the ability to boot forensic images in VMWare and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG files. Wait! There's more! The tool also has the ability to create and view AFF (Advanced Forensic Format) images.
  • Paraben Corporation released an update to its free and professional version of P2 eXplorer. The professional and free versions differ in a few ways (mainly in 64-bit support and support for VMware and VirtualPC images) but both versions will mount most forensic image formats as physical or logical disks.

Good Reads:

  • The Digital Forensics Security Treasure Hunt created by Rob Lee, Mike Murr and the DC3 Challenge Team is an online environment designed to help identify people with digital forensics interest and skills. Various challenges found on the site test participants' knowledge and skills in the areas such as disk, memory, and network forensics. Everyone is welcome to participate.
  • If you're curious about "drive-by" browser attacks, you will want to take a look at Corey Harrell's analysis in "Anatomy of a Drive-by" part 1 & part 2. (The author cautions that some of the links may be "unfriendly".) In the analysis Corey makes use of several tools including log2timeline and the SIFT workstation, both of which have been featured on this blog.


  • Got GPS? After reading this, you may want to check your car. You may recall that the 9th US Circuit Court of Appeals issued an opinion stating that it is legal for law enforcement to place a tracking device on a suspect's car without a warrant. It seems that a California college student caused some US Federal agency enough concern that they decided to place a tracking device on his car. The device was discovered when the car was taken for an oil change and the mechanic noticed some "unusual" wiring.
  • Location-aware browsing or how-a-website-can-locate-you-without-a-GPS. The article by Ben Grubb comments about the way wireless MAC addresses (collected by Google's Street View cars) enable websites to determine a visitor's geographical location.
  • Sometimes it's rough being a spy. As mentioned in an earlier Case Leads, spies are sometimes sent home, traded for other spies, or jailed when caught. If you happened to be a spy in Iran and you were involved with infecting that country's nuclear facilities with Stuxnet you may have faced "termination."


  • For our UK readers near Wembley, if you recently visited IKEA and came home loaded with cat fur, we have the reason. Spend the next four minutes and seven seconds discovering what happens when 100 cats are released in an IKEA.
  • Should you ever lose a pet, be careful who you ask for help.

Coming Events:

Digital Forensics Case Leads for 20101014 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy including Data Loss Prevention, Full Disk Encryption, and Education Awareness. If you have an article to suggest for case leads please email it to