SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Carving processes from Win7 mem dumps, timeline analysis

Timelines, time stamps and related analysis have been a popular subject of late in the community. You'll find a little more of that in this week's Case Leads, including a very nice walk-through of using Excel to analyze timeline data. It's really a great tool for this, especially when dealing with large datasets.

There's also news of progress on the steganalysis front, or at least news of a leading researching getting some credit and loads of other good stuff.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Richard McQuown has released an Enscript that can carve Windows 7 processes from memory images. The script is beta, but worth checking out, especially if you're fortunate enough to work in an enterprise that's replaced XP with Win7.
  • Corey Harrell has an awesome post about Reviewing timelines with Excel. It's been my tool of choice for timeline analysis for more than a year, and Corey's post shows some of the powerful things than can be done. Excellent work Corey.

Good Reads:

  • Digital Forensics Magazine released Issue Five this week and features an article from Rob Lee that explores training options available to Digital Forensics practitioners, along with other articles covering various aspects of DF training.
  • An older post on detecting time stamp changing utilities from Lance Mueller. I should have looked for this prior to making my own post this week in the same vein.
  • Eric J. Huber recently interviewed Dr. Gary Kessler. Huber asked something many of us have talked about or considered, "Is digital forensics a science? Is it an art? Both?" In his answer, Kessler mentioned work by Fred Cohen on information physics. I tracked down a document from Cohen on Information Physics and it is most certainly an interesting read.


  • Yun Q. Shi, professor of electrical and computer engineering at New Jersey Institute of Technology is being honored for his research in steganalysis. According to the NJIT press release, "In 2009, Shi cracked the code that enabled researchers around the world to detect tampering with electronic images."




  • Attention iPhone users, friend of the blog, Tony Campbell, is working on a M. Sc. dissertation in Digital Forensics Profiling and would like the community to help him by completing a survey. The survey is specifically for iPhone users. If you're an iPhone user and can spare a few minutes, please take the survey.

Coming Events:

Digital Forensics Case Leads for 20101104 was compiled by a sleep deprived, burning the candle at both ends and in the middle, Dave Hull. If you have an article to suggest for case leads please email it to