SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: The Community Needs You

I don't know. I don't know. I don't know.

That little phrase, more than most others in the English language, has an amazing potential to be either mindbogglingly empowering or cripplingly demoralizing. A great deal of the difference depends on emphasis. Do you dwell on the fact that you don't have the knowledge and don't have "the time" to find the answer? Or do you focus on the opportunity to gain knowledge and make new discoveries? Do you hesitate or hold back because there are things you don't know? Or do you have a good grip on the fact that none of us know everything (or even most things)?

The answers to those questions have a lot to do with how and whether you decide to contribute to the digital forensics community (or any community). So I've focussed this week on using the various links I've compiled to illustrate how people can begin contributing to the community in ways that don't necessarily require advanced knowledge, new research or significant time commitments. All of those this are desirable, of course, but aren't available to everyone who may want to make a contribution.

Of course, one of the easiest ways to contribute is to send us links to articles, tools or podcasts that you think are worth a mention. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Helping the Community:

  • This week, Verizon Business announced the availability of their VERIS (Verizon Enterprise Risk and Incident Sharing) Community Application. This is a public implementation of their VERIS Framework, used for collecting useful and shareable data regarding data breaches and other intrusions. As I mentioned in a previous Case Leads article, Verizon uses the VERIS Framework to collect and analyze the data they share in their Data Breach Investigations Reports (DBIR). The VERIS Community application will allow users/participants to help the information security community by sharing anonymized information about data intrusions. If a significant number of us look into this and participate, we could substantially grow the collective threat intelligence available to the community. Check out the announcement from Wade Baker to find out more about the project and about the services/data Verizon plans to make available to participants and the community.
  • Once you've checked out the announcement above, also take a look at Dennis Fisher's write up over on ThreatPost: Verizon Debuts New App to Gather Anonymous Attack Data.
  • Help forensic researchers when and where you can. As we mentioned last week, a friend of the blog, Tony Campbell (of Digital Forensics Magazine fame), is working on his M. Sc. dissertation on Digital Forensics Profiling. If you're an iPhone user, please take a few moments to take his short survey and help him along. Please pass this on to any iPhone users you know, as the survey is not specific to Digital Forensics practitioners.

Good Reads:

Another easy way to contribute to the community is to provide feedback and post questions. Comment on existing blogs for example, or take the time to ask/answer questions on newsgroups and forums.

  • Avoid the Knee Jerk Reaction is an insightful post by Christopher Glyer over on the Mandiant blog. It has been up for a while, but I just happened across it this week. Christopher cautions readers about three pitfalls to avoid when responding to security breaches, especially when combating APT intrusions. However, I think you'll find that most of his advice applies even when responding to more common threats. In particular, it's important to "scope" the problem as thoroughly as your resources permit before moving to remediation. Otherwise, you risk reacting to multiple infections/intrusions as isolated events when they may be components of a single attack. If you don't take the time to understand how (or whether) individual events relate, you lose valuable intelligence regarding who your attackers are and what threats your organization really faces.
  • Earlier this week, our own Chad Tilbury posted an excellent How-To on performing memory analysis with Mandiant's Memoryze and Audit Viewer tools. Aside from being an excellent tutorial, Chad's article demonstrates something we all recently re-learned when reviewing the results of our recent Reader's Survey: sharing with the community does not have to be about providing new, exciting or advanced research. Clear tutorials and documentation about tool usage and forensic fundamentals are also greatly needed and desired. Keep that in mind if you're looking for ways to make your own contributions. There is significant room for contribution in that area.
  • Looking for a job and need to perform some pre-interview reconnaissance? Lenny Zeltser gives some tips on How to Research in Preparation for an IT Interview.

Podcast Goodness:

If writing isn't your thing, podcast. Granted, not everyone should launch a regular podcast. But there are ways to contribute to existing podcasts: donate money for tools/bandwidth, send the podcaster suggestions for topics and, if you're up for it, offer to be a guest on one of the podcasts.

Coming Events:

Digital Forensics Case Leads for 20101115 was compiled by Gregory Pendergast. If you have an article to suggest for case leads please email it to