SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: No Shmoose, No Junk; Just Forensics

In this week's entry, nothing ShmooCon related, no TSA junk, and no royal engagements. Just the usual variety of tool and news pointers, in case you missed them elsewhere.


  • On his excellent blog, Lance Mueller has published an EnCase script, written by Oliver Höpli, which uses an MSSQL database for storing hashes and gives faster filtering results. Find it here.
  • Brian Carrier announced the availability of a new Open Source Forensics site. This is a great resource for those of us who may not be able to afford the more expensive tools, but continue to work with The Sleuth Kit and a hex editor.
  • The National Institute of Justice's Electronic Crime Program supports development of tools to assist in collecting digital evidence. Unfortunately, these tools are generally available to law enforcement only, but you can find more info here.

Good Reads:

  • ViaForensics has posted an update of their free iPhone Forensics white paper. There was a note on this blog last week with a brief description as well. This is a very impressive work and gift to the community; Andrew and ViaForensics deserve huge thanks for their work.
  • Lee Whitfield has a short article on acquisition of the newer MacBook Air Drives (which use LIF, or low insertion force, connectors) here.
  • Solera Networks, a provider of network forensics capability, has published their 2nd Annual Network Forensics Survey, which indicates, not surprisingly, that most companies are aware of the need for "realtime situational awareness and network forensics", but only a small minority have that capability. With the increasing importance of distributed storage and cloud computing, this will continue to be an issue.
  • For those deep into the malware side of forensics, there is a 4-part series on analysis of the ZeroAccess rootkit available. Find it here. Might be an interesting exercise for someone who's recently been through Lenny Zeltser's Reverse Engineering Malware class!


  • HTCIA's 2010 Report on Cyber Crime Investigation points out the need for more law enforcement resources (personnel and training) in this area. Last month the FBI reported progress in the area; its regional computer forensics labs have trained over 5400 officers in FY2009.
  • Frederic Lane has an interesting take on the recent decision by Judge Kimba Wood to take down LimeWire in response to a suit by the RIAA. Forensicators may not have much to worry about though; a "secret development team" is reported to have refined and resurrected LimeWire.
  • On the malware front, The Register reports that a rootkit has been able to penetrate the substantial antimalware defenses of Windows 7 and achieve infection by altering a machine's master boot record.

Coming Events:

    Digital Forensics Case Leads for 20101122 was compiled by G W Ray Davidson, PhD, CISSP, GCIA, GCFA, ETC, assistant professor at Purdue Calumet, SANS Mentor and serial facilitator, and principal at Vigil Inc.

    If you have an article to suggest for case leads please email it to