SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Incident Response Hits The Mainstream; Powerful Tech Fighting CP; Acquisition Errors Can Cost Case

Incident Response Lead Story:

Why it pays to have incident response in a Wikileaks world.

The Wikileaks story is having a ripple effect that shows no sign of abating. As of this writing, according to a spokesperson for PandaSecurity: the following web sites have been attacked in the name of defending the actions of Wikileaks:

  • The web sites of MaterCard, Visa, PayPal,

  • Senator Joe Lieberman's website was taken down for 12 minutes (the first .gov site to be attacked)
  • Sarah Palin's website was taken offline by a small group of Anonymous attackers
  • The group sent spam faxes to Joe Lieberman's office and to PostFinance
  • PostFinance ( a Swiss Bank) was attacked the hardest, leaving customers without the ability to conduct online banking
  • Te website of the lawyer representing the 2 girls who were allegedly assaulted by WikiLeaks founder Julian Assange
  • The group took down Assange's Swedish prosecutor's website

Obviously the incident response teams from the financial services companies are working to restore services. Most of the attacks are more for show, and not targeting the back-end processing systems. The BBC is reporting that a "downstream" processor is reporting that they cannot process MasterCard charges. There are some unconfirmed reports in blogs that the Wikileaks support hacking groups have released batches of MasterCard numbers.

It is not a stretch to think that this week and next, incident response and info security executives are going to be going to their bosses to ask for more budget for incident response tools and staff. The open question is how many of those firms will think that data breaches and "hacker attacks" only happen to someone else.

Minute by minute updates by PandaLabs threat researcher Sean-Paul Correll is full of interesting incident information.

Computer Forensics Lead Story:

Kevin Ripa, a forensics expert with Computer Evidence Recovery, spoke with me about the repercussions of mishandling the initial acquisition of computer forensic data by law enforcement, and other related topics. Kevin Ripa doesn't pull punches. That has earned him the enmity of many members of law enforcement. Recorded for The CyberJungle Radio program at The Paraben Forensic Innovator's Conference in Park City Utah, Nov 2010. The sound quality is not studio quality.

The clip is about 10 minutes long, you may download the MP3.

Note to readers: If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


- Analyzing financial data, employee records, and purchasing systems for errors and fraud

- Interactively analyzing network events, web server logs, and system login records-

- Importing email into relational or text-based databases- Embedding controls and fraud testing routines into production system

This free open source tool (WIN/LIN/MAC) can be used by investigators looking for indications of fraud and other out-of-norm behaviors by inside attackers. In light of the insider attack by PFC Manning that ended up on Wikileaks, looking at tools that help detect insider "out of norm" behavior make more sense than ever.

Good Reads:

A Major Leap Forward In E-Discovery: An Interview with Randall Burrows, Vice President and General Manager of Xerox Litigation Services.


  • Keyword searches not good enough for e-discovery, experts say: Lawyers are using old search technologies that don't find all of the relevant documents.
  • Fed Supercomputer Tracks Child Porn Sharers.
  • Warrantless tracking of car rentals, credit card sales, and even supermarket club cards: Researcher Christopher Soghoian discovered law enforcement uses something called a "hotwatch order" that allows real-time surveillance of purchases and movement.
  • Virginia's Attorney General issues guidance to teachers viewing cyberbullying data on mobile devices; no mention of proper forensics. What could go wrong? Read more in this story from The Daily Progress, and the report from the AG.


  • US Air Force studies fruit-flies to build killer insect swarm drones: Tiny UAVs land on you and BLAM - you're dead.

Coming Events:

by Ira Victor, G7799, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of The CyberJungle radio program, the news and talk each week on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of High Tech Crime International Association.