SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Ready, Forensicate, Aim

Ready. Forensicate. Aim.

Okay, seriously, don't do that. You know the correct order, right? If not, Chris Pogue spent part of last year presenting on the Sniper Forensics methodology, developed by the incident response team at TrustWave's SpiderLabs, and has what you need. Even if you already know the proper order is Ready, Aim, Forensicate, Sniper Forensics may provide you a new way think about and tackle the OMGigabytes and Terrorbytes of data that we invariably have to work with (or around).

Of course, that's just one of the excellent resources you'll find below. But I've chosen to highlight it because it's becoming increasingly more important to think strategically about how to work through an investigation. Hard drive sizes are getting bigger, and expectations aren't getting any more reasonable.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Five new plugins were recently contributed to RegRipper by Francesco Picasso. These plugins extend Harlan Carvey's original timezone plugin, parse default clients used for Calendar, IM and StartMenuInternet, and parse out Yahoo! Messenger configuration.

Good Reads:

  • Chris Pogue posted Sniper Forensics - Part 1: A Brief History Lesson over on the SpiderLabs blog. Chris spent part of 2010 presenting on this methodology at places like DEF CON and SecTor. Now he's blogging on the subject for all of us who couldn't attend the appropriate Cons. In Part 1, he discusses the principles that form the foundation for the methodology. So browse on over to his SpiderLabs post to sharpen your Occam's Razor, then check out his presentation slides from SecTor (PDF) and DEF CON (PDF) to get a taste of what's to come in some of his future posts. This is definitely something to keep an eye on.
  • Back in December, Brad Garnett posted a helpful review of the book Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit over on his Computer Forensic Source blog. Check it out, and if you have your own thoughts about this or any book, post your own review to Amazon.
  • Also back in December, Tim Mugherini posted an excellent analysis of a piece of scareware on his Security Braindump blog. Not Just Another Analysis of Scareware is both an interesting analysis of a piece of malware, but provides the added benefit of serving as a how-to guide for analyzing malware. Hopefully, the "Part II" he references at the end of the post will be forthcoming in the near future.
  • DFI News has a couple of articles on analyzing Windows Prefetch files that seem worthwhile. I haven't had a chance to read these fully, so check out Decoding Prefetch Files for Forensic Purpose : Part 1 and Part 2 and let us know what you think.


  • The hit squad that assassinated a Hamas leader in Dubai last January used malware planted on the target's computer to intercept communications and learn about his movements and activities. While articles from both The Register and Wired point out the mistakes made by the Mossad team, this is yet another frightening use of malware by advanced actors. Neither article says much about the use of malware, but they both serve to demonstrate strongly how much the digital threat landscape has changed. It's definitely not just about "hacking" anymore. (Note: If you have time to read only one of the two articles, read the article from Wired.)
  • ThreatPost: DOD Report Says Spying Focused on Naval Technology
  • Rapid7 Security Blog: Chinese agencies double cyber attacks on Germany (Note: This isn't purely news. It's part news, part opinion, but all interesting.)
  • SFGate: Court OKs Searches of Cell Phones Without Warrant - The California Supreme Court has ruled that police may search arrestee's cell phones without a warrant, citing U.S. Supreme Court precedent regarding the arrestee's loss of privacy rights. The dissenting voices on the court argued that the old precedents should not be extended to cell phones due to the huge amount of data they can store.


  • Girlie Geek's Blog shines a light on the Scrooge-ly underbelly of the digital forensics game. Don't let this be you.
  • The end of the world as we know it?

Coming Events:

Digital Forensics Case Leads for 20110106 was compiled by Gregory Pendergast, Interim Information Security Officer and jack-of-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to