SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: New Year brings DEFT and DFF updates, interesting reads and upcoming events

This week we have updates to two great tools, a variety of interesting reads, including one to come soon, and some events to fill your calendar for the 1st quarter of the new year.


  • Arxsys has released V0.9 of the open source Digital Forensics Framework (DFF), which has some cool new features. You can see info here and download the new version here.
  • DEFT V6 is also out with some additions - You can see info on the new version here. and the iso is downloadable here. The virtual appliance and dd image for the USB stick should be available next week - check here for status.

Good Reads:

  • With iPads appearing everywhere, and iPhones now available on Verizon, iOS forensic analysis is fast becoming an important skill to have. Sean Morrisey has written a book on the subject, and Christiaan Beek has a nice review on his blog.
  • Eric Huber has an very interesting interview with UNIX security guru and SANS digital forensics team member Hal Pomeranz on his blog.
  • Ever start an investigation with an idea of what you'll find, and come up empty handed? David Cowen has some good reminders of some sanity checks when you don't see what your experience leads you to expect.
  • Even investigators need to stay out of trouble. Jesse Kornblum lists 4 cardinal rules to keep investigators out of hot water. Are there others you can add?
  • Jesse also has information on some scenarios developed by Simson Garfinkel which can be used by those of us who teach forensics, or who just want to keep our skillz up to date. Follow the Computer Forenscis Tool Testing mailing list for developments on this subject.
  • NetWitness continues their series on forensics and reversing with an entry on deep JavaScript analysis.
  • And in the "coming soon" category, Harlan Carvey's "Windows Registry Forensics" is scheduled for publication at the end of this month.


  • The FBI has opened the newest Regional Computer Forensic Lab in Orange County. The press release and links to other information are here. There are now 16 of these important centers across the country.??
  • Relying on US Supreme Court precedents, the California Supreme Court has ruled that cell phones can be searched without a warrant. The text of the controversial opinion is here, and a Google search will reveal quite a reaction from various quarters. Given the information available on a smart phone, including links to information in other locations, including the cloud, this will be an interesting development to watch.
  • Down under the Coming Events section, you'll see mention of the U.S. DoD Cyber Crime Conference. We're pleased to announce that a number of SANS instructors are on the agenda to present at DC3, some are presenting multiple times. For more details on who is speaking about what, check out the Forensics Speakers flyer.

Coming Events:

If you have an article to suggest for case leads please email it to

Digital Forensics Case Leads for 20110113 was compiled by G W Ray Davidson, PhD, CISSP, GCIA, GCFA, ETC, assistant professor of Information Technology at Purdue Calumet, SANS Mentor and serial facilitator.