SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Capturing Mac Memory, the Shifting Threat Landscape, Forensics Tool Updates, and Zero Day: A Novel

This week's edition of Case Leads features new and updated forensics tools, a report on changes in attack patterns, a novel from what may seem like an unlikely source and thoughts on timestamp manipulations.

The ability to create a memory image on OS X has been lacking until now. A recently released report suggests that we may get to use that tool sooner rather than later as attacks are shifting away from Windows and becoming more common on OS X and various mobile devices.

We have an update on a tool that may be described as a cross between "strings" and "grep" that also includes a little statistics. A popular Windows utility developer has not only released an update to his suite of tools but has taken the time to write a novel featuring digital forensics. Wrapping up, we have some thoughts on timestamp manipulation and potential limitations of existing tools.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please send it to


  • Back in August 2010 I wrote about creating an OS X Incident Response CD. The topic generated interest among our readers in imaging the memory of a Mac. At the time there did not appear to be a way to create a memory image for a Mac in the way we can with the tools and modules available for Windows and Linux. Thanks to ATC-NY, we now have the Mac Memory Reader, a command-line tool for OS X which can create memory images.
  • Simson Garfinkel and his team have recently released several updates to the Bulk Extractor utility. This tool will parse a file or media image and extract useful patterns of information such as email addresses, domain names, and credit card numbers.
  • Mark Russinovich has recently updated the Sysinternals Suite. This collection of tools brings several useful abilities common in the Unix world to Windows including process listing, displaying logged on users, signature checking, and displaying loaded drivers.
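To illustrate the kind of scanning Bulk Extractor performs (carving recognisable patterns out of raw bytes without regard to file system structure, then summarising them in a histogram), here is an added example in Python. It is not Bulk Extractor's own code or output format; the buffer, e-mail addresses, domains and the two card-like numbers are constructed test values, the TLD allowlist is a simplifying assumption, and a Luhn check is used to drop digit runs that merely look like card numbers.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample buffer standing in for a disk or memory image.
# Everything in it is made up for the demonstration; 4111 1111 1111 1111
# is a well-known test number, 1234 5678 9012 3456 fails the Luhn check.
SAMPLE_IMAGE = (
    b"\x00\x00\xffslack\x00Contact: alice@example.com for details\x00"
    b"visit http://mail.example.org/login\x00"
    b"card 4111 1111 1111 1111 exp 12/14\x00"
    b"not a card: 1234 5678 9012 3456\x00"
    b"bob.smith@corp.example.net\x00"
)

Feature = Tuple[int, str, str]  # (byte offset, feature type, value)

# Patterns are compiled as bytes so they run over raw image data directly.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: a small TLD allowlist keeps "bob.smith"-style noise out.
DOMAIN_RE = re.compile(
    rb"(?:[A-Za-z0-9-]+\.)+(?:com|org|net|edu|gov)(?![A-Za-z0-9.-])", re.IGNORECASE
)
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CCN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(buf: bytes) -> List[Feature]:
    """Carve e-mail addresses, domain names and Luhn-valid card numbers."""
    found: List[Feature] = []
    for m in EMAIL_RE.finditer(buf):
        found.append((m.start(), "email", m.group().decode("ascii")))
    for m in DOMAIN_RE.finditer(buf):
        found.append((m.start(), "domain", m.group().decode("ascii").lower()))
    for m in CCN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):  # reject digit runs that only look like cards
            found.append((m.start(), "ccn", digits))
    return sorted(found)        # ordered by offset for a readable report


def histogram(features: List[Feature]) -> Dict[str, Counter]:
    """Count how often each value appears, per feature type."""
    hist: Dict[str, Counter] = {}
    for _, kind, value in features:
        hist.setdefault(kind, Counter())[value] += 1
    return hist


if __name__ == "__main__":
    feats = scan(SAMPLE_IMAGE)
    for offset, kind, value in feats:
        print(f"{offset:08x}  {kind:<6}  {value}")
    for kind, counts in histogram(feats).items():
        print(kind, dict(counts))
```

The offset column is what makes this useful in practice: once a feature of interest turns up, the offset lets you go back to the image and examine the surrounding bytes to work out which file or unallocated region it came from.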

Good Reads:

  • Cisco has released its 2010 Annual Security Report highlighting global security threats and trends. The report suggests that Apple's OS X platform is gaining in popularity with malware authors and that we are at a tipping point where cybercriminals are eyeing mobile devices as softer targets for their activity.
  • Mandiant released its second annual M-Trends report last night in Atlanta. The 2011 report expands on the previous year's work by providing an update on the then unfolding drama at an organization suffering from an Advanced Persistent Threat (APT). Of particular interest — the report describes how the attackers were able to defeat two-factor authentication through the use of proxies.
  • The book will not be out until mid-March but Mark Russinovich of Sysinternals and Microsoft fame has written a book titled, "Zero Day: A Novel." The plot description reads as if it unfolds like a blend of the styles of Tom Clancy and Neal Stephenson.
  • Lance Mueller offers some thoughts on detecting Windows timestamp manipulation.
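As an added illustration of what "detecting timestamp manipulation" can look like in code (this is not the content of Lance Mueller's post, and the MFT entries below are constructed), the following Python example applies two widely used heuristics to NTFS timestamps: a $STANDARD_INFORMATION time whose 100-nanosecond fraction is exactly zero, which is typical of tools that set file times through the ordinary API with whole-second granularity, and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, which the normal API does not let a user set. The field names in the dataclass are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to a Windows FILETIME integer."""
    delta = dt - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class MftTimes:
    """Subset of an MFT record's timestamps (field names are assumed)."""
    name: str
    si_created: int    # $STANDARD_INFORMATION creation time, FILETIME
    si_modified: int   # $STANDARD_INFORMATION last-write time, FILETIME
    fn_created: int    # $FILE_NAME creation time, FILETIME


def check_entry(e: MftTimes) -> List[str]:
    """Return a list of human-readable reasons the entry looks manipulated."""
    flags: List[str] = []
    # Heuristic 1: API-based time setting usually stores whole seconds,
    # leaving the sub-second part at exactly zero. Genuine file activity
    # almost always carries a non-zero fraction.
    for label, ft in (("si_created", e.si_created), ("si_modified", e.si_modified)):
        if ft % TICKS_PER_SECOND == 0:
            flags.append(f"{label} has zero sub-second component")
    # Heuristic 2: $FILE_NAME times are written by the kernel and are not
    # reachable through the normal file-time API, so an $SI creation time
    # older than the $FN creation time is worth a second look. Files
    # extracted from archives or copied with preserved times can trigger
    # this legitimately, so treat it as a lead, not proof.
    if e.si_created < e.fn_created:
        flags.append("si_created precedes fn_created")
    return flags


def find_suspicious(entries: List[MftTimes]) -> List[str]:
    """Names of entries that raised at least one flag."""
    return [e.name for e in entries if check_entry(e)]


def sample_entries() -> List[MftTimes]:
    """Constructed records: one ordinary file and one with stomped times."""
    utc = timezone.utc
    t_created = datetime_to_filetime(datetime(2011, 1, 20, 9, 15, 30, 123456, tzinfo=utc))
    t_modified = datetime_to_filetime(datetime(2011, 1, 20, 10, 2, 5, 654321, tzinfo=utc))
    # Backdated to an exact second in 2009, before the $FN creation time.
    t_stomped = datetime_to_filetime(datetime(2009, 6, 1, 0, 0, 0, tzinfo=utc))
    return [
        MftTimes("report.docx", t_created, t_modified, t_created),
        MftTimes("tools.exe", t_stomped, t_stomped, t_created),
    ]


if __name__ == "__main__":
    for entry in sample_entries():
        for reason in check_entry(entry):
            print(f"{entry.name}: {reason}")
```

Both heuristics are only as good as the timestamps you feed them, which is why they are best run against the $FILE_NAME attribute parsed straight from the MFT rather than against what the file system API reports.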


  • In December 2010, the FTC (Federal Trade Commission) approved Intel's purchase of security software vendor McAfee. If you thought that transaction was unusual, this month Intel hired of the Black Eyed Peas to be their Director of Creative Innovation.
  • Following the attack on its CEO's page, Facebook will offer https to its users. This new feature is found under Account Settings, Account Security.

Coming Events:

If you have an article to suggest for case leads please email it to

Digital Forensics Case Leads for 20110127 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy including Data Loss Prevention, Full Disk Encryption, and Education Awareness.


Posted January 27, 2011 at 2:12 PM

Sandro Suffert

Great stuff, Ray - thanks for sharing!
Adding my 2 cents:
You missed the new Harlan Carvey Book on Windows Registry Forensics: