SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Pwn2Own 2011 underway

Last week I was in Boston teaching SANS FOR 408: Computer Forensic Essentials, now renamed to Windows Forensics In-Depth. Thank you to all those in my class; it was fun. Huge thanks to my facilitator, Mike.

I mention the course here because I had a mix of students, from experienced veterans to those brand new to the field. The course offers something for everyone. My favorite part of the week was the last day's challenge exercise, where students are divided up into teams and work a case and then have an opportunity to present their findings at the end of the day. I had more than a handful of law enforcement in the room and though they quickly cracked the case, they didn't want to present. They did play the attorney role very well during the "mock trial" and I think it really gave the students an idea of what they may be facing when and if they ever have to go to court.

In this week's case leads, some items I pulled from the DFIR mailing list, including an announcement about Volatility and support for Linux, and an older but still valuable post from Anton Chuvakin on discovering compromised systems.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


Good Reads:


Coming Events:

Digital Forensics Case Leads for 20110310 was compiled by Dave Hull, forensicator, IRer and Community SANS instructor. If you have an article to suggest for case leads please email it to