SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: File Systems, Memory Forensics, and a Pedophile Ring Dismantled

This week, we have a wealth of File System information, new and old, updates to the popular and versatile RegRipper program, and some very promising research in the area of memory forensics.

But the best news, by far, is the success of Operation Rescue in taking down a substantial worldwide child exploitation ring. We applaud the efforts of the UK, Australian, and Europol law enforcement (and any others involved) in taking down this abominable operation and rescuing 230 children from. We extend our thanks for the hard work of everyone involved in protecting the world's children.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Fun With File Systems:

I spent some time this week reading some interesting articles, both new and old, on File Systems. A series of posts over on Ars Technica provides an interesting view of the Evolution of NTFS, and our own Hal Pomeranz has posted some good information on the EXT4 File System. The Ars Technica articles are not focused on forensics, but still provide good information relevant to forensic examination.


  • Last week, over on, Harlan Carvey released several new and updated RegRipper plugins. Of particular interest, I think, are a couple of plugins to help detect the presence of malware, based on information from Mark Russinovich and the Microsoft Malware Protection Center (MMPC).

Good Reads:

  • Yesterday, Johannes Ullrich posted Analyzing HTTP Packet Captures over on the Internet Storm Center diary. Johannes proposes a short Perl script solution to the problem of extracting HTTP requests from packet captures and mentions some options for replaying those requests. Be sure to read the comments thread as well for alternative suggestions on tackling the problem. One of the alternatives suggested references a previous Internet Storm Center post, Web Traffic Analysis with httpry by Guy Bruneau.
  • Earlier this month, the European Network and Information Security Agency (ENISA) released a comprehensive paper, edited by Dr. Giles Hogben, entitled Botnets: Measurement, Detection, Disinfection and Defence. The full report can be downloaded as a PDF from the link provided.
  • Lenny Zeltser posted an interesting look at Using Twitter for Public Relations During a Data Breach Incident. Organizations that engage their customer base effectively, whether by Twitter or some other means, will invariably come out looking better than companies that try to hide and minimize data breach reporting. I'm certainly not the first to say this, but it's high time organizations recognize that intrusions are inevitable and that communicating about them effectively goes a long way toward minimizing reputational damage. The real damage occurs when you, as an organization, appear to be hiding things.
  • Brendan Dolan-Gavitt announced some awesome new memory forensics research geared at more easily/automatically generating Volatility plugins and/or other memory forensics tools: Push the Red Button: Automatically Generating Memory Forensic Tools



  • Eric Huber has started a Facebook page for his blog, A Fistful of Dongles. Check out both the Facebook page and the blog. As a bonus, Eric recently posted discount codes for his upcoming SANS Forensics 408 (Computer Forensic Investigations - Windows In-Depth) to be held in Morristown, New Jersey, May 9-14.
  • Nominations are still open for the 2011 Forensic 4cast Awards. Please take the time to nominate your favorite Forensicator, tool, book, blog, etc.

Coming Events:

Digital Forensics Case Leads for 20110317 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-of-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to