SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Mandiant has released an update to their Highlighter tool to V1.1.2. You can read information about the update here.
  • Dell has extended their digital forensics line to include a mobile offering, consisting of a hardware/software bundle to enable faster evidence collection at incident locations. Check out the toys.

Good Reads:

  • Chris Pogue (@cpbeefcake) has written Part 4 of his "Sniper Forensics" blog series on "Finding Evil" with some good guidance on helping customers clarify their own goals in an engagement. Check it out on Trustwave's SpiderLabs blog here.
  • The Cryptonomicon blog has an entry with an overview of using EnCase and FTK to acquire and analyze solid state USB drives. With all the current discussion of SSDs, more people will be looking into the subject, and this entry provides a good starting point for the process.
  • Today's issue of Digital Forensics Investigator includes some articles worth reading, including an introduction to SIM (the card in mobile phones, not the game character) Forensics describing the basics of SIM cards themselves.
  • DFINews also has a solid article on the importance of validation of forensic software. Particularly with the prevalence of open source tools, it's critical that examiners understand the importance of validation, and demonstrate their understanding by practice.
  • The MNIN Security Blog includes a recent post which describes how the author found network socket and connection information in Windows Vista/7 memory. He used that information to contribute a new Volatility plugin, but this post describes how he discovered the information needed.
  • The Columbia Journalism Review has an interview with Hany Farid discussing generalities of detecting photo manipulation. Perhaps equally interesting is the link to Farid's website which gives examples of Photo Tampering Throughout History.


  • The State of Virginia has elected to exempt computer forensics practitioners from private investigator licensing. Text of the amended legislation can be found here. And there was much rejoicing....


  • Mandiant has announced that Richard Bejtlich (@taosecurity), formerly head of GE's CIRT and current member of the SANS Forensics Advisory Board, will be joining Mandiant as Chief Security Officer and Security Services Architect. The press release is here.
  • Nominations for the Forensic 4cast Digital Forensics Awards are open. Submit your nominations at
  • The program for the SANS summit - What Works in Incident Response Summit (see below) is being finalized. Chris Pogue will be returning to give an update to last year's presentation - Sniper Forensics 2.0: Target Acquisition. Stay tuned for more speaker announcements.

Coming Events:

Digital Forensics Case Leads for 20110325 was compiled by G W Ray Davidson, PhD, CISSP, GCIA, GCFA, ETC, assistant professor of Information Technology at Purdue Calumet, SANS Mentor and serial facilitator.