SANS Digital Forensics and Incident Response Blog

Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud

The digital forensic and ediscovery case of the decade could describe the litigation between Facebook and a man that claims he has a contract and emails from Harvard Student Mark Zukerberg for 50% ownership of "The Face Book" as an early-stage investor. There are more questions than answers in this case right now, among them: Where were these emails during the Winklevoss case, and why didn't they appear during discovery for that case?

In other forensic news: What do we need to know when crossing the US border with sensitive or confidential information that could be imaged from laptops, and smart devices? In incident response news: Are major firewall companies so focused on "cloud computing" and "social networking" that their products lack fundamental protection from malformed packet attacks? The researchers at NSS Labs released an eye-opening report that claims many enterprise firewalls are vulnerable to these old-school attacks.

And, the Feds are re-examining forensic investigation procedures for the GSA and Ag Department as they migrate emails to a cloud services provider.


  • Law Enforcement, intelligence teams can save time with Dell's new mobile digital forensics solution. Spektor OS, and Dell team up with a digital forensics "jump kit." Read more in Kit puts digital forensics into the field.
  • Investigators that have to look at Twitter messages will find this very handy dissection guide useful: It's called "map-of-a-tweet"

Good Reads/Listens:

  • Federal lawyers and record managers are watching closely how the General Services Administration, the Agriculture Department and others move their email and collaboration services to private sector cloud computing providers. When the government faces a lawsuit, will the agency be able to find and provide the information the lawyers or the court requires? Will the agency have access to their data and all the meta data that surrounds emails or other documents stored in the third-party cloud? More at Federal News Radio
  • Just how broken are SSL certificates? "Right now, it's just an illusion of security," said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. "Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems." Read more at The Register.
  • More SSD forensic challenges for mobile device forensics as Moxie Marlinspike's WhisperCore brings full disk encryption to Android smart devices.
  • Lock security expert, attorney, and regular DefCon speaker, Marc Weber Tobias: Welcome to the U.S., We'll Take Your Laptop Now.


  • French "hacker" and alleged Anonymous member arrested after bragging on TV.
  • The Digital forensic and eDiscovery investigation of the decade? That's what some are saying about a new Facebook lawsuit. Here's What Happens Next — And Who Is Likely To Pay.
  • Child-porn images allegedly found on ICE chief's home computer; images allegedly exchanged via AOL's email servers, and not part of an ICE investigation.
  • Tackling insider fraud and incident response in a world of fragmented efforts that are unable to keep pace with the methods used to circumvent controls. Read more in this Bank Security Portal story.
  • We've all heard of "the Trojan did it" defense. That's when a cybercrime is denied by a claim that malware infected a machine a remote actor did the action that caused an arrest. NSS Labs this week released a bomb-shell report that questioned the basic security of major firewall vendors.
  • Calls for revisions to an auto accident privacy law. Originally intended to protect citizens, but is it being used to block government transparency?


  • It's an open secret that some jurisdictions use traffic tickets and quotas as an illegal tax, but now there's proof: Officers who alleged LAPD traffic ticket quota system win $2-million judgment from City of Los Angeles
  • A tech bargain hunter thought he snagged a 500GB SSD at a great price. Instead he got fraud-laced hardware and firmware hack of an 128MB thumb drive inside a 2.5" case. You won't believe this story.

Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 2011 April 14 was compiled by by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor .