SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Tons o' tools, a new challenge, and hard drive steganography

This week we have a number of new and updated tools, a new forensics contest, and a new steganographic technique.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Sebastian Porst has posted a collection of tools for analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license. Get them here. Lenny Zeltser has tried a couple of the tools and written a blog post about them here.
  • Paraben has updated P2 eXplorer Free and P2 eXplorer Pro to V3.1. For a list of differences between P2X Free and P2X Pro, see the document here.
  • Mario Piccinelli has released iPBA (iPhone Backup Analyzer), a free tool which allows an investigator (or any other user) to read configuration files, browse archives, explore databases and otherwise investigate the backup folder of an iOS device. It's written in Python, released as open source software, and available here.
  • WinHex, X-Ways Forensics and X-Ways Investigator have been updated to V16. Check out this site for more info.
  • The PenTestIT site has posted a couple of tools for detecting TrueCrypt volumes on hard drives and .dd images. Check out TCHunt and TCDiscover, respectively.
  • PenTestIT also has a simple GUI tool for extracting basic file metadata here.
  • And speaking of tools, Jonathan Krause maintains a list of free forensic tools at this site. If you know of tools that should be added, be sure to drop him a note. And bookmark the site for your own use!

Good Reads:

  • Richard Drinkwater has a blog post on carving SQLite databases from unallocated clusters. These filetypes are often used to store information for browsers and other OSX and iOX files, but they can be problematic because though the file has a header, there is no footer, and the file length isn't stored within the file. Richard's blog post is here.
  • Ondrej Krehel has a nice article on how to create a network forensics appliance using open source software. It doesn't give detailed build instructions, but rather a good list of tools that might be appropriate for inclusion, and some issues to consider as you build your own. The article is here.
  • Eric Fulton, Jonathan Ham, and Sherri Davidoff have posted a new forensics challenge. Download the packet capture and see if you can answer the questions. Deadline for submissions is 31 May, and preference is given to those who can produce elegant tools for the community. Even if you're not a coder, it's always good to get practice; check it out here.


  • It is "common knowledge" that China is one of the greatest threats to the computer infrastructure of the rest of the world. However, China itself may not be as invincible as some might think. Dillon Beresford has spent quite a bit of time investigating the security of China's infrastructure, and discussed his findings in an interview with Threatpost. Catch the interview here.
  • Laws concerning computer crime can vary from state to state. There is a good collection of state-specific information, including classification of criminal activity and intent requirements at this link.
  • The Register is reporting that researchers have developed a way to stealthily store 20Mb worth of information on a 160Gb hard drive, using a cluster based covert channel. Check out the Register story here, and see the original scientific paper here.


  • For this weeks dose of levity, check out some of Lee Whitfield's comments in his interview with Andrew Hay, here.
  • And at this link, in the first comment, Harlan Carvey answers the age old question of what is the best computer imaging and analysis tool available.

Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20110430 was compiled by G W Ray Davidson PhD, CISSP, etc etc, assistant professor of Computer Information Technology at Purdue University and SANS serial facilitator.