SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: There Is No Theme

There is no theme. This week's content is so varied that I have forgone my usual attempt at creating and sticking to a theme for the week. Instead, I'll take this opportunity to give a couple of shout-outs, first to Basis Technology and Brian Carrier for putting on The Sleuth Kit and Open Source Digital Forensics Conference, which I had the pleasure of attending last week. Secondly, props to Mandiant for putting on MIRcon again this year. Last year's event was quite good, and I'm sure this year will be even better. But I mention both of these because they are free or low-cost conference options that make it possible for those with little or no budget to still attend, learn something, and network. And the quality of both events is exceptional, especially compared to the price. So, thanks to all who make those events possible and make them affordable.

That said, let's jump into the fray with this week's collection of tools, articles, and news. And, as always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Last week, at The Sleuth Kit and Open Source Digital Forensics Conference, Simson Garfinkel announced the release of bulk_extractor v1.0. While the tool has been around for a little while now, this was the first I had heard of it. bulk_extractor uses a truly unique approach to processing disk images and extracting artifacts. Rather than parse the file system and file system structures, bulk_extractor processes the disk image (or "any file or directory of file") as a stream of blocks and extracts information. According to Simson's presentation, this approach dramatically reduces the amount of time required to fully extract data from a disk. Time savings is great, but bulk_extractor also produces histograms of pertinent data that make it easy to identify most and least frequent appearances of items such as email addresses. I have yet to try this out, but it sounds quite promising. Check out the bulk_extractor page over at for more details.
  • Architecture Technology Corporation (ATC-NY) recently released their free utility, Dropbox Reader v1.0. Dropbox Reader is a set of Python scripts that parse Dropbox's sqlite configuration databases on Windows, Mac and Linux systems. The tools are promising, but I encountered one or two errors in my early testing, and I've seen others on Twitter mention quirks and issues as well. Of course, if you do find a bug, do the right thing and report it to the developers. They had a fix for my particular bug back to me within 20 minutes, which is impressive. You may also find some of their other utilities and products useful as well.
  • Thanks to Lenny Zeltser for bringing peepdf to my attention. Peepdf is a Python tool used to analyze PDF files in order to determine whether a given file may be malicious. Lenny also has a good post on the use and installation of peepdf over on his blog.
  • While it's not strictly a forensics tool, I think it's still worth mentioning that "John the Ripper" got an update today. Its major feature change is a significant speed improvement. Review the release notes for details. It's also worth noting that Rapid7 is now sponsoring the development of "John the Ripper," and will be integrating it into upcoming versions of the commercial Metasploit offerings. Dark Reading has that story.
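To illustrate the stream-of-blocks processing and histogram output described in the bulk_extractor item above, here is an added Python example; it is not bulk_extractor's code and not part of the original post. The regular expression, function names, block and margin sizes, and the sample bytes are assumptions constructed for the illustration.

```python
import io
import re
from collections import Counter

# Simplified address pattern (an assumption, not bulk_extractor's scanner).
EMAIL_RE = re.compile(
    rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def scan_stream(stream, block_size=4096, margin=256):
    """Extract (absolute offset, address) pairs from raw bytes, block by block.

    No file system is parsed. A match ending within `margin` bytes of the
    buffer end may be cut short by the block boundary, so it is deferred and
    rescanned with the next block. Features longer than `margin` can be missed.
    """
    features = []
    carry, base = b"", 0              # base = absolute offset of buf[0]
    block = stream.read(block_size)
    while block:
        nxt = stream.read(block_size)  # look ahead to detect the final block
        buf = carry + block
        safe_end = len(buf) if not nxt else max(len(buf) - margin, 0)
        cutoff = safe_end
        for m in EMAIL_RE.finditer(buf):
            if m.end() > safe_end:     # possibly truncated: defer it
                cutoff = min(cutoff, m.start())
                break
            features.append((base + m.start(),
                             m.group().lower().decode("ascii")))
        carry, base = buf[cutoff:], base + cutoff
        block = nxt
    return features

def histogram(features):
    """Count occurrences per address, most frequent first."""
    return Counter(addr for _, addr in features).most_common()

# Constructed sample "image": binary filler with addresses at arbitrary
# offsets, two of which straddle a 32-byte block boundary.
SAMPLE = (b"\x00" * 27 + b"alice@example.com" + b"\xff" * 40
          + b"bob@example.org\x00" + b"\x01" * 19 + b"Alice@Example.com"
          + b"\x00" * 50 + b"alice@example.com")

def scan_sample(block_size, margin):
    return scan_stream(io.BytesIO(SAMPLE), block_size, margin)

if __name__ == "__main__":
    for addr, count in histogram(scan_sample(32, 32)):
        print(count, addr)
```

Because each hit carries its absolute offset, an examiner can go back to the exact location in the image even though no file system structure was consulted.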

Good Reads:

  • Josh Goldfoot, Senior Counsel for the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, has written an excellent article, The Physical Computer and the Fourth Amendment (PDF), that discusses how our conception of computer artifacts, and the metaphors we use to discuss them, can have a huge (and potentially detrimental) impact on the practice of digital forensics. At particular issue in this article are two perspectives which Mr. Goldfoot calls the "container" and "physical" perspectives. The "container" perspective treats the various artifacts (e.g. files, folders, etc.) on a computer as separate items to search/seize, which could impose significant obstacles to our ability to process digital evidence. This perspective has the admirable but ultimately unworkable goal of limiting digital media examinations to only those artifacts or containers that are relevant to the particular case at hand. The "physical" perspective, which Mr. Goldfoot advocates, treats the media in question (hard drive, cell phone, etc.) as a single piece of physical evidence that is open to full examination, just as other objects of evidence ("drugs, blood, or clothing") would be when legally obtained. The paper is well worth the read by anyone working in computer forensics, as the outcome of this question could significantly affect the way we work. (Thanks to Ovie Carroll for spreading the word about this one.)
  • Harlan Carvey has a thoughtful and interesting post on Defining "Forensic Value," over on his Windows Incident Response blog. The key question is, what makes a forensic artifact, tool, or process valuable? Both the post and the comment thread are worth reading and thinking about.
  • David Nides recently blogged about automating forensic tasks. In this post, David discusses the process of creating a Windows batch file to automate the process of mounting a forensic image, modifying the permissions of the "System Volume Information" folder, and launching RipXP to extract data regarding all USB devices connected to the imaged system. David provides the full script at the end of the post, but the explanation of the process and the accompanying video walk-through are worth the time. The batch file can, of course, be easily modified and extended to extract different information or perform other tasks. And the video will be helpful to those unfamiliar either with scripting in general, or with the Windows batch command language specifically. David also mentioned that David Kovar will be porting the work to Python and that they will be collaborating on further automations. All in all, it sounds promising.
  • Our friend, Lenny Zeltser, also blogged today on The Critical Role of the Security Incident Response Coordinator. This is a short read on the key skills and responsibilities for the Incident Response Coordinator role. If you're building, or need to build, an Incident Response Team, this is definitely worth reading and thinking about. The post also links to several other items that will be of interest.



  • The FE Side - Frustrated Examiner - from the Girl, Unallocated blog. Digital Forensics cartoons. You've gotta love this. I hope there's more to come. :-)
  • Dilbert gets thrown into the world of Black Hat SEO.

Coming Events:

Digital Forensics Case Leads for 20110623 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-of-all-security at Virginia Commonwealth University.

If you have an article to suggest for case leads please email it to