SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Python Puts Snakes on the Case

This week, we feature a number of tools and articles that leverage Python to do the heavy lifting. So, if you're looking for scripts and applications to put the squeeze on some of that work load, this may be the article for you. In other news, Brian Krebs alerts us to new malware tricks, Jennifer Granick takes a legal look at recent hacking arrests, and the data center is alive at

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Last week, David Kovar announced the release of analyzeMFT 2.0, a python module for analyzing the Windows Master File Table ($MFT). This new version is object-oriented, and has been structured such that it can be imported "directly into the python interpreter to allow for manual interaction with the MFT." This update, courtesy of Matt Sabourin, "can also be imported into other python scripts that need to work with an MFT." In addition, some new command options have been added. See the announcement for details.
  • William Ballenthin at Mandiant recently released Python-registry, a set of Python modules used for accessing and parsing Windows registry files such as SAM and NTUSER.dat (not to be confused with .reg files). This particular item could also easily be filed under the "Good Reads" section. You can, of course, go straight to downloading the tool from the link above, but I highly recommend you not touch that until you read William's excellent post over on Mandiant's M-unition blog, Tearing Up the Windows Registry with python-registry. His post briefly discusses the structure of the Windows registry file, then provides some Python-registry usage examples complete with code samples.
  • Earlier this week, Sarah Lowman and Ian Ferguson posted Web History Visualisation for Forensic Investigations. This is another item that plays dual roles as cool tool and good read. The article on Forensic Focus, discussing the authors' research into the improvement visualization can provide to both analyst speed and confidence specific to web history analysis, is well worth the read. But it also introduces a visualization tool they've released, called Webscavator. Webscavator is a web application, written in Python and Javascript, that can be run locally on an analyst's computer to help visualize elements of the browser history examination, such as local files accessed, domain names visited, and search engine usage. Webscavator is in the early stages of development, but looks quite promising. I'm looking forward to giving it a spin.

Good Reads:

  • Jennifer Granick has a lengthy post on last week's numerous "hacker" arrests and indictments, entitled "Big Day in Hacker News Brings Prosecutions Grand and Petty." In this post on the Zwillinger Genetski blog, Law Across the Wire and Into the Cloud, Ms. Granick provides some interesting legal perspective on cases such as the Anonymous DDoS of PayPal, the release of AT&T documents that were later distriubted by LulzSec, the compromise of the InfraGard Tampa's website, and Aaron Swartz's (founder of Reddit) download of journal articles from JSTOR. Her perspective in this article might be interpreted as either independent or defense-leaning, depending on your own perspective. One would assume that prosecutors will have a different take on some of the issues Ms. Granick identifies. Nevertheless, the questions she raises seem valid (at least from my limited, i-am-not-a-lawyer, perspective), and one would hope that the prosecution has prepared for them.
  • Earlier this week, Neil Archibald posted a fairly geek-tastic article over on the Cisco Security blog. His post, somewhat innocuously titled Extracting EXE Drop Malware, discusses using Python and Yara to script the extraction of Windows executables embedded in other files such as MS Office documents, Shockwave Flash files, and image files. A comment I saw on Twitter questioned the use of a Yara signature to search for a simple text string (you'll see what I mean), but I think part of the point is to demonstrate the technique, which could also be leveraged for more complex signature searches. Neil then goes on to discuss using a virtual machine and Sandboxie to extract the executable by allowing the exploit to run and capturing the dropped executable. Both methods, of course, are designed to capture the malicious executable for further analysis.


  • Harlan Carvey has announced his upcoming book, Windows Forensic Analysis - 3rd Edition (WFA 3/e), and provided an overview of the content.
  • Krebs On Security: Trojan Tricks Victims Into Transferring Funds - This nasty little piece of malware tricks users into thinking that an erroneous transfer has been made to their accounts, and that they must transfer the money back (to an account the attackers control) in order to get their bank accounts unlocked. See Brian's post for more details.
  • Forget About Big Brother It's Someone Much Closer You Have to Worry About - This study for the Retrevo Gadgetology Report suggests that those worried about the watchful eye of Apple, Google, or the government may also need to start worrying more about family and significant others. In a survey of 1000 respondents in the United States, the study found that over 30% of respondents have or would spy on their significant others' email or call history. It would be interesting, I think, to see how results from other countries would compare, but there's no mention of such a study being planned.
  • Earlier this month, the U.S. Department of Defense released their Strategy for Operating in Cyberspace(PDF).


Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20110729 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-0f-all-security at Virginia Commonwealth University. When not busy with his day job, Gregory also contributes book and product reviews to Digital Forensics Magazine and


Posted July 29, 2011 at 7:49 PM | Permalink | Reply

Cory Altheide

The Open Memory Forensics Workshop runs in conjunction with the Digital Forensics Research Workshop ( August 1-3rd, 2011, in New Orleans.

Posted July 29, 2011 at 7:59 PM | Permalink | Reply

Gregory Pendergast

Thanks for the update Cory. I've added a link for DFRWS, in case folks don't read the comments.