SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Data Extraction, Cyber Threat Reports, APTs and Duqu, a Stuxnet Variant

This week's edition of Case Leads features updates to applications for bulk data extraction and processing mobile devices. We also have a couple of reports from the researchers at Georgia Tech and Microsoft that address emerging and current cyber threats. We close out this week's Case Leads with a few suggestions on how to address APTs and reports on the emergence of a Stuxnet variant named Duqu. As always, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

  • A new version of bulk_extractor has been released. This tool can scan a disk image, file, a directory of files, or network packet captures and extract useful information without parsing the file system or its structures. The output of bulk_extractor is stored in such a way that can be easily inspected, parsed, or processed with automated tools. Bulk_extractor will also create histograms of its findings that may be useful in identifying important features. The tool is able to take advantage of multiple cores and it has the ability to detect and process compressed data even if that data resides in unallocated space.
  • Version 3.6 of the Oxygen Forensic Suite was recently released. This version allows data to be extracted from mobile devices even after the license expires. This latest version added support for a number of new mobile devices, applications, and OSs.

Good Reads:

  • Simson Garfinkel, the creator of bulk_extractor gave a presentation on the tool that provides a nice overview of the design, history and future direction of the application.
  • Microsoft released the 11th edition of its Security Intelligence Report. According to the 100+ page report very few incidents involve zero-day attacks and users are their own worst enemy when it comes to malware infections. According to Microsoft, nearly half of the malware incidents are user facilitated.
  • Eric Huber offers a few views on the current state of the APT and what the US and other countries should consider doing about the problem.



Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20111020 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and when the incidents permit, he is involved in aspects of information security ranging from Data Loss Prevention to Risk Analysis.