SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: A Matter of Time

Time is of the essence this week. Several good resources expanding and extending the area of timline analysis have hit the interwebs, and you'll find them featured below in the Good Reads sections. In the news, Brian Krebs drops the names of other organizations penetrated by the RSA attackers. Meanwhile, NetAnalysis gets an update and Mandiant adds another free tool to our analysis arsenal.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • NetAnalysis 1.53 was released earlier this month. This is a fairly major upgrade that adds support for Firefox 7, Google Chrome 14, Internet Explorer 9, and more.
  • The good people at Mandiant have added another free tool, ApateDNS, to our analysis and response arsenal. ApateDNS is a small, phony DNS server that allows incident responders and malware analysts to quickly identify the command & control domains a piece of malware will use by logging the DNS queries and enabling the analyst to fake the DNS responses. Steve Davis explains the tool in his M-unition blog post.
  • Harlan Carvey recently created a list of free, open source tools that will be worth a periodic check, at a minimum. Harlan categorizes and describes a number of FOSS tools that are frequently useful in DFIR. Keep an eye on this list as Harlan discovers and adds new tools.

Good Reads:

  • Yesterday, Dave Hull posted an excellent article on "atemporal timeline analysis." He explains how to use inode numbering to pivot around known events of interest in order to identify related file system events that may not be observable simply by looking at the MACB times.
  • Earlier this week, Rob Lee gave a free 1-hour webcast on Super Timeline Analysis, sponsored by HTCIA and SANS-COINS. The archived webcast and presentation slides are available on the SANS portal (free portal account required). While the slides are informative in and of themselves, you'll definitely want to listen to the webcast recording.
  • Andreas Schuster posted Timers and Times yesterday, following-up on and extending recent work by Jamie Levy and Michael Hale Ligh. Andreas discusses decoding DueTime from the KTimer structure in order to "extend a timeline into the system's future." The ability to parse and analyze these structures in memory could help identify time bombs or other scheduled events that may not be apparent by other means.


  • Earlier this week, Brian Krebs posted an article, "Who Else Was Hit by the RSA Attackers?" In the article, he enumeraties 176 other organizations (with a few caveats) that were presumably compromised by the same attackers who compromised security vendor RSA.

Coming Events:

Call For Papers:


Digital Forensics Case Leads for 20111028 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-0f-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to


Posted November 4, 2011 at 2:26 PM | Permalink | Reply

Bill Dinnigan

I'm receiving a 404 error when I try to follow the "free, open source tools" link in the tools section above.

Posted November 4, 2011 at 7:35 PM | Permalink | Reply

Dave Hull

Thanks for pointing this out. I've corrected the link.