SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Registry Decoder 1.1 released, FOR 558 Reviewed, OpenIOC Debuts

This week, we've got news, reviews, tools and all kinds of digital forensic goodness in store. A new version of the excellent Registry Decoder tool has been released! Along with that, we've got links to a review of a SANS Forensics course, and other news. So, sit back, relax and read this week's Case Leads. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Registry Decoder 1.1Andrew Case announced a couple of days ago that the new version of Registry Decoder was out. It's chock full of new features, such as support for Encase E01 and split images, full wildcard searching, command line support, and lots more. If you haven't tried this excellent, plugin based tool, you need to give it a try.
  • Digital Detective has a new user manual out for Netanalysis.

Good Reads:

  • SANS FOR 558 Review. I was fortunate to attend FOR 558, Network Forensics at SANS Chicago a couple of weeks ago with my good friend, Brad Garnett. He did this review on his Digital Forensic Source blog soon after completing the class and he echoes my own thoughts on the course. If you've considered taking the class but haven't decided yet if it's for you, you should read this review. By the way, our instructor was Paul Henry and we both found him to be an excellent instructor as well as a really good guy.
  • Put this one in the "Good Listen" category. Ira Victor recently interviewed Mark Bowden on Cyber Jungle Radio. Bowden is the author of "WORM: The First Digital World War". He also wrote "Blackhawk Down". The interview begins at about 14 minute mark of this week's show. Ira had this to say about the book: "I found the book to be a very good, fast read. The efforts by a group of unpaid information security and incident response professionals was very fascinating to read about, and to learn from. Reading this book will inspire many white hats to take on the black hats. The book also dispels the common myth that information security professionals create malware because otherwise we would be out of a job. This book shows how a dedicated group of information security professionals, many spending their own time and money, took on a the giant task of stopping a series of large scale attacks against some of the world's biggest information assets."
  • Eric Huber has a new post up on his A Fistful of Dongles blog. In addition to having the best name for a blog ever conceived, his blog always has excellent content.
  • Interesting new post up on the Windows Incident Response blog: DF Analysis Lifecycle. Harlan always has thought provoking articles on his blog and this one is no different.
  • Volatility 2.0-Advance Memory Forensics with video demonstration on The Hacker News site. Memory forensics and Volatility are always cool.


  • Issue 9 of Digital Forensics Magazine is out. Plenty of good reading in there this month, including "Big Brother Forensics", Geolocation data use in forensic investigations, using Wireshark to find malware and much more. I highly recommend this excellent magazine.</li>
    <li><a href=>Mandiant</a> announced this week that their new site for <a href=>The Open IOC Framework</a> has gone live. This interesting project is meant to help provide a framework for the sharing of threat intelligence. Definitely worth a look!

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20111105 was compiled by Ken Pryor, GCFA. Ken is a police officer and does computer forensic investigations for his and several other law enforcement agencies in his area. He is also an adjunct instructor for Lincoln Trail College in Robinson, IL, teaching computer forensic and related courses.