SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?

The Paraben Forensics Innovator's Conference was held last week in Park City, Utah. Your SANS Digital Forensic blogger attended the event, along with over 300 fellow, forensicators and lawyers. With information security events like BlackHat, and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences.

At these smaller conferences you really get a chance to spend time with the same people. At PFIC, one of the attendees I met had an interesting incident at the office, and we were able to spend the time to discuss the case. And, these smaller events allow for more comparing of notes from different sessions over lunch. It's so much more difficult to get to really know someone at large conferences, with so many sessions and so many vendor events. Even the lunch events are like an army chow line at the large events. PFIC is in a small hotel, and you really get a chance to talk and interact often with the speakers.

The keynote speaker was the most interesting I have heard in quite some time. It was with Jeffrey "Skunk" Baxter of the Doobie Brothers. He is now working with the defense community to bring a fresh, out of the box approach to counter-terrorism and national defense. Another plus at PFIC was the depth of the expert witness bench. Speakers included team members that worked on the precedent-setting Victor Stanley case, and the Coleman Morgan Stanley case.

I encourage readers to think about attending next year. The URL for the conference is


  • From PFIC: The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers, students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Find out more at
  • From PFIC: Using Predictive Coding To Speed Digital Forensics and eDiscovery with Orcatec. This technology uses predictive coding in an attempt to provide accuracy, consistency and transparency, and dramatically reduces the time and cost of first-pass data review versus traditional "dirty word" lists. I wrote more about this topic in this blog posting.

Good Reads:

  • Put this one in the "Good Listen" category. In the event you missed this in last week's Case Leads: I recently interviewed Mark Bowden on Cyber Jungle Radio. Bowden is the author of "WORM: The First Digital World War". He also wrote "Blackhawk Down". The interview begins at about 14 minute mark of this week's show. I found the book to be a very good, fast read. The efforts by a group of unpaid information security and incident response professionals was very fascinating to read about, and to learn from. Reading this book will inspire many white hats to take on the black hats. The book also dispels the common myth that information security professionals create malware because otherwise we would be out of a job. This book shows how a dedicated group of information security professionals, many spending their own time and money, took on a the giant task of stopping a series of large scale attacks against some of the world's biggest information assets. There is an item in the news section related to a DNS attack take down that has some of the same elements of incident response that are covered in this excellent book.


  • New research has exposed some serious vulnerabilities in Amazon's Elastic Computing Cloud (EC2). It appears that several security vulnerabilities in the misuse and mismanagement of the AMIs (Amazon Machine Images). Among other concerns, vulnerabilities were found regarding credentials such as passwords, SSH keys and even Amazon AWS keys being left on an AMI presenting hackers with the opportunity impersonate a user or Amazon itself and steal confidential information. Jeff Hudson, CEO of Venafi equates this to an easier understand scenario. "Like generous souls giving their old jacket to a shivering passerby — only to find that they left their driver's license, passport, and credit cards in the pocket — these members published their AMIs without removing sensitive data such as SSH keys and the private keys associated with digital certificates." Hudson notes that while developers and administrators probably should have been able to use common sense to figure out these pitfalls he's not surprised that they didn't. "Enterprises have deployed thousands and ten thousands of digital certificates and SSH keys. The keys are deployed on various platforms in various business silos; they're obtained from multiple vendors and certification authorities (CA). Without any management tools, administrators have become used to ignoring them. In fact, server administrators often don't even realize that a private key installs with the server's digital certificate and that this key must be protected, which explains why the administrators so blithely left them in the AMIs."
  • Republic Wireless Officially Unveils $19/Month Service: Unlimited Everything, No Contracts. How do they do it? VoIP and other services over WiFi. What are the forensic implications of this shift in the mobile space? Sounds like a topic for a future SANS Forensics posting. Read more about the service here.
  • Biggest Cybercriminal Takedown in History? That's what Brian Krebs calls it. Huge incident response story buried in this story makes this entry a must-read.


  • Star Trek Meets e-Discovery: The Ferengi Vendors. Scroll down and play the "Star Trek eDiscovery" Video. Click Here.


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 11, Nov 2011 was compiled by by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT, CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.