SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Thefts, Breaches and Google talking about piracy

In this version we have several data thefts/breaches, and Google talking about piracy. Several tools have been updated and some good reads along with a little levity and training/conferences as well as call for papers.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Autopsy 3 second beta - is now available. The new major feature is hash database support. There were many other behind the scene changes, including a new database design and other performance improvements. This is still a Windows-only release
  • MFT_Cookie_Cutter - a simple application that tries to extract the embedded data held within Google Analytics Cookies. Showing Search terms used as well as dates of and the number of visits. Check out the other tools there as well.
  • Harlan Carvey updated his perl script which can be used for WiFi geolocation.
  • Many Windows Sysinternals tools have been updated check out their site for more details.

Good Reads:


  • Computer with information on four million patients stolen in California. The desktop computer that was stolen last month and was not encrypted contained personal information on more then four million patients dating back to 1995. Officials are stating that the data did not include any financial records, social security number or health plan identification numbers.
  • Data breach hits Virginia Commonwealth University. Personal and confidential information for more the 176,00 current and former students and employees may have been stolen. The staff first discovered suspicious files on a server on October 24, 2011. After taking the server offline they found that an intruder had access to it for 56 minutes on October 19, 2011.
  • Romanian Hacker Arrested for NASA Breach. Romanian police have arrested a 26-year-old hacker accused of infiltrating several NASA servers last year and tampering with data belonging to the U.S. space agency. Robert Butyka, who goes by the online name "Iceman," hacked into multiple NASA servers on Dec. 12, 2010, modified, damaged and restricted access to data. The security breach cost NASA about $500,000 in damages.
  • Google argues against U.S. online Piracy bill. A U.S. House of Representatives bill would allow a private party to go straight to a website's advertising and payment providers and request they sever ties. "A corporation, a copyright 'troll,' or anyone with an axe to grind could send a notice... without first involving law enforcement or triggering any judicial process," Google policy counsel told a House Judiciary Committee hearing.


Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20111117 was compiled by Mark McKinnon GCFA, CCE is Principal of RedWolf Computer Forensics where he has written many tools that are used throughout the Computer Forensic Community. You can follow Mark on twitter @markmckinnon.