SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: ReFS, Ex01, and DFIROnline

This week's cornucopia of forensic goodness so thoroughly defies summary that I nearly gave up writing an introduction. But a few things do merit particular emphasis. First, the second DFIROnline meetup takes place tonight at 20:00 EST. Luminaries Harlan Carvey and Eric Huber will be presenting. Before then, however, you may want to take some time to read up on how Microsoft and Guidance Software will soon be changing our lives. Microsoft has published some information on its new ReFS file system, while Guidance Software has released details for its new EnCase Evidence File Format v2 (Ex01). Both of these will inevitably require some adjustment in the months and years ahead.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • The next DFIROnline meetup will be held Jan 19, at 20:00 EST. Harlan Carvey will present "Malware detection within an acquired image", and Eric Huber will present "The Advanced Persistent Threat or: How I Learned to Stop Worrying and Love DF/IR." Recordings of previous meetups are also available.
  • Nominations for the 2012 Forensic 4cast awards are now open. Please take the time to nominate your favorites and help to recognize the people who contribute so much to the DFIR community.


  • Our own Dave Hull has released several interesting Python scripts recently that apply statistical analysis to Sleuth Kit fls output, in a unique attempt to identify malware within a file system. These scripts were all mentioned separately in some of Dave's recent posts, but I thought it worthwhile to pull them all together here to draw more attention. You will also want to read the related posts, if you haven't already: Atemporal Time Line Analysis in Digital Forensics, Outlier Analysis in Digital Forensics, Digital Forensics: UID and GID Distributions, and Metadata Distributions in Computer Forensics.
  • Michael Ahrendt recently released an interesting-looking "Automated Triage Utility," written in the AutoIt scripting language. It is a GUI-driven data collection utility designed for live system response. In this regard, it reminds me a lot of Monty McDougal's Windows Forensic Toolchest. They differ in UI and programming language, but aim at the same objective.
  • Many of us use a virtualized instance of Windows XP for various analysis purposes. However, as Lenny Zeltser recently pointed out, licensed copies of Windows XP are becoming increasingly rare. In his post Using Free Windows XP Mode as a VMWare Virtual Machine, Lenny explains how to obtain a free virtualized instance of Windows XP from Microsoft (assuming you already have Windows 7 Professional, Enterprise, or Ultimate on your base system) and convert it from Virtual PC to VMWare if desired.
  • During a recent browser history examination, a user's search history became particularly relevant. In trying to make sense of some of the URL parameters, I happened across Google Search URL Parameters — Query String Anatomy by Ann Smarty over at BlueGlass Interactive. While the table she provides is not complete, it did prove most helpful in dissecting the Google Search URL string. If anyone else has useful references on this matter, I would appreciate hearing about them in the Comments section.
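To make the outlier idea from Dave's fls posts concrete, here is an added example (mine, not Dave's scripts) that parses Sleuth Kit body-file output and flags files whose UID:GID pair is rare across the image and files whose creation time sits far from the median of their own directory. The body-file lines, file names and timestamps are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of `fls -r -m / image.dd` output in the TSK body format:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Four entries share a 2009 build timestamp and owner 0:0; one does not.
SAMPLE_BODYFILE = """\
0|/Windows/System32/kernel32.dll|1021-128-1|r/rrwxrwxrwx|0|0|1114112|1309000000|1247000000|1247000000|1247000000
0|/Windows/System32/ntdll.dll|1022-128-1|r/rrwxrwxrwx|0|0|1292192|1309000000|1247000000|1247000000|1247000000
0|/Windows/System32/user32.dll|1023-128-1|r/rrwxrwxrwx|0|0|833024|1309000000|1247000000|1247000000|1247000000
0|/Windows/System32/svchost.exe|1024-128-1|r/rrwxrwxrwx|0|0|27136|1309000000|1247000000|1247000000|1247000000
0|/Windows/System32/wupd32.exe|90321-128-1|r/rrwxrwxrwx|48|513|61440|1326900000|1326900000|1326900000|1326900000
"""

def parse_bodyfile(text):
    """Parse body-file lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        rows.append({"name": fields[1], "uid": fields[4], "gid": fields[5],
                     "crtime": int(fields[10])})
    return rows

def rare_owners(rows, max_share=0.25):
    """Files whose UID:GID pair accounts for at most max_share of all entries."""
    counts = Counter((r["uid"], r["gid"]) for r in rows)
    total = len(rows)
    return [r["name"] for r in rows
            if counts[(r["uid"], r["gid"])] / total <= max_share]

def crtime_outliers(rows, max_days=30):
    """Files created more than max_days away from the median crtime of their directory."""
    by_dir = defaultdict(list)
    for r in rows:
        by_dir[r["name"].rsplit("/", 1)[0] or "/"].append(r)
    hits = []
    for entries in by_dir.values():
        med = median(e["crtime"] for e in entries)
        hits.extend(e["name"] for e in entries
                    if abs(e["crtime"] - med) > max_days * 86400)
    return hits

if __name__ == "__main__":
    rows = parse_bodyfile(SAMPLE_BODYFILE)
    print("rare owner:", rare_owners(rows))
    print("crtime outlier:", crtime_outliers(rows))
```

Both checks are only hints for review: a legitimately installed driver or a service account can trip either one, so treat hits as a prioritized reading list, not a verdict.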

Good Reads:

  • University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.
  • Earlier this week, on the Building Windows 8 blog, Microsoft provided some of the first details regarding their new ReFS (Resilient File System) - Building the next generation file system for Windows: ReFS. While the post doesn't provide nearly the level of detail forensicators will eventually need, it is a good and relatively deep introduction to Microsoft's newest file system. According to the post, ReFS will first be implemented as a storage file system for Windows Server, then for clients, before ultimately becoming a bootable file system for both server and client.
  • Erika Noerenberg recently posted a brief head-to-head review of four Network Forensic Analysis Tools that is worth a read. She shares her impressions and experiences while testing NetWitness Investigator (freeware version), Xplico, Solera DeepSee, and NetworkMiner. Specifically, her comparison of features will prove helpful if you're looking for the right tool for your particular job.


  • Last week, Guidance Software released the technical details for their new EnCase Evidence File Format v2 (Ex01). Registration is required to download the whitepaper, or it can be downloaded from their Support portal if you already have a support account.
  • AccessData has announced dates for their FTK 4 World Tour, and registration for some dates is now open. If you're looking for a preview of the new version, here's your chance.

Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20120119 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Gregory also contributes book and product reviews to Digital Forensics Magazine and


Posted January 19, 2012 at 7:44 PM


w00h00. tonight's talks look tasty!!!! can't wait!

Posted February 21, 2012 at 7:23 AM


I learnt of the Building Windows 8 blog on the issue of the Resilient File System and it happens to be of help. It is good for a better understanding of the issue.