SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Bulk_extractor how-to, Verizon Report, FTK review, China prime suspect in RSA and other incidents

In this week's edition of Case Leads we have a how-to for Bulk_extractor's find feature, first impressions on the new database options in FTK, an extension for log2timeline for parsing the cache in Firefox, the Verizon data breach report, and statements by current and former US government officials about Stuxnet and China.

If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to


  • Bulk_extractor is a tool that is periodically mentioned on the blog. Simson Garfinkel posted a brief how-to that demonstrates the use of bulk_extractor in finding keywords in a disk image. The post explains why bulk_extractor is better (in some cases) than strings and grep (part of the reason is bulk_extractor parses compressed files.)
  • FTK 4.0 by AccessData has received some attention as it now provides the option of using PostgreSQL over Oracle. This article captures some of the first impressions of that switch.

Good Reads:

  • Verizon released its annual Data Breach Investigations Report covering 2011. (There is also an archive of previous year's reports.) The information in these reports can be useful in honing and measuring your organization's approach to security. As an example the reports typically measure or estimate how long it took to penetrate an organization and how much time elapsed before the organization detected the attack. That type of information can be used to gauge a SOC or to establish log retention policy.
  • This could also be filed under "Tools" but it's certainly a good read if your investigation involves Firefox and malware. The article addresses an extension to Kristinn Gudjonsson's log2timeline application that enables it better parse the Firefox cache.



Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20120330 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and when the incidents permit, he is involved in aspects of information security ranging from Data Loss Prevention to Risk Analysis.