SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: log2timeline, DFIR dogs, and cybersemantics

This week brings us a new version of log2timeline, Cindy Murphy explaining how we're all like dogs (it's not a bad thing, I swear), and Kyle Maxwell wading into the murky semantic waters of APT, cyberwar, and hackers. Just to tweak Kyle, I'll dub that part cybersemantics. You can also learn what Facebook turns over to law enforcement when subpoenaed, and find out how one hacker got himself "busted" (you'll get the joke later) by his own GPS data.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


Good Reads:

  • Prey Drive - Guest post by Cindy Murphy on A Fistful of Dongles - Cindy extends Eric Huber's "Border Collie" analogy to creatively explore how the world of dogs can inform how we approach both our careers and our work. But you'll have to read for yourself to find out what you may have in common with a hunting dog.
  • Semantic change: APT, Cyberwar, and Hacking - Kyle Maxwell has some interesting thoughts on the words we use. I tend to agree with him, especially regarding the phrase APT (it really does need to die). Others will disagree on one or more points. But the more important point, I think, is that we need to be mindful and careful of the words we use to describe things. They have meanings, both denotations and connotations, and sometimes need to be re-evaluated. There was nothing wrong, originally, with the phrase Advanced Persistent Threat (APT). But no matter how you might rage over the loss of that original intent, it is still lost to the FUD and misinformation of the marketing machines. And perhaps, more importantly, as Kyle points out, the phrase no longer serves a purpose. It is no longer needed.
  • Can police still search electronic devices after case? - Utica Observer-Dispatch - This New York case questions whether police may legally search electronic evidence again after a case has concluded. A man who was serving a 6-month sentence on child pornography charges requested his digital camera be returned in early 2010, after his case had concluded. Police performed a last minute search of the device and found evidence that the man had recorded himself molesting a 10-year-old boy. He is now serving an 18-year prison sentence. His lawyer has appealed, contending that police needed a new search warrant for the search, as the case to which the prior warrant applied had already been concluded. The prosecutor contends that the camera was still being held pursuant to a search warrant, and that a new warrant was therefore not required. The prosecutor went on to argue that the police have an obligation to ensure they do not give back contraband, and that police were therefore obligated to search the camera prior to returning it.
  • Medicaid hacked: Utah Department of Health has 181,000 records compromised, including 25,000 SSNs.
  • Anonymous hacks UK government sites over 'draconian surveillance' - Yes, it's news, I suppose. But shame on you, ZDNet, for using the word "hack" to describe a denial of service attack. Just for the sake of a headline.
  • Even worse than SOPA: New CISPA cybersecurity bill will censor the Web - This article contends that the Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) currently making its way through the United States House of Representatives goes even further than the SOPA and PIPA bills in the authority it would give to the U.S. government to monitor and block internet communications, "as long as the government believes they have reason to suspect wrongdoing." The article itself is light on substance, and its heavy use of the word "censor" rings of FUD to me (though I haven't studied the bill), but it may be worth a look as a starting point. For a generally more balanced and comprehensive overview, check out Kyle Maxwell's "Cyberintelligence legislation: not just CISPA" over on his Overhack blog.
  • Here's what Facebook sends the cops in response to a subpoena - ZDNet - The title is pretty self-explanatory, but it's interesting to see that what law enforcement gets is pretty much everything, in a surprisingly tidy report. It's disturbing, though, that the Boston Police thought nothing of releasing the document in full, without consideration of the collateral privacy damage done to people other than the criminal. I'm sure that was unintentional, but they presumably did redact other case evidence. Props to The Boston Phoenix for making an effort at their own redaction before running the original story.


Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20120416 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Greg also contributes book and product reviews to Digital Forensics Magazine and