SANS Digital Forensics and Incident Response Blog

Digital Forensic Case Leads: Medical Records Get Hacked, #DFIR Index, New and Updated Tools and More....

In this edition of SANS Case Leads we have petabytes of #DFIR tools, reads, news, and levity to stimulate your analytical juices and warm up your processors. Get your dongles out 'cause AccessData has updates and we got more breaches to investigate! Dongleless? I got you covered with a brew of Python, Perl and EXE kung fu. If you ain't forensicating, let the bandwidth flow on DFIRonline or vote for the next prez in the Forensic 4cast awards.


  • New AccessData product releases including Forensic Toolkit (FTK) and FTK Pro v4.0.1, FTK Imager v3.1.0, AD ECA v4.3.0 and AD Lab v4.0.1, AD eDiscovery v3.4.0, and AD Enterprise v4.0.1. Check out the release notes and key feature enhancements for all the details. Make sure to check out the new Cerberus and Visualization modules if you haven't already — they're pretty sweet!
  • Mandiant discovered some cool cache data in the Windows Registry generated by the Windows Application Compatibility Database. Depending on the operating system version this data can include file names, size, last modified times, and last execution time. Mandiant released a proof-of-concept Python script, Shim Cache Parser that extracts this awesome forensic evidence from the Windows Registry. More information can be found in the white paper. Python is great!!
  • While I was sleeping, Harlan Carvey was "working on his first cup of coffee" and Perl hacking a new RegRipper plugin (tested on 32-bit Windows XP only) that incorporates Mandiant's findings above. This is a great example of how powerful RegRipper can be and should encourage others to help grow the library of RegRipper plugins. Harlan has shared the plugin and it can be downloaded here.
  • HMFT released a simple tool, HMFT, that extracts the $MFT from a given drive or disk image to a file in any location (including a removable drive).
  • Digital Forensics Solutions LLC dropped LiME Forensics. LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network.
  • Brent Skumlien released ParseRacWMI, a command-line utility to parse the data available from the Windows 7 Reliability Monitor. This artifact can contain goodies about software installations, blue screen bugchecks, device installs, and unexpected shutdowns. Kudos to Ted Scott for mentioning this treasure trove.

Good Reads (+ Listens + Videos):


  • Lee Whitfield has decided to create Forensic 4cast Magazine, an online magazine for #DFIR nerds. He is currently aiming to publish the first article no later than June. He is welcoming Case Studies, Research, Reviews, interviews, interesting artifacts, hints and tips, etc.
  • If you are unfamiliar with the DFIR Search, it's a custom Google search that only searches #DFIR blogs, websites, and online resources. Anyways, it was updated this week. If you want to know exactly what it's searching, check out the index.
  • Atlanta's Emory Healthcare recently admitted having lost 10 backup disks containing personal data on approximately 315,000 patients.
  • Unconfirmed: the FBI seized a server providing an anonymous remailer and many other services from a colocation facility.


  • First, he warned of the security flaw in Iran's banking system. Then he provided them with 1,000 bank account details. When they didn't listen, he hacked 3 million accounts across at least 22 banks. So that's what you need to do to get some f$%ing attention these days!? Read more about it. I don't know about you, but I would have just gotten naked at the TSA like this guy did to make the point.

Coming Events:

Call For Papers:


About the author:

David Nides is a Senior Associate in KPMG's Forensic Technology Services practice in Chicago, IL. He currently plays a lead role in developing and delivering KPMG's Incident Response services, consulting for clients globally on APT, data breach, and other cyber crime investigations. You can follow David on Twitter @davnads or at his forensic blog.



Posted April 22, 2012 at 2:22 AM

Tom Yarrish

Um, it's libewf not libewtf
(although I guess it could be depending on your opinion of the E01 format. :) )

Posted April 22, 2012 at 5:05 PM

Mark McKinnon

This has now been fixed. Thanks.

Posted April 23, 2012 at 1:00 AM

Mark McKinnon

Just added the plugin from Harlan Carvey that can be downloaded.

Posted May 24, 2013 at 7:34 PM


I am interested in finding out if anyone has a specific enterprise or consultancy with regard to Electronic Medical Records and digital forensics, particularly for abuse, fraud, utilization and quality assurance investigations.