SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: MBR Parser, VSC Toolset GUI, Memory Forensics Cheat Sheet & other goodness......

In this week's SANS Case Leads, we have a Python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-)

If you have an item you'd like to contribute to Digital Forensics Case
Leads, please send it to


  • Jamie Levy (@gleeda) posted a script that she wrote that parses the MBR in order to help find MBR infectors. Read Jamie's blog post. Grab the script here.
  • Jason Hale came up with a GUI front-end for Corey Harrell's batch scripts used to rip/examine Volume Shadow Copies, called VSC Toolset.
  • DEFT Linux 7.1 was released earlier this month. Read the announcement.

Good Reads:

  • Mike Ahrendt gave some insight into his experience with his education in digital forensics.
  • A new blog called Malware Analysis Blog has a tutorial on how to isolate your analysis VM from your host machine. Read about it here.
  • Interesting post on the digfor blog regarding the uniqueness of USB flash drive serial numbers.
  • Harlan Carvey posted his thoughts on how specializing in sub-disciplines within Digital Forensics is not really such a good idea. Read the post titled Convergence.


  • Chad Tilbury (@chadtilbury) put together a Memory Forensics Cheat Sheet which focuses on the use of Volatility. Grab version 1.0 here.


Coming Events:

Call For Papers:

Joe Garcia is a Law Enforcement Officer with over 18 years of experience, for the last 6 of which he has been assigned to conduct computer crime investigations and digital forensic examinations. He holds the GIAC GSEC Gold, GCIH & GCFA Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62.