SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Your Password Is Out There, again...

This week's big news is a rash of data breaches at LinkedIn, eHarmony, and that exposed millions of account passwords, and probably other data that the attackers haven't made public. So we have the obligatory links to cover those stories, but also a wealth of interesting new and updated tools. Among these are HexDive, SquirrelGripper, ShadowKit, and a Report Writing cheat sheet from Girl,Unallocated. Also worthy of particular note is Corey Harrell's Compromise Root Cause Analysis Model in the Good Reads section. There's a lot of good stuff to take in this week, especially in the Tools and Good Reads categories, so please read on!

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

Your Password Is Out There:

Last week's edition of Case Leads was on fire with news about the Flame malware. This week brings us a rash of compromises leaking millions of passwords as LinkedIn, eHarmony, and fall victim to hackers. The leak of these password hashes revealed serious security fail, showing that these sites (and probably others) are storing their customers' credentials and other confidential data insecurely.


  • Process Explorer 15.2 was released. This version integrates AutoRuns functionality and introduces a graphical process timeline, among other cool changes.
  • ShadowKit by David Dym is a relatively new tool for accessing/recovering Volume Shadow Copies. I haven't had an opportunity to try this yet, but it sounds promising. (Thanks to Rob Dewhirst for bringing this one to our attention.)
  • Melia Kelley (Girl, Unallocated) recently posted an excellent Report Writing cheat sheet over on her blog. Many times, and in many locations, new and aspiring forensicators have posted queries in search of guidance in this critical area. Melia's cheat sheet is an easy visual guide to help with the process.
  • Hexacorn Ltd has released HexDive v0.1 (download link at bottom of post). HexDive is aptly subtitled the "Intelligent String Extractor." It aims at bringing some intelligence to the extraction of strings from binary files, and though it's early in development, succeeds quite well. The first layer of that intelligence is that it filters out the garbage strings that one usually encounters when dumping strings from a binary. That alone is worthwhile for accelerating analysis, but HexDive goes a step further by classifying the type of string found. This classification is still a work in progress, but very cool. During a Twitter conversation with the author, he mentioned that HexDive currently misses URL strings, and it's possible it will miss other salient artifacts. But it's quite handy for such a new tool, and needs to be encouraged. If you try it and notice particular string artifacts that it's missing, please let the author know.
  • A Perl Script Plays Matchmaker with ExifTool and SQLite - Cheeky4n6Monkey has developed SquirrelGripper (you have to read this just for the explanation of the name!), a Perl script that sends ExifTool output to a SQLite database for easier analysis.
  • Jesse Kornblum recently released md5deep 4.1.1 and ssdeep 2.8 to fix bugs in those tools.
  • AccessData released FTK 4.0.2, which includes support for the new EX01 evidence format, as well as decryption support for YAFFS 1 & 2 and iOS. See the Release Notes(PDF) for full change list.

Good Reads:

  • Jason Fossen recently posted Windows Exploratory Surgery with Process Hacker over on the SANS Windows Security Blog. There, he makes available the PDF version of slides he's used in recent presentations by the same title. However, I use the term "slides" loosely; the PDF contains 36 pages of excellent text that cover key Windows details in the context of malware analysis.
  • The Consortium of Digital Forensics Specialists (CDFS) posted an update on their work in progress earlier this week. The organization is still young, and much of its work is still behind the scenes, but the stuff they are working on is well worth keeping an eye on.
  • Corey Harrell posted his Compromise Root Cause Analysis Model, which is both a process and a way of thinking that can go a long way toward helping to answer the key questions "How did a compromise occur?" and "When did it occur?"


Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20120609 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Greg also contributes book and product reviews to Digital Forensics Magazine and