SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Identifying TrueCrypt volumes with Volatility, Malware that can sneak into VM's and more....

In this week's SANS Case Leads, Malware that can sneak into Virtual Machines, watch those LastWriteTime timestamps, new tools, identifying TrueCrypt volumes with Volatility and much more??

If you have an item you'd like to contribute to Digital Forensics Case
Leads, please send it to


  • Joachim Schicht posted a utility that can manipulate the LastWriteTime timestamps called SetRegTime here.
  • Sumuri has released Version 3.0 of Paladin.
  • Santoku. is a Linux distro aimed at Mobile Forensics, examining Mobile Malware & Mobile Security. It is based on the OWASP MobiSec distro. Here is a list. of some of the tools included in Santoku

Good Reads:

  • Harlan Carvey discusses how if you have an analysis process, the SetRegTime utility should not have a major impact on your examination, especially if you are using Timeline Analysis. Read it here.
  • Over on the A Fistful of Dongles Blog., Eric interviews FBI Special Agent Eric Zimmerman. SA Zimmerman discusses some of the tools that he created that are available to LE and Military personnel.
  • Bridgey the Geek (@bridgeythegeek) had this excellent post. on how to identify mounted TrueCrypt volumes using Volatility.

News Items:

  • Crisis Malware that can spread to VM's: <a href= ""
  • Matt Inman (of The Oatmeal fame), started a fundraiser to have a museum dedicated to Nikola Tesla. Story on ArsTechica.

Coming Events:

Call For Papers:

Joe Garcia is a Law Enforcement Officer with over 18 years of experience, the last 6 of which he has been assigned to conduct computer crime investigations and digital forensic examinations. He holds the GIAC GSEC Gold, GCIH & GCFA Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62