SANS Digital Forensics and Incident Response Blog

Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week's Digital Forensic Case Leads is chock full of forensics nuggets. Links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP Attorney Ben Langlotz. And, as our headline promises, news and analysis on the latest alleged attacks by "Anonymous" and their affiliates. Your reporter this week explains how the Anon group's claims and the Feds' denials could both be true.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads [at symbol here]



  • AccessData Group just released a new version of their forensics and investigation tool for mobile devices, MPE+. According to AccessData: "In addition to greatly improving mobile device investigations, MPE+ is the first solution designed to facilitate mobile device discovery for litigation support personnel. With the most intuitive interface on the market and new visualization capabilities, investigators and e-discovery practitioners alike will be able to address mobile device data with more efficiency." This version supports physical imaging of Samsung Galaxy S2 devices and supports 4800 other mobile devices. Other notable features include carving SQLite databases from iOS and Android devices for user-deleted data, and a "Social Analyzer" that compares SMS, emails, MMS and call logs. Contact the people at AccessData Group to find out more.
  • Magnet Forensics (formerly JADsoftware) has an interesting free forensic investigation tool: Encrypted Disk Detector (EDD). According to the company, "EDD is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes... EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled."
  • MemGator: Another free digital forensics tool. According to the developer, E5h Forensic Solutions, MemGator "is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator...Data can be extracted in relation to memory details, processes, network connections, malware detection, passwords & encryption keys and the registry."


Good Reads/Listens:

  • DarkMarket: Cyberthieves, Cybercops and You. From the publisher: "In this fascinating and compelling book, Misha Glenny, author of the international best seller McMafia, explores the three fundamental threats facing us in the twenty-first century: cybercrime, cyberwarfare and cyberindustrial espionage. Governments and the private sector are losing billions of dollars each year fighting an ever-morphing, often invisible and often supersmart new breed of criminal: the hacker." Due to be released in paperback next month.
  • Breaking into the OS X keychain. From the author of the posting: "There is a design compromise in Apple's keychain implementation that sacrifices some security for a lot of usability...As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves." As we know, most users don't take those steps. Read the how-to here.
  • Digital Forensic and InfoSec Lessons from the Apple v. Samsung patent case. Listen to this CyberJungleRadio conversation with patent expert Ben Langlotz, starting at about 14:30. There are some very surprising areas of digital forensics discussed by Mr. Langlotz.



Anti-Sec, an off-shoot of the cyber gang known as Anonymous, claimed credit late Monday for obtaining a database of over 12 million Apple iOS UDIDs (Unique Device Identifiers). UDIDs are "burned" into every iPhone/iPad/iPod Touch device. The group's web site claims that the reason they took this data was a slap against the Federal Government ("The Feds") and the activities of NSA Chief, Gen. Keith Alexander, to recruit hackers at Las Vegas' DefCon conference last month. They want to show that the Feds don't have the interests of the citizens at heart, but rather that the Feds' main goal is tracking the activities of average citizens, a claim Gen. Alexander very publicly refuted in Las Vegas. On Wednesday, the FBI released a statement that refutes the claim that the attackers gained access to an FBI computer for this data. Parsing the statement from the FBI, and the claims of the alleged attackers, it is possible that the information came from the systems of an anti-cybercrime non-profit that was founded by a former FBI agent. The group, the NCFTA, or National Cyber Forensics and Training Alliance, has, according to Forbes Magazine, a legal arrangement with the government that allows it to hand over information to the FBI.

From Elinor Mills and Greg Sandoval at C| "The U.S. Secret Service is looking into claims that someone stole presidential nominee Mitt Romney's income tax returns and is threatening to release them if he doesn't pay up. Secret Service spokesman George Ogilvie told CNET today that the agency is investigating, but had no further comment."

Discount eCommerce site Groupon threatens to sue small business merchants. According to a report at, some businesses that participate as Groupon merchants are not getting paid by Groupon. This cash flow problem is driving merchants to notify the company that they will not honor Groupon coupons until they're paid. Groupon is threatening legal action against the merchants if they suspend providing services to Groupon users as agreed. A classic contract case, but who's truly in breach? And is there a digital smoking gun? Were orders to slow down or hold back payments transmitted via email, chats, text or other digital means? Have there been internal discussions around responding to merchant complaints about slow payment?

Did diligent email forensics investigation help Samsung to mitigate spoliation? This arises in the intellectual property case that pits Apple against Samsung. We won't get into the IP details in this space, but rather the issue of digital spoliation. Last month, Apple won a motion for an adverse inference jury instruction because Samsung failed to properly preserve email discovery evidence. And as of this writing, Samsung won a copy-cat motion, claiming Apple failed to preserve relevant emails. So now, the jury will not hear that both Apple and Samsung may have destroyed email evidence.


Levity, or For the LULZ?

The Tutu Has Been Donned

Coming Events:

Call For Papers:


by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.