SANS Digital Forensics and Incident Response Blog

More news on Flame & Stuxnet. Researchers publish findings on Elderwood Gang & the Comment Crew. New & Updated tools for mobile device forensics.

This week's CaseLeads features several findings from security researchers who have been studying Flame, Stuxnet and numerous state sponsored hackers. A couple of vendors have released new tools or updates to existing tools for those into mobile device forensics and malware analysis.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to



  • Santoku for mobile device forensics, malware analysis and application security testing includes tools for development, pen testing, wireless analysis, data carving, metadata analysis and reverse engineering applications.
  • Motorola launched an "Unlock My Device" page which could be useful for forensic examiners. The list of supported devices is currently rather limited but Motorola states they will be adding more devices so this site is worth keeping an eye on.


Good Reads/Listens:

  • Flame - the fire may have started back in 2006. Security vendors analyzing aspects of the Flame malware have determined that it may have been one of a four-part suite of programs dating back several years. Researchers currently aren't sure what the other programs may be, but they seem confident they aren't Stuxnet or Gauss. A similar article suggests that a fifth Flame-like derivative was in development around the time Flame was discovered but appears to have been abandoned. Like another study mentioned in this week's blog (see the News section), the researchers found indications that the operators of Flame appeared to have compartmentalized roles and may have been part of a larger, possibly government-sponsored organization.
  • Questions arise on the Stuxnet escape theory - At least one expert is calling into question the current popular story of how Stuxnet escaped into the wild. In an IEEE Spectrum Techwise Conversations podcast, Professor Larry Constantine calls into question some aspects of journalist David Sanger's account. Other experts with ESET, including David Harley, Eugene Rodionov, Juraj Malcho and Aleksandr Matrosov, published yet another theory on Stuxnet's escape that agrees and disagrees with several points made by Constantine.


News:

  • There's always a debate about the effectiveness of user awareness training. A city in Taiwan was also having this debate, so they decided to try an experiment. Now nearly one in six civil servants will have to sit through a two-hour class on internet security after responding to a phishing email sent by the government of New Taipei City.
  • Experts claim two groups are responsible for stealing most US business secrets. Many in information security have long claimed that China, or groups sanctioned by that government, have been engaged in various forms of espionage against the United States and other countries. The Chinese groups are known by several names depending on which researcher is studying them, but the two most popular according to a recent report are the Elderwood Gang out of Beijing and the Comment Crew of Shanghai. Researchers who have been studying these groups for years have determined that the number of people employed by the groups is in the hundreds, if not thousands, based on the diverse capabilities the groups have demonstrated. The number of people engaged leads the researchers to believe that only organized crime or a nation state could fund the effort.




Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20120921 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and when the incidents permit, he is involved in aspects of information security ranging from Threat Intel to Risk Analysis.