SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Open Source Forensics Edition

This week, the Open Source Digital Forensics Conference and the Open Memory Forensics Workshop were both held in Chantilly, VA, and the wealth of tools and knowledge coming out of these conferences was simply staggering. Of course, not everything this week revolved around, or arose out of, the Open Source Digital Forensics Conference. But there certainly seems to have been some sort of cosmic alignment, because this week brings more new tools and tool updates than you can shake a memory stick at.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • libvshadow - Joachim Metz presented some excellent research on Volume Shadow Snapshots, and also introduced a new library and tool that will allow examiners to mount and examine Windows Volume Shadow Copies from a Linux or OS X analysis workstation. The tool is exciting, and the research is outstanding. Before you download the tool, be sure to check out his paper and his OSDFcon presentation slides. There are apparently some quirks in the operation of the Volume Shadow Service on Windows that may make it more desirable to analyze the shadow copies on an alternate platform.
  • The Sleuth Kit v4.0 was released this week during the Open Source Digital Forensics conference. The biggest new feature, which is currently available on Windows only, is the introduction of The Sleuth Kit Framework. The Framework makes TSK much more extensible by allowing the creation of modules to perform various functions during TSK processing. For example, TSK 4.0 ships with a handful of useful modules such as hash calculation, hash lookup, entropy calculation, RegRipper, ZIP file extraction, and extraction via name signatures. The Framework introduces the concept of pipelines, wherein evidence images/drives processed by The Sleuth Kit can be passed to any of these framework modules during the execution of the appropriate pipeline to automate functions beyond those built into TSK. Other notable changes include multithreading support and support for libewf v2, just to name a couple. For more change details, see the TSK history page and news file.
  • Like The Sleuth Kit, Autopsy v3.0 was also supposed to emerge from beta during the Open Source Digital Forensics conference. However, a few last minute bugs apparently manifested during demos. The last time I heard mention of it during the conference, Brian Carrier was still anticipating release this week, so keep an eye on it. Regardless of the exact date, it shouldn't be long now. Like the TSK Framework, Autopsy 3.0 is currently Windows-only. The new focus on Windows support is due to the project's goal of increasing TSK/Autopsy acceptance and adoption among practitioners, many of who run Windows as their analysis systems.
  • Tapeworm v1.0 - OSDFCon also saw the official release of Tapeworm, a new Virtual Machine distribution (similar to SIFT and REMnux) that is geared toward automating many of the pre-processing tasks that examiners have to undertake in order to extract usable data from disk images. The distribution offers a GUI front-end to automate a number of tasks, including the execution of bulk_extractor, RegRipper, Log2Timeline, and EXIF extraction, among other things. You can view a screen shot of the GUI and proceed to the download page.¬ One peculiarity is that you have to email Tapeworm Support to receive a password to download the virtual machine. Doug Koster, the presenter at OSDFcon, indicated that this was because they wanted to keep track of the number of users. But I don't see why that can't be done through simple web statistics. To each their own, I suppose.¬ Tapeworm is the brain child of Doug Koster, and the development has been a joint project between TASC Forensic Services and Champlain College's Leahy Center for Digital Investigation (LCDI).
  • SIFT Workstation v2.14 - It seems SANS and Rob Lee recently snuck out an update (v2.14) to the SIFT workstation this week as well. It adds libvshadow and several other useful libraries by Joachim Metz, findaes, densityscout, as well as updates to libewf, log2timeline, Volatility, and bulk_extractor. Of course, that's still only a partial list. Download it and check it out.
  • CAINE v3.0 - Not to be outdone, the makers of the Computer Aided INvestigative Environment Live CD released CAINE v3.0. It adds The Sleuth Kit v4.0, MATE Desktop Environment v1.4 + LightDM, iphonebackupanalyzer, exiftool, sqlitebrowser, and more.
  • GRR Rapid Response Framework - Although Basis Technology put on the Open Source Digital Forensics Conference, the non-government entity with the most representatives may well have been Google. They came in force and offered some excellent presentations and tools. I've already mentioned Joachim's libvshadow. But the Googlers also presented, GRR Rapid Response, an open source framework for performing remote live forensics. The project is still in Alpha phase, but is available for testing and experimentation by users. It features client agents for Windows, Linux, and OS X, Volatility integration for remote memory forensics, and "secure comms infrastructure designed for Internet deployment." This seems like a very promising tool that could help put mature incident response in the hands of SMBs and other organizations that lack significant IT budgets. You can also download the presentation slides for the OSDFcon talk from the downloads section.
  • Forensic Scanner - For over a year now, Harlan Carvey has been working on, and occasionally speaking about, a Forensic Scanner that builds on his RegRipper concept but extends it beyond the registry to digest other artifacts. This year, we not only got to hear about the idea, but we now get to download it. As with RegRipper, the idea is to automate tedious artifact collection and reporting processes, to use the scripts to embed human intelligence, and to enable knowledge transfer from analyst to analyst. Forensic Scanner is intended to run against a mounted disk image, and the UI could not be simpler. The current release comes with 44 plugins, but these are simple Perl scripts that can easily be used as templates to create and share your own plugins.
  • pyIOC - Jeff Bryner (@p0wnlabs) recently announced his pyIOC tool suite, which is a client/server system for maintaining and distributing IOC files (see if you're unfamiliar with those). The pyIOC client pulles IOC (Indicator of Compromise) files from the pyIOC server, the scans the client machine for the described indicators. This capability goes above and beyond the capabilities of the IOC Finder tool developed by Mandiant by supporting platforms other than Windows and by creating a distribution point for the IOC files. This seems to be an open source step toward Mandiant Intelligent Response (MIR).
  • bulk_extractor v1.3 - Leading up to OSDFcon this week, Simson Garfinkel of the Naval Postgraduate School released bulk_extractor v1.3. This new version adds support for five new data formats, including Windows PE and Linux ELF scanners, as well as better Unicode support and limited file carving. bulk_extractor also comes with the CDA cross-drive analysis tool ( requires python 3.2), which allows for comparison of bulk_extractor results from multiple drives, which is a helpful way to find commonalities and linkages across evidence drives. Get bulk_extractor 1.3 as well as Simpson's presentation slides from the bulk_extractor download page.

Good Reads:

  • Practical "Looks Like" Similarity - Jesse Kornblum has an interesting post, along with proof-of-concept Python script, on programmatically detecting similarity in image files. This is an area where traditional hashing and fuzzy hashing don't directly apply, because visually similar image files can have very different bits, and so very different hashes. Jesse has built on previous research to create a script that can store image signatures (or hashes, used loosely) and compare them to new files as needed.
  • As we mentioned last week, the Month of Volatility Plugins (MoVP) comes to a close this week over on the Volatility Labs blog. There are too many good posts and plugins to pick from, so make some time and go review them all.



  • Hakin9 magazine was epically trolled when security researchers submitted a hilariously nonsensical article — Nmap: The Internet Considered Harmful - DARPA Inference Cheking Kludge Scanning (PDF)— which Hakin9 failed to notice and proceeded to publish as part of their NMAP Guide ebook. Read the story summary at The Register for background, then dedicate some time to this must-read troll.
    (Hakin9 has also published a statement apologizing for the mistake that led to the article being published, but not before threatening Fyodor with legal action if he did not remove the article from Amusingly, on the same day, they also asked him to contribute an article to the magazine.)

Coming Events:



Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20121005 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Greg also contributes book and product reviews to Digital Forensics Magazine and

Find us on Google+