SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: A MiniFlame Has Been Lit, Learning a Language and New and Updated Tools.

In this week's SANS Case Leads, new tool pyMFTGrabber is out, a MiniFlame has been lit, learning a language and more.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

  • The Sleuth Kit (TSK) 4.0 is out here.
  • The Autopsy Forensic Browser is now at version 3.0.
  • pyMFTGrabber grabs the MFT off a live, running NTFS system and sends it to a waiting netcat listener. Here is a demo video on YouTube showing the usage of this tool.

Good Reads:

  • Harlan Carvey writes about his motivations behind creating Forensic Scanner. Read it here.
  • Researchers at Kaspersky Lab have discovered a new nation-state sponsored malware and are calling it MiniFlame. This malware has ties to two other previously discovered espionage tools, Flame and Gauss.
  • Over on the Journey Into Incident Response blog, Corey has posted an article titled "So You Wanna Be A DFIR Blogger". He shares his thoughts on what it takes to maintain a successful DFIR-related blog and gives some insight into what he learned in creating & maintaining his.

News Items:

  • Looks like the Tesla museum is going to be built at Wardenclyffe. The property on Long Island (NY) has already been purchased.

Other Bits

  • There are those of us who have been attempting to or wanting to learn a programming language in an effort to help not only our examinations, but also the Digital Forensic Community at large. I just so happen to have fallen on the Python side of the fence, for no reason other than it seems to be a bit more structured than Perl and would probably be a bit easier for me to learn. I could care less about the Python/Perl "war". That said, here are some links/things that can help you in your desire to learn programming.
  • New book due out titled Violent Python by TJ O'Connor. I do not know the author, but the product description mentions "This book demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts." Might be helpful to those of us out there looking for a little nudge in getting ideas in writing our scripts.
  • Check out Coursera from time to time. They have programming classes (free, registration required). I, and a few others, are currently enrolled in the "Learn to Program: The Fundamentals" course, which happens to use Python 3. I like the class so far and am planning on taking the follow up course.
  • Finally, if anyone is interested in learning Python I have assembled a few Python related resources and I'm willing to share them. Just send me a DM and I'll share the Dropbox folder with you.

Coming Events:

Call For Papers:

Joe Garcia is a Law Enforcement Officer with over 18 years of experience, the last 6 of which he has been assigned to conduct computer crime investigations and digital forensic examinations. He holds the GIAC GSEC Gold, GCIH & GCFA Silver certifications. You can follow Joe on Twitter at @jgarcia62.