SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Sleeper Malware targets diplomatic entities in Europe & Asia, banking trojan travelling through Skype, DropBox decryption, PE file analysis, and retrieving iPhone VoiceMail

In this issue of Case Leads: Magnet Forensics updates IEF with neat new features, analysing PE files with Python, retrieving iPhone voicemail with Perl, a sleeper APT targeting diplomats, banking trojans travelling through Skype, and more. Continue reading this week's Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Magnet Forensics (formerly JAD Software) has unveiled v5.8 of its industry-leading forensic software, INTERNET EVIDENCE FINDER (IEF), including several exciting forensic firsts, such as DropBox decryption, web video recovery, Google Maps tiles and geo-location visualization, support for newsgroup messages, and other new artifacts.
  • BlackLight is a multi-platform forensic analysis tool that allows examiners to quickly and intuitively analyze digital forensic media. BlackLight's core strength is Mac OS X and iOS (iPhone and iPad) data analysis. The latest release (R4.1) is a fine-tuning of the major release R4, which included Skype analysis, side-by-side evidence analysis, a consolidated search and file filter tool, virtual machine support, Time Machine support, secure USB key authorization, and iOS 6 and Mountain Lion compatibility.
  • Cellular Mapping, a developer of law enforcement forensics tools, announces an update to its cell site analysis software, the Cellular Analysis Mapping Program (CAMP). The latest version of CAMP includes features to reduce workload, while also offering an affordable and robust solution to analyse and create custom maps of cell phone activity. CAMP can process hundreds of cell phone call detail records in seconds.
  • Sumuri LLC will be releasing the latest version of Paladin this week, announcing it first through AppleExaminer. The new version is a huge upgrade, offering rewritten code and the following notable features: a new XFCE environment, a live progress log viewer, support for the Ex01, SMART, AFF and VMDK image formats and the EXT4 and ExFAT file systems, a new image converter, a new disk manager, an image mounter, and the inclusion of many popular open-source forensic tools.
  • HiddenIllusion published an interesting Python-based tool called AnalyzePE. This tool wraps around various tools and provides some additional checks and information to produce a centralized report on a PE file. It gives the MD5/SHA hashes, runs an entropy test, reports whether the file appears to be packed, flags any suspicious behaviour it detects, and more.
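To show what the hash-plus-entropy part of such a PE triage report involves, here is an added example in Python. It is not AnalyzePE's code and does not depend on any third-party library: it walks the DOS/COFF headers and section table by hand, computes MD5/SHA-1/SHA-256 and Shannon entropy per section, and flags sections whose entropy exceeds 7.0 bits per byte (a common rule of thumb for compressed or encrypted data) or whose name follows the UPX packer convention. The sample PE it analyses is constructed in memory (a stub with two sections), not a real binary, and the threshold is an assumption for the example.

```python
import hashlib
import math
import random
import struct

PACKED_ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if the buffer has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_sections(data: bytes) -> list:
    """Walk the COFF header and section table; return name, raw offset and raw size per section."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                                    # COFF file header follows the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                               # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)   # SizeOfRawData, PointerToRawData
        sections.append({"name": name, "offset": raw_ptr, "size": raw_size})
    return sections


def triage(data: bytes) -> dict:
    """Hashes, whole-file and per-section entropy, plus simple packing indicators."""
    report = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "file_entropy": round(shannon_entropy(data), 3),
        "sections": [],
        "indicators": [],
    }
    for s in parse_sections(data):
        body = data[s["offset"]:s["offset"] + s["size"]]
        ent = shannon_entropy(body)
        high = ent > PACKED_ENTROPY_THRESHOLD
        report["sections"].append({**s, "entropy": round(ent, 3), "high_entropy": high})
        if high:
            report["indicators"].append(f"section {s['name']!r} entropy {ent:.2f} exceeds {PACKED_ENTROPY_THRESHOLD}")
        if s["name"].upper().startswith("UPX"):
            report["indicators"].append(f"section name {s['name']!r} matches a UPX packer convention")
    report["likely_packed"] = any(sec["high_entropy"] for sec in report["sections"])
    return report


def build_sample_pe() -> bytes:
    """Constructed two-section PE stub (not a real executable): plain-text .text and random-byte UPX1."""
    text_body = (b"The quick brown fox jumps over the lazy dog. " * 40)[:1024]
    rng = random.Random(20130118)                          # fixed seed keeps the sample reproducible
    packed_body = bytes(rng.getrandbits(8) for _ in range(4096))

    def section(name, raw_ptr, raw_size, characteristics):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, lines, counts, flags
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)

    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)    # i386, 2 sections, no optional header
    headers = (dos + b"PE\x00\x00" + coff
               + section(b".text", 0x200, len(text_body), 0x60000020)
               + section(b"UPX1", 0x600, len(packed_body), 0xE0000040))
    headers += b"\x00" * (0x200 - len(headers))            # pad headers to the first raw section
    return headers + text_body + packed_body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample, read the file in binary mode and pass the bytes to `triage`; a high-entropy section is a hint, not proof, of packing, since legitimate resources (compressed images, embedded certificates) score high as well.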

Good Reads:

  • Retrieving data from an iPhone voicemail database. This is a nice read, as it shows how to write a Perl script to retrieve the contents of an iPhone's voicemail database and display them in a neat HTML table containing the calling number, date and time, duration, filename, and whether or not the voicemail is deleted.
  • A post on Forensic Focus that goes through malware analysis on Windows 8 and tests its resilience against malware and webshells. What makes this post interesting is that it starts from the basics, identifying the related registry keys and then the infected process.
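As an added illustration of the voicemail extraction described above (in Python rather than Perl, and not the post's own script), the block below opens a voicemail database with sqlite3, derives the fields the post lists (calling number, date and time, duration, filename, deleted or not) and renders them as an HTML table. The table layout it assumes (a `voicemail` table with `ROWID`, `sender`, `date` as Unix epoch seconds, `duration` and `trashed_date`), the `<ROWID>.amr` filename convention and the rule "non-zero `trashed_date` means deleted" are assumptions to be checked against your own evidence; the database it queries is constructed in memory with two sample rows.

```python
import html
import sqlite3
from datetime import datetime, timezone

# Assumed iOS voicemail.db layout (constructed for this example; verify against your own evidence)
SCHEMA = """
CREATE TABLE voicemail (
    ROWID INTEGER PRIMARY KEY,
    remote_uid INTEGER,
    date INTEGER,          -- Unix epoch seconds, UTC
    token TEXT,
    sender TEXT,           -- calling number
    callback_num TEXT,
    duration INTEGER,      -- seconds
    expiration INTEGER,
    trashed_date INTEGER,  -- 0 when the message is not deleted (assumption)
    flags INTEGER
);
"""

# Constructed sample rows: one live message, one moved to the trash a day later
SAMPLE_ROWS = [
    (1, 101, 1358280000, "tok1", "+15551234567", "+15551234567", 42, 0, 0, 1),
    (2, 102, 1358366400, "tok2", "+15559876543", "+15559876543", 17, 0, 1358452800, 1),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a carved or copied voicemail.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO voicemail VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def load_voicemails(conn: sqlite3.Connection) -> list:
    """One dict per voicemail row, with the audio filename and deleted flag derived."""
    rows = conn.execute(
        "SELECT ROWID, sender, date, duration, trashed_date FROM voicemail ORDER BY date"
    ).fetchall()
    entries = []
    for rowid, sender, date, duration, trashed in rows:
        entries.append({
            "number": sender,
            "timestamp": datetime.fromtimestamp(date, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "duration": duration,
            "filename": f"{rowid}.amr",      # assumed naming of the audio file in the Voicemail folder
            "deleted": bool(trashed),        # assumption: non-zero trashed_date marks a deleted message
        })
    return entries


def render_html(entries: list) -> str:
    """Render the entries as an HTML table; every cell is escaped so evidence text cannot inject markup."""
    columns = [("number", "Number"), ("timestamp", "Date & time"), ("duration", "Duration (s)"),
               ("filename", "Filename"), ("deleted", "Deleted")]
    lines = ["<table>", "<tr>" + "".join(f"<th>{html.escape(t)}</th>" for _, t in columns) + "</tr>"]
    for e in entries:
        cells = []
        for key, _ in columns:
            value = "yes" if e[key] is True else "no" if e[key] is False else str(e[key])
            cells.append(f"<td>{html.escape(value)}</td>")
        lines.append("<tr>" + "".join(cells) + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_html(load_voicemails(build_sample_db())))
```

To run this against real evidence, replace `build_sample_db()` with `sqlite3.connect("file:voicemail.db?mode=ro", uri=True)` on a working copy, and confirm the column names with `PRAGMA table_info(voicemail)` before trusting the output.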


  • The Shylock banking trojan is now travelling by Skype. The security firm CSIS recently discovered a Shylock module called "msg.gsm" that tries to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history.
  • Kaspersky has published a malware analysis report on newly discovered malware called "Red October". This new APT targets diplomats in Europe and Asia; according to Kaspersky it has been in the wild since 2007 and has infected a lot of embassies and diplomatic sites. The report goes through the infection step by step and discusses a few details.
  • Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team. The malware was spreading via USB drives, and based on the article, it is not clear whether the control system workstations use any form of antivirus protection.
  • Singapore allows pre-crime strikes against online crooks by granting itself powers to take proactive measures against a potential cyber threat before it disrupts critical infrastructure. Failure to comply with the new law could land an individual with a 10-year prison term and a S$50,000 (£25,400) fine.
  • The New Jersey governor invites veterans returning from the Middle East, students and career switchers to compete for cyber residencies at key institutions by joining a cyber battle this week for a spot in a community college program. The Brookdale Community College CyberCenter, similar to a medical teaching hospital, will assign aspiring network defenders to temporary posts at banks, the FBI and other organizations vital to American life.


Coming Events:

Call For Papers:


About the author:

By Maher Yamout, CCNA, CNDA, ECSA, GCFE. Maher Yamout is an Information Security Officer and Digital Forensic Examiner with the Lebanese Ministry of Finance. He was involved in cyber-security exam item writing with EC-Council and Prometric. Maher is also a member of the High Tech Crime Investigation Association (HTCIA) Europe-at-Large chapter.