SANS Digital Forensics and Incident Response Blog

Case Leads: Backtrack Soon to be Back as Kali, Why Logs Should Really be Reviewed, the Impact of DDoS Against US Banks, Hard Drives with Bad Sectors and Data Recovery

This week's edition of CaseLeads features a teaser from the Backtrack developers, a case study from Verizon which demonstrates the need for regular log review, a report on the impact of the recent DDoS attacks against US banks and an article about challenges in recovering data from hard drives.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Backtrack will be reborn as Kali. The developers of Backtrack are planning to take the distribution to another level, but in order to do that, they realized they needed to build something new. The Backtrack website has a teaser video about the project, but for now the developers are quiet on the details.

Good Reads:

  • Verizon's security blog recently featured a case study that outlines why organizations should conduct regular log reviews. Data from Verizon's annual DBIR suggests that fewer than 10% of security breaches are discovered through log review. The reason so few breaches are found this way is not because the logs lack indications of a breach but because very few organizations actually bother to review their logs. The case study tells the tale of an employee who was too creative in carrying out his job duties.
  • During the third quarter of 2012, a number of predominantly US-based banks were subjected to a series of Distributed Denial of Service (DDoS) attacks. The Ponemon Institute released a paper sponsored by Corero Network Security that surveyed 351 banks about the DDoS attacks. The survey sought information about the impact of the attacks and the actions taken to detect and prevent them. The report is of interest to those who practice Incident Response because it highlights the challenges and defensive technologies concerning these attacks. Highlights from the survey show that more than half of respondents had experienced a DDoS within the last year and that the primary consequence of the attacks has been a loss of IT productivity.
  • Dmitry Postrigan wrote a brief article that highlights the way hard drives were designed to prevent them from returning unreliable data. The article briefly discusses three types of corruption that can hinder data recovery efforts and mentions a couple of options from the ATA/ATAPI standard and SMART extension that could be useful in data recovery efforts. Dmitry also comments on the dangers of certain recovery techniques as they relate to increased media damage and data corruption.


  • The White House and US Congress had a brief flirtation with cybersecurity in 2012, and the topic was raised again during the recent Secretary of State confirmation hearings. While thin on details, the nominee's comments suggest that cybersecurity is being discussed at several levels within the US government and imply that some believe cybersecurity is the greatest threat facing the United States.


Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to This week's Digital Forensics Case Leads was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and, when the incidents permit, he is involved in aspects of information security ranging from Threat Intel to Risk Analysis.