SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Got Malware?

This week on Case Leads, it's mostly about the malware. A new tool called Maltrieve will help retrieve it for analysis, articles on Java *.idx files and NTFS artifacts can help us find it post-mortem, and security software companies get pwned by it. Joking aside, though, if you're scoffing at Bit9 this week, you'd be better off spending that energy getting your own house in order.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Maltrieve - Kyle Maxwell has released Maltrieve, a Python script that reaches out to known malware sites, based on a small but growing list of meta-sources, and downloads all of the malware it can obtain. The project began life as a fork of mwcrawler, but has since become a nearly total rewrite. In future versions, Kyle also plans to add support for custom, user-supplied download sources. This is a great tool to add to your malware research arsenal.
  • is a Python script for parsing Google Chrome Session and Tabs files. It's not new, but I don't recall having seen it mentioned anywhere. This tool proved most helpful in a recent investigation, as did the author, Alex Caithness of CCL Forensics. My initial run of the tool successfully parsed the 'Current Session' file, but errored out on the other Session and Tabs files (due to some invalid XML characters in the evidence files). Luckily, Alex was able to respond to my error report quickly, and recently released a fix. Also, check out Alex's related blog post, Chrome Session and Tabs Files (and the puzzle of the pickle), for details on the data structures in those session files.

Good Reads:

  • Over on the WindowsIR blog, Harlan Carvey has been digging into Java *.idx files as a means of finding the Initial Infection Vector (IIV) in a malware compromise. Check out Parts Un, Deux, and Trois of his BinMode: Parsing Java *.idx files series. Of course, Harlan isn't the only one working on this; there are other helpful posts and sources. But Harlan liberally links to many of them, so I'll leave it as an exercise for the reader to follow Harlan's lead further down the rabbit hole.
  • In the last week or so, David Cowen has made a couple of interesting posts on NTFS forensics over at the Hacking Exposed Computer Forensics blog. The NTFS Forensic Triforce and NTFS Triforce - A deeper look inside the artifacts cover the $MFT, $LogFile, and $UsnJrnl, and specifically how these three artifacts combine to give the history of a file's life on the file system. That history has uses ranging from tracking malware activity to spotting data tampering and exfiltration.
  • FireEye has an interesting write-up on the payloads carried by exploits against the newly announced Adobe Flash Player 0-day flaw. Among the interesting findings, FireEye researchers saw the malware create a Registry key holding a large amount of XORed data, which turned out to contain an executable file.
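As an added worked example of the .idx parsing Harlan's series describes (my code, not Harlan's and not any published parser), here is a minimal reader for the cache-version 6.05 layout: section 1 holds the fixed fields (content length, Java timestamps, signing flag, section lengths) and section 2, at offset 128, holds the download URL, the server IP and the HTTP response headers, which is exactly the provenance data that points at the IIV. The section 1 field offsets are my reading of the public 6.05 parsers and should be checked against a known-good sample; the sample record, its URL, IP, sizes and timestamps are constructed for the example.

```python
import struct
from datetime import datetime, timezone

SECTION2_OFFSET = 128        # section 2 of a 6.05 IDX file begins at a fixed 128-byte offset
CACHE_VERSION_605 = 605


def _java_utf(s):
    """Encode a string the way Java's DataOutputStream.writeUTF does: 2-byte BE length + UTF-8."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _read_java_utf(buf, pos):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8", errors="replace"), pos + length


def _java_ms_to_iso(ms):
    """Java stores milliseconds since the Unix epoch; 0 means the field was never set."""
    if ms == 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def parse_idx(buf):
    """Parse section 1 (fixed fields) and section 2 (URL, IP, HTTP headers) of a 6.05 IDX file."""
    if len(buf) < SECTION2_OFFSET:
        raise ValueError("file shorter than section 1")
    busy, incomplete, cache_version = struct.unpack_from(">BBI", buf, 0)
    if cache_version != CACHE_VERSION_605:
        raise ValueError("cache version %d not handled here (only 6.05)" % cache_version)
    # Offsets 6..47 (assumed layout): shortcut-image flag, content length, three Java
    # timestamps, known-to-be-signed flag, then the lengths of sections 2, 3 and 4.
    (_shortcut, content_length, last_modified, expiration, validation,
     known_signed, sec2_len, _sec3_len, _sec4_len) = struct.unpack_from(">BIqqqBIII", buf, 6)
    record = {
        "busy": bool(busy),
        "incomplete": bool(incomplete),
        "content_length": content_length,
        "last_modified": _java_ms_to_iso(last_modified),
        "expiration": _java_ms_to_iso(expiration),
        "validation": _java_ms_to_iso(validation),
        "known_to_be_signed": bool(known_signed),
    }
    pos, end = SECTION2_OFFSET, SECTION2_OFFSET + sec2_len
    record["version"], pos = _read_java_utf(buf, pos)
    record["url"], pos = _read_java_utf(buf, pos)
    record["namespace"], pos = _read_java_utf(buf, pos)      # the server IP the JAR came from
    (header_count,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    headers = {}
    for _ in range(header_count):
        if pos >= end:
            raise ValueError("section 2 truncated")
        name, pos = _read_java_utf(buf, pos)
        value, pos = _read_java_utf(buf, pos)
        headers[name] = value
    record["headers"] = headers
    return record


def build_sample_idx():
    """Constructed 6.05 record; URL, IP, sizes and timestamps are invented for this example."""
    headers = [
        ("<null>", "HTTP/1.1 200 OK"),
        ("content-type", "application/x-java-archive"),
        ("content-length", "3162"),
        ("date", "Thu, 07 Feb 2013 14:21:08 GMT"),
        ("last-modified", "Thu, 07 Feb 2013 13:59:12 GMT"),
    ]
    section2 = (_java_utf("1.0") + _java_utf("http://example.invalid/load.jar")
                + _java_utf("198.51.100.23") + struct.pack(">I", len(headers)))
    for name, value in headers:
        section2 += _java_utf(name) + _java_utf(value)
    section1 = struct.pack(">BBI", 0, 0, CACHE_VERSION_605)
    section1 += struct.pack(">BIqqqBIII", 0, 3162,
                            1360245552000,   # last-modified: 2013-02-07 13:59:12 UTC
                            0,               # no expiration recorded
                            1360246868000,   # validated:     2013-02-07 14:21:08 UTC
                            0, len(section2), 0, 0)
    return section1.ljust(SECTION2_OFFSET, b"\x00") + section2


if __name__ == "__main__":
    rec = parse_idx(build_sample_idx())
    print(rec["validation"], rec["namespace"], rec["url"], rec["headers"].get("content-type"))
```

Running every .idx under a user's Java cache directory through parse_idx and sorting on the validation timestamp gives a quick timeline of which JARs were fetched from where, which is the point of Harlan's series; anything the page says about the 6.03 or 6.02 layouts is not covered here.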

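To make the "file's life" idea from Dave Cowen's Triforce posts concrete, here is an added example (mine, not Dave's code or any tool of his) that parses USN_RECORD_V2 entries from a $UsnJrnl:$J dump and groups them by the key the three artifacts share, the $MFT entry number plus its sequence number. It covers only the $UsnJrnl leg of the triforce; joining to $MFT and $LogFile records on that same key is left to the reader. The journal fragment, the file names, entry numbers and timestamps are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_RECORD_V2_HEADER = "<IHHQQQQIIIIHH"            # 60 bytes; FileName follows at FileNameOffset
HEADER_SIZE = struct.calcsize(USN_RECORD_V2_HEADER)  # == 60

USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_iso(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def reason_names(flags):
    return [name for bit, name in sorted(USN_REASONS.items()) if flags & bit]


def parse_usn_journal(buf):
    """Walk USN_RECORD_V2 entries back to back, skipping the zero padding NTFS leaves in $J."""
    records, pos = [], 0
    while pos + HEADER_SIZE <= len(buf):
        (rec_len, major, minor, frn, parent_frn, usn, ts, reason,
         _source, _sec_id, attrs, name_len, name_off) = struct.unpack_from(USN_RECORD_V2_HEADER, buf, pos)
        if rec_len == 0:
            pos += 8                    # records are 8-byte aligned, so padding comes in 8-byte steps
            continue
        if (major, minor) != (2, 0) or rec_len < HEADER_SIZE:
            raise ValueError("unexpected record at offset %d" % pos)
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_iso(ts),
            "mft_entry": frn & 0xFFFFFFFFFFFF,        # low 48 bits: $MFT record number
            "mft_seq": frn >> 48,                      # high 16 bits: reuse sequence number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reasons": reason_names(reason),
            "attributes": attrs,
            "name": name,
        })
        pos += rec_len
    return records


def file_life(records, mft_entry, mft_seq):
    """Every journal entry for one (entry, sequence) pair in USN order: the file's life on disk."""
    return sorted((r for r in records if r["mft_entry"] == mft_entry and r["mft_seq"] == mft_seq),
                  key=lambda r: r["usn"])


def name_history(life):
    """Distinct names in order of appearance, so a rename after the drop stays visible."""
    names = []
    for r in life:
        if r["name"] not in names:
            names.append(r["name"])
    return names


def _usn_record(usn, frn, parent_frn, ft, reason, name):
    raw_name = name.encode("utf-16-le")
    rec_len = (HEADER_SIZE + len(raw_name) + 7) & ~7
    head = struct.pack(USN_RECORD_V2_HEADER, rec_len, 2, 0, frn, parent_frn, usn, ft,
                       reason, 0, 0, 0x20, len(raw_name), HEADER_SIZE)
    return (head + raw_name).ljust(rec_len, b"\x00")


def build_sample_journal():
    """Constructed $J fragment: a dropper writes svchost.tmp, renames it to update.exe, later deletes it."""
    frn = lambda entry, seq: (seq << 48) | entry
    t0 = 130047204680000000                  # FILETIME for 2013-02-07 14:21:08 UTC
    sec = 10_000_000                          # one second in FILETIME ticks
    dropped, parent, other = frn(41233, 5), frn(1234, 2), frn(900, 1)
    return b"".join([
        _usn_record(0x1000, dropped, parent, t0, 0x100, "svchost.tmp"),
        _usn_record(0x1050, dropped, parent, t0 + sec, 0x100 | 0x2 | 0x80000000, "svchost.tmp"),
        b"\x00" * 16,                         # zero padding as found at page boundaries
        _usn_record(0x10A0, dropped, parent, t0 + 2 * sec, 0x1000, "svchost.tmp"),
        _usn_record(0x10F0, dropped, parent, t0 + 2 * sec, 0x2000, "update.exe"),
        _usn_record(0x1140, dropped, parent, t0 + 2 * sec, 0x2000 | 0x80000000, "update.exe"),
        _usn_record(0x1190, other, parent, t0 + 3 * sec, 0x1 | 0x80000000, "notes.txt"),
        _usn_record(0x11E0, dropped, parent, t0 + 600 * sec, 0x200 | 0x80000000, "update.exe"),
    ])


if __name__ == "__main__":
    for r in file_life(parse_usn_journal(build_sample_journal()), 41233, 5):
        print(r["timestamp"], r["name"], "+".join(r["reasons"]))
```

The sequence number matters: once update.exe is deleted, NTFS can hand entry 41233 to an unrelated file with sequence 6, and filtering on the entry number alone would splice that file's history onto the malware's.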

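FireEye's write-up says the Registry value held XORed data that turned out to contain an executable, but the blog does not say how the XOR was keyed. The following is an added example (mine, not FireEye's or the blog's) of the analyst's side of that finding: pull a REG_BINARY value out of a .reg export, brute-force a single-byte XOR key, and accept a key only if the result validates as a PE (MZ header whose e_lfanew points at a PE signature) rather than merely starting with "MZ". The single-byte key, the value name "Payload", the key path and the minimal PE are all constructed assumptions for the example.

```python
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def parse_reg_binary(reg_text, value_name):
    """Extract a REG_BINARY value from a .reg export: hex:aa,bb,... with backslash continuation lines."""
    prefix = '"%s"=hex:' % value_name
    lines = reg_text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith(prefix)), None)
    if start is None:
        raise KeyError(value_name)
    chunks, i = [lines[start][len(prefix):]], start
    while chunks[-1].rstrip().endswith("\\"):
        chunks[-1] = chunks[-1].rstrip()[:-1]
        i += 1
        chunks.append(lines[i].strip())
    hex_text = "".join(chunks).replace(" ", "")
    return bytes(int(h, 16) for h in hex_text.strip(",").split(",") if h)


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xored_pe(blob):
    """Try every single-byte key and every offset where 'MZ' would decode; return (key, offset, decoded)."""
    for key in range(256):
        marker = bytes((ord("M") ^ key, ord("Z") ^ key))
        at = blob.find(marker)
        while at != -1:
            decoded = xor_single_byte(blob[at:], key)
            if looks_like_pe(decoded):
                return key, at, decoded
            at = blob.find(marker, at + 1)
    return None


def build_fake_pe():
    """Constructed minimal PE: DOS header, DOS stub text, PE signature and a COFF header."""
    dos = bytearray(b"MZ".ljust(0x40, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew: PE header at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b".\r\r\n$").ljust(0x40, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    return bytes(dos) + stub + b"PE\x00\x00" + coff


def build_reg_export(value_name, data, per_line=25):
    """Write data the way regedit exports REG_BINARY: hex: lines wrapped with trailing backslashes."""
    hexes = ["%02x" % b for b in data]
    rows = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    text = ["Windows Registry Editor Version 5.00", "", r"[HKEY_CURRENT_USER\Software\Example]"]
    text.append('"%s"=hex:%s' % (value_name, rows[0] + (",\\" if len(rows) > 1 else "")))
    for j, row in enumerate(rows[1:], 1):
        text.append("  " + row + (",\\" if j < len(rows) - 1 else ""))
    return "\n".join(text) + "\n"


SAMPLE_KEY = 0x3B
SAMPLE_PREFIX = b"\x01\x00\x00\x00cfg:" + b"\x00" * 24    # 32 bytes of made-up config before the PE


def build_sample_reg():
    """Constructed .reg export of a value holding config bytes followed by a XORed PE."""
    return build_reg_export("Payload", xor_single_byte(SAMPLE_PREFIX + build_fake_pe(), SAMPLE_KEY))


if __name__ == "__main__":
    blob = parse_reg_binary(build_sample_reg(), "Payload")
    key, offset, pe = find_xored_pe(blob)
    print("key=0x%02x offset=%d dos_stub=%s" % (key, offset, DOS_STUB_TEXT in pe))
```

Validating e_lfanew is what keeps the brute force honest: a 256-key search over a large blob will often produce a stray "MZ" at some offset, and a key that also lines up a PE signature is far less likely to be a coincidence. If no key validates, the data may use a multi-byte key, in which case the DOS stub text is the usual known plaintext to recover it from.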
  • Security software company Bit9 announced that some of its systems were compromised in an attack, and that one of its digital certificates was used to sign malware that was then used against at least three of its customers. Details are fairly sparse at this time, but Bit9 does say the affected systems were compromised because the company had failed to install its own product on those machines; Bit9 maintains that the product itself was not compromised. Brian Krebs also has a good write-up on the issue.
  • Adobe announces updates for latest 0-day vulnerability.
  • Microsoft, Symantec Team, Topple Bamital Botnet - Dark Reading
  • Bush family email hacked, and The Register is always good for a cheeky headline.


Coming Events:

Call For Papers:


Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads was compiled this week by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University.