SANS Digital Forensics and Incident Response Blog

Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more...

This week in Case Leads we have a few software updates and some good reads along with the LivingSocial site being hacked and the US service academies ramping up efforts to groom new cyber warriors.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • David Kovar has updated his analyzeMFT python script. It now reports the MFT record correctly and has improved bodyfile support. You can read more about the updates here and download the latest release.
  • Magnet Forensics has updated their Encrypted Disk Detector. They have added more support for other disk encryption as well as improved support for the disk encryption they already supported. You can read more about it here.
  • Belkasoft has updated their flagship product Belkasoft Evidence Collector 2013. They have over 12 enhancements to further enhance the efficiency of forensic investigations, simplifying the process of obtaining and analyzing digital evidence. They have also included Evidence Reader, an all-new free tool allowing Belkasoft users to pass along evidence collected with the main product. You can read more about it here.

Good Reads:

  • Over at the Delusions of Grandeur blog they have a write up of extracting cached passphrases in Truecrypt using the volatility framework. They used this on the Cyber Defense Exercise 2013. You can read more about it here.
  • Lenny Zeltser has posted a list of his live and recorded webcasts on Malware forensics. He has a links to upcoming webcasts as well as recorded webcasts for anyone who may have missed them. You can read more about it here.
  • Lance Mueller has posted a Enscript to send data directly to Splunk for IR, Investigations and timelines. This EnScript was designed to allow the examiner to simply "tag" those files/folders and send the data directly to Splunk. You can read more about it here.


  • The New York Times reports about the year in Hacking. The article talks about the annual Verizon report which counted 621 confirmed data breaches last year.
  • The New York Times has also reported about LivingSocial, a daily deals site, being hacked. They have reported online criminals had gained access to user names, e-mail addresses and dates of birth for some users and encrypted passwords for 50 million people. The company's databases that store user and merchant credit card and banking information were not compromised in the attack.
  • The U.S. service academies are ramping up efforts to groom a new breed of cyberspace warriors to confront increasing threats to the nation's military and civilian computer networks that control everything from electrical power grids to the banking system.


Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 20121130 was compiled by Mark McKinnon (@markmckinnon) CCE, GCFA. Mark is a Software Developer and Instructor at a University in the Midwest where he also practices digital forensics.