SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: First ICS HoneyPot, IEF EnScripts, Android Forensics, Unit 61398 - The APT1 guys, CALEA Act and more...

In this issue of Case Leads we look at the first Industrial Control System honeypot, two useful IEF EnScripts for EnCase, an article on the APT1 hackers resuming their attacks on US targets, the proposed update to the CALEA Act, Android forensics tips and tricks, do-it-yourself voice descrambling and more. Continue reading this week's Case Leads.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

Tools:

  • Fellows at the Honeynet Project have announced the first version of Conpot (and, I think, the first of its kind). Conpot is an Industrial Control System honeypot whose goal is to collect intelligence about the motives and methods of adversaries targeting ICS. By default the honeypot simulates a Siemens SIMATIC S7-200 together with the module that, in a real deployment, is always present to provide network connectivity. This is an interesting project, as it will give a clearer picture of the attacks targeting these types of systems.
  • Magnet Forensics has released two EnCase EnScripts that automate Internet Evidence Finder (IEF) jobs from within EnCase. The goal is to make it easier for examiners to launch an artifact search from inside EnCase while they are analyzing their case. The first EnScript is for EnCase v6 and the second for EnCase v7. Once the IEF task completes, the EnScript offers to copy the found artifact information back into EnCase as record data, or into an Excel spreadsheet for further review.
  • Cellebrite has released version 3.7 of the UFED Physical/Logical Analyzer, which includes specific features for iOS devices: enhanced decoding for iOS devices and recovery of the list of deleted apps.

Good Reads:

  • This is a good read and demonstration of the IEF EnScripts discussed in the Tools section of this post; it takes the tool for a spin.
  • Forensic Focus has a nice article on Android forensics covering several techniques that can be helpful in a variety of situations. The techniques discussed are both logical and physical, including USB and smudge attacks (reading the unlock pattern from finger residue on the screen), data extraction and others.
  • There are numerous ways of concealing sensitive data and code within malicious files. Attackers use XOR-based techniques very frequently because they offer enough protection against casual inspection and are simple to implement. A fellow colleague at SANS has published a post discussing the tools used to examine XOR-based obfuscation during static malware analysis.
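As an added example (not code from the SANS post or from the tools it reviews), the three tricks such tools rely on, written out in Python: brute-forcing a single-byte key against known-plaintext "cribs", a frequency heuristic for text (the most common byte of ASCII text is usually the space), and recovering a multi-byte repeating key by sliding a crib across the data. The obfuscated buffers, the keys 0x5A and 13 37 c0 de, and the crib list are all constructed for this example.

```python
from collections import Counter

# Constructed sample: strings a dropper might hide, XOR-obfuscated for this
# example. This is not data from any real sample.
PLAINTEXT = (
    b"This program cannot be run in DOS mode.\r\n"
    b"http://c2.example.invalid/gate.php User-Agent: Mozilla/4.0 "
    b"cmd.exe /c whoami kernel32.dll GetProcAddress LoadLibraryA "
    b"ping -n 1 10.0.0.1 > nul"
)
SINGLE_KEY = bytes([0x5A])                      # assumed single-byte key
SAMPLE_SINGLE = bytes(b ^ SINGLE_KEY[0] for b in PLAINTEXT)

ROLLING_KEY = bytes.fromhex("1337c0de")         # assumed 4-byte repeating key
SAMPLE_ROLLING = bytes(b ^ ROLLING_KEY[i % len(ROLLING_KEY)]
                       for i, b in enumerate(PLAINTEXT))

# Known plaintexts ("cribs") that commonly survive inside obfuscated payloads.
CRIBS = [b"This program cannot be run", b"http://", b"https://",
         b"kernel32", b"GetProcAddress", b"User-Agent"]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a single-byte key is the length-1 case."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def brute_force_single_byte(data: bytes, cribs=CRIBS):
    """Try all 256 single-byte keys; report those whose output contains a crib."""
    hits = []
    for key in range(256):
        decoded = xor_with_key(data, bytes([key]))
        found = [c for c in cribs if c in decoded]
        if found:
            hits.append((key, found))
    return hits


def guess_key_by_frequency(data: bytes) -> int:
    """Frequency heuristic for ASCII text: the most common byte is usually the
    space (0x20), so key = most_common_byte XOR 0x20. Unreliable on binary-heavy
    data, so always confirm with a crib."""
    most_common_byte, _ = Counter(data).most_common(1)[0]
    return most_common_byte ^ 0x20


def derive_repeating_key(data: bytes, crib: bytes, keylen: int):
    """Slide a crib across the data. At the right offset, data XOR crib yields the
    key stream, and a key of period `keylen` must repeat consistently over the
    whole crib. The crib must be at least `keylen` bytes long."""
    for off in range(len(data) - len(crib) + 1):
        key = [None] * keylen
        consistent = True
        for i, c in enumerate(crib):
            slot = (off + i) % keylen        # align key bytes to data offset 0
            k = data[off + i] ^ c
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if crib in xor_with_key(data, candidate):   # confirm on the full buffer
                return candidate
    return None


if __name__ == "__main__":
    for key, found in brute_force_single_byte(SAMPLE_SINGLE):
        print(f"single-byte key 0x{key:02x}: {found}")
    print(f"frequency guess: 0x{guess_key_by_frequency(SAMPLE_SINGLE):02x}")
    print("rolling key:", derive_repeating_key(
        SAMPLE_ROLLING, b"This program cannot be run", 4).hex())
```

A single-byte brute force with cribs is cheap and reliable; the frequency guess is a quick first look that should never be trusted on its own; crib sliding scales to multi-byte keys where 256^n brute force does not, provided you guess the key length (try small values first).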


  • Unit 61398 is the Chinese military unit behind the APT1 hackers, who have resumed their attacks on US targets, says the New York Times. Mandiant confirmed that a new wave of attacks has begun but would not identify the targets, citing agreements with its clients; it did say the victims were many of the same organisations the unit had attacked before.
  • Encryption technologies can render valid wiretapping warrants useless in the fight against organised crime and terrorism. That is why the Feds are requesting an update to the Communications Assistance for Law Enforcement Act (CALEA) to expand their capabilities for tapping into encrypted digital communications such as Skype, Google Hangouts and even Xbox Live. On the other hand, several information security experts, including cryptographer Bruce Schneier and Phil Zimmermann, the creator of the PGP email encryption package, argue that any backdoor would be open to abuse by hackers, including foreign governments.
  • Voice inversion is a method of scrambling radio conversations that renders speech nearly unintelligible on ordinary radio receivers: the audio spectrum is mirrored about a carrier frequency, so a component at f ends up at (carrier - f), and applying the same inversion again restores the original. This read discusses how it works and how to descramble a voice-inversion scrambler.
  • Researchers at Trend Micro have discovered a massive new cyber-espionage campaign that has been hitting as many as 71 victims each day, including government ministries, technology companies, academic research institutions, non-governmental organisations and media outlets. The campaign was first spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses, spread over more than 100 countries, connecting to two sets of command-and-control (C&C) infrastructure. Keep reading.
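An added example, not code from the linked voice-inversion article: a small Python model of a voice-inversion scrambler and its descrambler, using only the standard library. The sample rate (16 kHz), carrier (3300 Hz), low-pass cutoff (3000 Hz), filter length and the pure-tone test signals are assumptions chosen so the arithmetic comes out exact; real scramblers differ in carrier frequency and filtering but not in principle.

```python
import cmath
import math

FS = 16000       # sample rate, Hz (assumed)
CARRIER = 3300   # inversion carrier, Hz (assumed; typical for simple scramblers)
CUTOFF = 3000    # low-pass cutoff, Hz (assumed audio bandwidth)
TAPS = 101       # FIR filter length (assumed)


def tone(freq_hz, n_samples, fs=FS):
    """Constructed test signal: a pure sine standing in for one voice component."""
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n_samples)]


def lowpass_taps(cutoff=CUTOFF, fs=FS, taps=TAPS):
    """Hamming-windowed sinc low-pass FIR, normalised to unity DC gain."""
    fc = cutoff / fs
    m = taps - 1
    h = []
    for k in range(taps):
        x = k - m / 2
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / m)
        h.append(sinc * window)
    gain = sum(h)
    return [v / gain for v in h]


def fir_filter(x, h):
    """Causal FIR convolution; output has the same length as the input."""
    return [sum(h[k] * x[n - k] for k in range(min(len(h), n + 1)))
            for n in range(len(x))]


def invert(x, h, carrier=CARRIER, fs=FS):
    """Spectral inversion: mix with the carrier, then low-pass.
    A component at f Hz lands at carrier - f; the carrier + f image is filtered out."""
    mixed = [2 * s * math.cos(2 * math.pi * carrier * i / fs) for i, s in enumerate(x)]
    return fir_filter(mixed, h)


def dominant_frequency(x, fs=FS):
    """Brute-force DFT peak search; fine for a few hundred samples."""
    n = len(x)
    best_bin, best_mag = 0, -1.0
    for k in range(n // 2 + 1):
        mag = abs(sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(x)))
        if mag > best_mag:
            best_bin, best_mag = k, mag
    return best_bin * fs / n


def demo(freq_hz=1000):
    """Scramble a tone, then descramble it with the same carrier.
    Returns the dominant frequency (Hz) of the input, scrambled and recovered signals."""
    h = lowpass_taps()
    clean = tone(freq_hz, 600)
    scrambled = invert(clean, h)
    recovered = invert(scrambled, h)   # descrambling is the very same operation
    # Analyse 320 samples after the filter transient: 16000 / 320 = 50 Hz bins,
    # so the test tones fall exactly on a bin.
    win = slice(TAPS + 100, TAPS + 100 + 320)
    return (dominant_frequency(clean[win]),
            dominant_frequency(scrambled[win]),
            dominant_frequency(recovered[win]))


if __name__ == "__main__":
    print(demo())        # (1000.0, 2300.0, 1000.0)
    print(demo(800))     # (800.0, 2500.0, 800.0)
```

The point to take away for a recording you actually need to descramble is that there is no secret: everything rides on the carrier frequency, and a wrong guess simply leaves the audio shifted, so sweeping the carrier until speech becomes intelligible is the whole attack.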


Coming Events:

Call For Papers:


About the author:

By Maher Yamout, CCNA, CNDA, ECSA, GCFE. Maher Yamout is an Information Security Officer and Digital Forensic Examiner with the Lebanese Ministry of Finance. He was involved in cyber-security exam item writing with EC-Council and Prometric. Maher is also a member of the High Tech Crime Investigation Association (HTCIA) Europe-at-Large chapter.