SANS Digital Forensics and Incident Response Blog

Case Leads: A Forensicator's take on BlackHat/DefCon/BSides

It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec and forensicators and old school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.

July 27th was the start of Black Hat at Caesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes on Wednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called "Black Hat Briefings." This year, in the wake of the NSA/Snowden rowe, NSA Director, General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners, and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!) than ever. Black Hat moves next year to the south end of the Las Vegas strip, at the Mandalay Bay. Some have speculated that the larger vendor area was part of the motivation. A spokesperson for Black Hat stated simply, "We need more room."

Meanwhile, two and a half blocks east of Ceasars Palace, at the Tuscany Hotel Casino, BSides Las Vegas was running during the same Wednesday and Thursday as Black Hat. BSides was a real gem this year. Great crowd, with many very smart and interesting speakers, lectures and labs. One of the more compelling DFIR talks of the week was a demonstration on defeating application whitelisting, and the digtial forensic trail that this incident leaves behind. See Good Reads and Listens below for an interview with the co-presenter of that talk, Joe Kovacic.

Thursday August 1st was the "soft launch" of DefCon 21, at the Rio Casino, just west of the Las Vegas Strip. Of note: Def Con held legal training on Thursday for non-legal professionals on the fundamentals of civil and criminal law. Always a help for forensicators. Sunday was the unofficial "forensicator block," with three lectures covering forensics, including an interesting talk on the recoverability of "disappearing" messages like SnapChat. Another DefCon talk relevant for incident response, was Craig Young's talk on a critical authentication flaw in GoogleAppsGmailAndroid. See Good Reads and Listens below for an interview with Craig Young.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Mr. John Ortiz developed and teaches a steganography course for the University of Texas at San Antonio (UTSA). Mr. Ortiz developed several steganographic programs for testing and analysis that were demonstrated at DefCon 21 in Las Vegas this year, during the unofficial forensicator block. You may email John: stego [insert at symbol here] for details on how to obtain these free tools.
  • Belkasoft Evidence Center 5.4 (Updated), Detects Forged Images, Analyzes Fragmented Memory Dumps and Extracts Destroyed SQLite Records
  • BlackBag Technologies Announces BlackLight2013 R2 Cross-platform Forensics Software Release


Good Reads and Listens:



Levity: DEF CON: The Documentary, the complete movie. Filmed last year, the 20th anniversary of DefCon. Shown at DefCon 21, August 1, 2013


Coming Events:

Call For Papers:

By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law, and editor of, a blog on digital crime and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor








Posted November 26, 2013 at 12:08 PM | Permalink | Reply


Electronic media is not all safe from the prying eyes of the internet. The e-marketing companies require special security system to protect the transaction and customers documents. But many times the hackers could penetrate due to the using of less secure or old devices for protection.

Posted January 21, 2014 at 12:29 PM | Permalink | Reply


cool forensic talk