SANS Digital Forensics and Incident Response Blog: Author - Gregory Pendergast

Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition

Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.



Digital Forensics Case Leads: Volatility and RegRipper, Better Together

This week in Digital Forensics Case Leads brings us an update to macrobber, a guide to combining the power of Volatility and RegRipper, some thoughts on presenting digital forensic evidence, and an easy way for you to become an Advanced Persistent Threat.


  • Mark Morgan posted a User Manual for Volatility and RegRipper (PDF) that details combining those tools to perform registry analysis against physical memory images. Note that some of this only works under Linux.
  • Brian Carrier released macrobber v1.02 over at This version utilizes the new mactime body format.
  • Geoff Black released

Learning Curve: Carving Partitions Out of Compressed AFF Disk Images

Due to my supervisor's reluctance to purchase more drive space (now it's a financial crisis), I recently embarked on a quest to put my disk images on a diet by switching from RAW to compressed AFF images. Arguably, I should have done this moons ago, but as I recently discovered, some things are easier with RAW images.

One obstacle appeared when I wanted to carve out a partition from a full disk image. My image file (P0wnedDisk.AFF) contained a Dell Utility partition and a Windows boot partition. For this case, I was only interested in the Windows partition, so I wanted to carve it out and save it to a separate compressed AFF file (P0wnedPartition.AFF). Unless I've missed something (it turns out, I had... read on), there's no way to do this with AFF Tools alone.

After many listserv posts, cries for help, and prayers to divine entities, I cobbled together the following