SANS Digital Forensics and Incident Response Blog: Author - Ira Victor

SANS Digital Forensics and Incident Response Blog:

Case Leads: A Forensicator's take on BlackHat/DefCon/BSides

It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec and forensicators and old school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.

July 27th was the start of Black Hat atCaesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes onWednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called "Black Hat Briefings." This year, in the wake of the NSA/Snowden rowe, NSA Director, General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners, and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!)


Caseleads: South Korea Attack Forensics; Google Glass Brings Discoverable Evidence To Litigation; The Post Data Breach Boom; Fighting Insider Fraudsters

Mark this date: On March 20th 2013, the non-technical managers may finally start to understand what a digital forensics professional actually does. With the massive cyber attacks on South Korean banks, media outlets, and ISPs, the role of forensicators is put front and center. The attack(s) resulted in widespread ATM outages, online banking and mobile banking offline, and tens of thousands of PCs wiped of all their data. At minimum, non-technical decision makers should finally start to understand that cyber attackers are not targeting "someone else." The attacks in South Korea had an impact on the bottom line of many South Korean firms. Since many of the same strategies for information security and incident response are used by most westernized nations, many experts agree that the attacks in South Korea are a warning sign of what could happen in the United States. We have analytical coverage of the South Korean attacks, with stories and drill downs that go beyond the


Digital Forensics Case Leads: News from CES Las Vegas Might Open Doors for Automotive Forensics, Landmark Legal Rulings Impact DFIR Investigators, and Tackling Insider Fraud

In this issue of Case Leads we go around the globe to cover telematics app development from Ford at CES Las Vegas; to Russia for new tools that allow investigators to access files users try to keep encrypted; an anti-forensic tool that tries to hide details from memory forensic tools; the insider fraud threat; and a number of landmark court rulings in the US that impact digital investigators.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to



Case Leads: DFIR Lessons from Sandy; The Advanced Persistent Intruder; The Secure Breach; Windows8 Forensics; South Carolina Tax Info Protected by "TWO FIREWALLS"

The general public is getting a lesson in incident response with the post Hurricane Sandy storm damage in the Northeastern part of the United States. Your case leads blogger is working on incident responses related to the storm. Many non-technical professionals have had a chance to witness the challenges of DFIR. And some are starting to ask some very intelligent questions: How resistant are IT systems to intentional cyber attacks? Could attackers do more damage than a natural disaster? We have stories this week that try to answer the question this way: Do we need a strategic shift in how we respond to incidents? Listen to the interview with Conrad Constantine on his take regarding a new approach to incident response.

Before all the storm coverage saturated the news, there were a flurry of news stories following Secretary of Defense Leon Panetta's statements on how poorly prepared the nation's critical infrastructure is vulnerable to cyber attacks. And, after Hurricane


Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week's Digital Forensic Case Leads is chock full of forensics nuggets. Links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP Attorney Ben Langlotz. And, as our headline promises, news and analysis on the latest alleged attacks by "Anonymous" and their affiliates. Your reporter this week explains how BOTH the Anon group AND the Fed's denials, could both be true.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads [at symbol here]



  • AccessData Group just released a new version of their forensics and investigation tool for mobile devices, MPE+. According the AccessData: " In addition to greatly improving mobile device investigations, MPE+ is the first