SANS Digital Forensics and Incident Response Blog: Author - jarocki

Helix 3 Pro: First Impressions

I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and


Interview: Darrin Jones, Director of New Mexico RCFL

The Regional Computer Forensics Laboratory (RCFL) Program is a partnership between the FBI and local, state, and federal law enforcement agencies. The Program provides forensics resources and advanced techniques that can be brought to bear on cases being worked by participating agencies. The first RCFL was established in 1999 in San Diego, California. This successful partnership between FBI and Southern California law enforcement led to fifteen more centers over the ten years that followed. One of the most recent is in Albuquerque, New Mexico.

Supervisory Special Agent Darrin Jones is the Laboratory Director of New Mexico RCFL and was key to it's establishment. I interviewed him recently to find out more about the Program.

Q: When and why did you get involved with the RCFL Program?

A: I've been in Albuquerque for about two years, prior to this assignment


Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.

FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (

Known plaintext analysis of encoded strings

As a child, my first introduction to ciphers came in the form of Edgar Allen Poe's The Gold Bug. The tale of pirates, treasure, and ciphers gripped my ten-year-old imagination and held me spellbound — sparking an interest in puzzles and codes that would later make computer science the obvious choice for my career.

Recently the Gold Bug returned to my thoughts while digging through a new bit of malware. Our