SANS Digital Forensics and Incident Response Blog: Author - Mike Murr

Writing Malware Reports

One of the more common questions that people ask in the FOR610 (reversing) class is about writing malware reports. Specifically what should go into a malware report? The Guiding Principle When I get asked this question my first response is usually "well why did you do the exam?" Besides potentially being a bit cheeky, the … Continue reading Writing Malware Reports


Is Your index.dat File LEAKing?

One of the projects that I've been working on, has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) can not be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g.

Review of "Principles and Practice of Criminalistics"

by Mike Murr

One of my favorite forensics books is "Principles and Practice of Criminalistics: The Profession of Forensic Science". I feel the authors do an excellent job at providing a strong foundation for forensic science. The book is divided into three sections. The first section provides a brief history and background of forensic science. The next section details fundamental principles of forensics. I found this section especially interesting, because it talks about classification, identification, and individualization. Topics we don't talk a lot about in digital forensics. The final section presents a more practical approach, covering topics such as report writing, communicating your results to others, and good laboratory practices.

There are a few aspects

...