SANS Digital Forensics and Incident Response Blog: Author - raydavidson


Digital Forensics Case Leads: Tons o' tools, a new challenge, and hard drive steganography

This week we have a number of new and updated tools, a new forensics contest, and a new steganographic technique.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • Sebastian Porst has posted a collection of tools for analysis of malicious SWF files. The tools are written partly in Java and partly in Python and are licensed under GPL 2.0. Get them here. Lenny Zeltser has tried a couple of the tools and written a blog post about them here.

  • Paraben has updated P2 eXplorer Free and P2 eXplorer Pro to V3.1. For a list of differences between P2X Free and P2X Pro, see the document here.


Digital Forensics Case Leads: Free Tools, Fancy Toys, Snipers, Manipulated Photos, and no PI licenses required in VA

A variety of forensical tidbits this week, from new tools to a history of photo manipulation, and a relaxation of the PI requirement in VA. If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Mandiant has released an update to their Highlighter tool to V1.1.2. You can read information about the update here.

  • Dell has extended their digital forensics line to include a mobile offering, consisting of a hardware/software bundle to enable faster evidence collection at incident locations. Check out the toys.

Good Reads:

Digital Forensics Case Leads: New Year brings DEFT and DFF updates, interesting reads and upcoming events

This week we have updates to two great tools, a variety of interesting reads, including one to come soon, and some events to fill your calendar for the 1st quarter of the new year.


  • Arxsys has released V0.9 of the open source Digital Forensics Framework (DFF), which has some cool new features. You can see info here and download the new version here.

  • DEFT V6 is also out with some additions. You can see info on the new version here, and the ISO is downloadable here. The virtual appliance and dd image for the USB stick should be available next week - check

Digital Forensics Case Leads: No Shmoose, No Junk; Just Forensics

In this week's entry, nothing ShmooCon related, no TSA junk, and no royal engagements. Just the usual variety of tool and news pointers, in case you missed them elsewhere.


  • On his excellent blog, Lance Mueller has published an EnCase script, written by Oliver Höpli, which uses an MSSQL database for storing hashes and gives faster filtering results. Find it here.

  • Brian Carrier announced the availability of a new Open Source Forensics site. This is a great resource for those of us who may not be able to afford the more expensive tools, but continue to work with The Sleuthkit and a hex editor.

  • National Institute of Justice's Electronic Crime Program supports development of tools to assist in collecting digital evidence. Unfortunately

Digital Forensics Case Leads: Does Forensicator Pro include a Hex Editor? and other tool tales

Well, it's been a quiet week at Lake DataBeGone, where all the forensicators are above average, or at least aspire to that. Nothing as exciting as DefCon/BlackHat this week, but we do have a few things....

Good Reads:

  • The new issue of Digital Forensics Magazine is out, and includes not only an article by Rob Lee on what it takes to become a computer forensics pro, as mentioned last week, but also an article on real time network forensics, and a nice survey of law enforcement practices around the world, written by Christa Miller. If you don't subscribe already, you should - go to and sign up!

  • Selena Ley has a brief overview article on Safari artifacts that should be considered in