SANS Digital Forensics and Incident Response Blog: Author - Rob Lee

OPEN TO ALL - Digital Forensics Awards Night - 8 July 2010

  • Looking for new technology to help stop the advanced persistent threat?
  • Want to share in a drink with Harlan Carvey, Jesse Kornblum, Lee Whitfield, or Andrew Hay?
  • Need to know who is going to win the Apple iPad for the Forensic Challenge?
  • Waiting to see Lee Whitfield present those outstanding Forensic 4Cast Awards?

Stop by 8 July 2010 for a drink and a knowledge bomb, courtesy of SANS and the Vendors of the 2010 Forensics and Incident Response Summit.

The two awards ceremonies at the 2010 Digital Forensics and Incident Response Summit are free to the public. You do not have to be a summit attendee to participate in any of the evening events listed below.

And, if you can't make it in person, listen in live via the FREE webcast.

The festivities begin at 4:20 p.m.


The SANS Institute's Digital Forensics Lethal Forensicator Coin (RMO)

Next week at the 2010 Digital Forensics and Incident Response Summit, we will unveil and award for the first time the SANS Institute's Digital Forensics "Lethal Forensicator" Coin (or RMO - for "Round Metal Object"). The members of this elite unit will encompass the best in the digital forensics field and those that have demonstrated talent or leadership deserving special recognition.

2010 Digital Forensics and Incident Response Summit - Final Agenda Released

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Matt Olney (SourceFire) said that when describing the Advanced Persistent Threat attacks earlier this year. He was not joking. The results over the past year clearly indicate that hacking groups are racking up success after success. Over 30 companies have been compromised by the Advanced Persistent Threat. Organized crime groups utilizing botnets are committing ACH fraud daily. Similar groups are penetrating banks and merchants and stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholder reports.

The enemy is getting better and bolder, and their success rate is impressive. Are we?

We can do better. We need to field more sophisticated incident responders and forensic investigators. We need lethal forensicators who can detect and eradicate advanced threats immediately.

... Continue reading 2010 Digital Forensics and Incident Response Summit - Final Agenda Released

Windows 7 MFT Entry Timestamp Properties

Windows 7 MFT Entry Times

I have been doing some research on and off for the past week or so on what updates an MFT entry's time value properties in $STDINFO and $FILENAME. I am hoping for someone to provide me feedback if you get similar results. Also, what are the results for XP and Vista? Both should be checked.

To get started, here is my breakdown of what I have observed. I wouldn't use this in official reports yet, but this is a first stab at generating discussion and sharing what you see on your systems. Please email me at rlee at if you find anything to update as a result of this graph. I'd like to create a separate one for XP and Vista too.

Computer Forensics Tool Testing (CFTT) Survey

The Computer Forensics Tool Testing (CFTT) team at NIST and NW3C want to know what digital forensics tools you are using and what digital forensics tools you want NIST to test. Please take a few minutes to complete the survey linked below and share your valuable feedback with us.

To learn more about CFTT and the NW3C visit and

This survey is very important to state and local law enforcement as it is your voice and input, directly to NIST, for testing of the forensic hardware and software you use every day. A NIST evaluation of the tools you use has many benefits to you, your agency, and the cases you work. The survey itself is all multiple choice with an