SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

Least frequently occurring strings?

My phone rang. It was a small business owner looking for some help. He had a system he wanted me to take a look at, but was light on specifics. I asked to speak to his IT person. He laughed and said he was the IT person and that he knew next to nothing about … Continue reading Least frequently occurring strings?

Digital Forensics Case Leads: Pwn2Own 2011 underway

Last week I was in Boston teaching SANS FOR 408: Computer Forensic Essentials, now renamed to Windows Forensics In-Depth. Thank you to all those in my class, it was fun. Huge thanks to my facilitator, Mike. I mention the course here, because I had a mix of students from experienced veterans to those brand new … Continue reading Digital Forensics Case Leads: Pwn2Own 2011 underway

Digital Forensics: Finding Encoded Evidence

Recently I was asked to recover images from a suspect machine. Numerous tools have the ability to categorize files based on type. Students of SANS 508 get a look under the hood at how this is done using the "magic numbers" found at or near the start of files with well-known formats. Fortunately, most of … Continue reading Digital Forensics: Finding Encoded Evidence

Digital Forensics Case Leads: Failure and Frustration — Real Learning

This week I've got a short rant about education and a link to an interesting video on the subject. One of the best ways to really learn something is to teach it and if you think you haven't got any knowledge worth sharing, well you're probably wrong, but there's a list of research projects in … Continue reading Digital Forensics Case Leads: Failure and Frustration — Real Learning

Digital Forensics Case Leads: Carving processes from Win7 mem dumps, timeline analysis

Timelines, time stamps and related analysis have been a popular subject of late in the community. You'll find a little more of that in this week's Case Leads, including a very nice walk-through of using Excel to analyze timeline data. It's really a great tool for this, especially when dealing with large datasets.

There's also news of progress on the steganalysis front, or at least news of a leading researching getting some credit and loads of other good stuff.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Richard McQuown has released an Enscript that can carve Windows 7 processes from memory images. The script is beta, but worth checking out, especially if you're fortunate enough to work in an enterprise that's replaced XP with