SANS Digital Forensics and Incident Response Blog: Category - Case Leads

Digital Forensics Case Leads: Cyberthieves and the Federal Reserve

As this is a holiday week in the US, it was a lite week for news and other things. Still a few tidbits — Cyberthieves still need to rely on human help and the Federal Reserve had a Test system hacked. Ken Pryor has a new blog coming out and Lee Whitfield has some interesting … Continue reading Digital Forensics Case Leads: Cyberthieves and the Federal Reserve

Digital Forensics Case Leads: No Shmoose, No Junk; Just Forensics

In this week's entry, nothing ShmooCon related, no TSA junk, and no royal engagements. Just the usual variety of tool and news pointers, in case you missed them elsewhere.


  • On his excellent blog, Lance Mueller has published an Encase script, written by OIiver Hpli, which uses an MSSQL database for storing hashes and gives faster filtering results. Find it here.
  • Brian Carrier announced the availability of a new Open Source Forensics site. This is a great resource for those of us who may not be able to afford the more expensive tools, but continue to work with The Sleuthkit and a hex editor.
  • National Institute of Justice's Electronic Crime Program supports development of tools to assist in collecting digital evidence. Unfortunately


Digital Forensics Case Leads: Carving processes from Win7 mem dumps, timeline analysis

Timelines, time stamps and related analysis have been a popular subject of late in the community. You'll find a little more of that in this week's Case Leads, including a very nice walk-through of using Excel to analyze timeline data. It's really a great tool for this, especially when dealing with large datasets.

There's also news of progress on the steganalysis front, or at least news of a leading researching getting some credit and loads of other good stuff.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Richard McQuown has released an Enscript that can carve Windows 7 processes from memory images. The script is beta, but worth checking out, especially if you're fortunate enough to work in an enterprise that's replaced XP with


Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktop, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV Satellite. Security honcho Bruce Schnier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a


Digital Forensics Case Leads: Free tools, Treasure Hunts, Drive-by Attacks and Spying

This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Earlier this month AccessData released a new version of their popular (and free) utility, the FTK Imager. Version 3 has a number of useful features such as the ability to boot forensic images in VMWare and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG