SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


People Searches

In the course of assisting corporations with their incident response activities, we are occasionally asked to help find information about employees that might reside on the internet. During a computer exam for an employee threats case, we found activity on Facebook, Twitter, and two different webmail accounts. We captured the public facing social media pages and included them as part of our exam report.

While this is nowhere near new territory, it may be useful to compile a quick hit list of websites to quickly and efficiently build a profile of an individual's social media and internet use. In our case, if the person of interest made public threats outside the business as well as the private threats that occurred inside the business, we needed to find them as quickly as possible and make sure we had them documented.

Here are some good places to start your search:

Social Media

OPEN TO ALL - Digital Forensics Awards Night - 8 July 2010

  • Looking for new technology to help stop the advanced persistent threat?
  • Want to share in a drink with Harlan Carvey, Jesse Kornblum, Lee Whitfield, or Andrew Hay?
  • Need to know who is going to win the Apple iPad for the Forensic Challenge?
  • Waiting to see Lee Whitfield present those outstanding Forensic 4Cast Awards

Stop by 8 July 2010for a drink and a knowledge bomb, courtesy of SANS and the Vendors of the 2010 Forensics and Incident Response Summit.

The two awards ceremonies at the 2010 Digital Forensics and Incident Response Summit are free to the public. . You do not have to be a summit attendee to participate in any of the evening events listed below.

And, if you can't make it in person, listen in live via the FREE webcast.

The festivities begin at 4:20 p.m.


The SANS Institute's Digital Forensics Lethal Forensicator Coin (RMO)

Next week at the 2010 Digital Forensics and Incident Response Summit, we will unveil and award for the first time the SANS Institute's Digital Forensics "Lethal Forensicator" Coin (or RMO - for "Round Metal Object"). The members of this elite unit will encompass the best in the digital forensics field and those that have demonstrated talent or leadership deserving special recognition.

Digital Forensics Case Leads: Data Exposed, Movie Piracy Sites shutdown and a 0day exploit hits more the 10,000 Computers

This week in Case Leads we have another round of data exposed at WellPoint. The Feds shutdown movie piracy sites, and Microsoft reports more than 10,000 Windows XP computers hit with a 0day exploit. Some great reads on memory analysis and pagefiles, Safari Forensics and getting alternate timestamps from $MFT. Don't forget to cast your vote for the 2010 Forensic 4Cast awards, make your vote count.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Mount Raw images as VMDK virtual disks usingraw2vdmk

Good Reads: