SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

NTFS: An Introduction

Earlier this year, a lifetime ago in internet years, I published a series of posts on the FAT file system. Over the next few months, I'll be publishing a similar series on NTFS. Much of the information in these posts will come from Brian Carrier's excellent book, File System Forensic Analysis, from Microsoft articles, and from other sources. Where applicable, specific sources will be cited within each blog post.

On day one of SANS SEC508: Computer Forensics, Investigation and Response, we cover the most common file systems in detail. Almost without fail, someone asks if the material is really important


'Free Download Manager' Log Extraction

Recently I worked on a case that required me to reverse engineer some of the file formats used by the 'Free Download Manager' application. This is a popular download management application available from

The version of the application I analyzed stores its logs under %userprofile%\Application Data\Free Download Manager. It uses a number of files to handle different logs and to track various in-progress tasks. Here's a list of the files I found there:

  • dlmgrsi.sav - This is actually a short executable of some description. I'm not sure what it's for.
  • downloads.his.sav - Log file in the following format: it starts with the null-terminated header "FDM Downloads History", then 8 bytes of unknown data, followed by a list of records as follows,
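As an added example (not code from the original post), here is a small Python parser for the part of the downloads.his.sav layout described above: it verifies the null-terminated header, carves out the 8 unknown bytes, and hands back the record region with the offset it starts at, plus a hexdump helper for staring at that region while working out the record layout. The record layout itself is not reproduced because this excerpt does not give it; the sample bytes are constructed, not taken from a real FDM install.

```python
import binascii

HEADER = b"FDM Downloads History"

# Constructed sample, not a real capture: header, NUL, 8 unknown bytes, then an
# opaque record region (the record layout is not described in this excerpt).
SAMPLE = HEADER + b"\x00" + bytes(range(8)) + b"\x02\x00\x00\x00" + b"RECORD DATA..."


def parse_history(data: bytes):
    """Validate a downloads.his.sav blob and split it into its three known parts.

    Returns (unknown8, records_offset, records_blob) and raises ValueError on
    anything that does not look like an FDM history file.
    """
    nul = data.find(b"\x00")
    if nul == -1:
        raise ValueError("no NUL-terminated header found")
    if data[:nul] != HEADER:
        raise ValueError("header mismatch: %r" % data[:nul][:32])
    unknown = data[nul + 1:nul + 9]          # the 8 bytes of unknown data
    if len(unknown) < 8:
        raise ValueError("file truncated inside the 8-byte field after the header")
    records_offset = nul + 9                 # first byte of the record list
    return unknown, records_offset, data[records_offset:]


def hexdump(blob: bytes, base: int = 0, width: int = 16) -> str:
    """Offset / hex / ASCII dump; 'base' lets the offsets match the file on disk."""
    lines = []
    for i in range(0, len(blob), width):
        chunk = blob[i:i + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (base + i, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    unknown, off, records = parse_history(SAMPLE)
    print("unknown bytes:", binascii.hexlify(unknown).decode())
    print("records start at file offset", off)
    print(hexdump(records, base=off))
```

Point the script at the real file (`open(path, "rb").read()` in place of SAMPLE) and the hexdump of the record region, with file-relative offsets, is the starting point for working out the per-record fields.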


Making Reviewing Files From Data Carving Easier: Documents

This is my second installment on dealing with files recovered with data carving tools. As I said in my previous post on data carving, doing corporate forensics means I end up with mountains of files to go through after running carvers like Foremost, Scalpel or PhotoRec. Most of the programs out there either can't handle that many files or are very time-consuming to work with. One of the worst categories to go through was document files. You know the



Both the free version and the commercial version of the PTK project, the latter shipped as an appliance, are under continuous development. PTK can now manage hash libraries thoroughly and accurately, which makes investigations faster and easier. At the moment PTK works with hash libraries in HashKeeper format, or imports only those hash values already known to the investigator. PTK does not merely create hash sets flagged as GOOD or BAD: it lets the investigator create new, personalized sets and choose, case by case, the most appropriate set for the lookup operation. The screenshot below shows how it is possible to create three different hash sets (for example INFECTED, SYSTEM and STOLEN).


Extracting VB Macro Code from Malicious MS Office Documents

An incident responder or forensic investigator should be prepared to examine potentially malicious document files, which may be found on the compromised system or discovered in email, web, or other network streams. After all, embedding malicious code into documents, such as Excel spreadsheets or Adobe Acrobat PDF files, is quite effective at bypassing perimeter defenses. This note deals with one such scenario, focusing on how to extract the Visual Basic (VB) macro code that may be embedded in malicious Microsoft Office files. I will discuss how to extract macros from both legacy binary Office files (.doc, .xls, .ppt) and the modern XML-based Office formats that support macros (such as .docm, .xlsm, .pptm). As you'll see, OfficeMalScanner will be my tool of choice for getting the job
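As an added example (my own code, not OfficeMalScanner's and not from the original post), the Python below shows the two format-specific steps that any macro extractor has to perform. For the XML-based formats it opens the zip container and pulls out the embedded vbaProject.bin (which is itself an OLE2 compound file); for both families it then undoes the MS-OVBA compression applied to every VBA module stream, which is what turns the stored stream into readable source. Locating the module streams inside the OLE2 file (legacy .doc/.xls/.ppt, or the extracted vbaProject.bin) needs an OLE2 parser such as olefile and is not shown here. The sample .docm zip and the compressed stream are constructed by hand; the stream's plaintext is a two-line stub macro I made up for the test.

```python
import io
import math
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                        # zip container: .docm/.xlsm/.pptm and friends


def classify_office(data: bytes) -> str:
    """Rough triage by magic bytes: 'ole', 'ooxml' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def find_vba_project(ooxml: bytes):
    """Return (zip path, bytes) of the embedded vbaProject.bin, or None if there is none.

    A macro-enabled OOXML file keeps its whole VBA project as one OLE2 blob in the
    zip (typically word/, xl/ or ppt/ + vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return name, z.read(name)
    return None


def decompress_vba(container: bytes) -> bytes:
    """Decode an MS-OVBA compressed container (the scheme used for VBA module streams)."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature byte")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start = pos
        header = struct.unpack_from("<H", container, chunk_start)[0]
        chunk_size = (header & 0x0FFF) + 3          # bits 0-11: size - 3
        if (header >> 12) & 0x07 != 0b011:           # bits 12-14: fixed signature
            raise ValueError("bad chunk signature")
        compressed = (header >> 15) & 1              # bit 15: 1 = LZ77-style tokens
        chunk_end = min(len(container), chunk_start + chunk_size)
        pos = chunk_start + 2
        dec_chunk_start = len(out)
        if not compressed:                           # raw chunk: 4096 bytes of plaintext
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                   # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                diff = len(out) - dec_chunk_start    # bytes decoded so far in this chunk
                if diff == 0:
                    raise ValueError("copy token with nothing to copy from")
                # the offset/length split of the token depends on how much has been decoded
                bit_count = max(math.ceil(math.log2(diff)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):              # overlapping copies are allowed
                    out.append(out[src + i])
    return bytes(out)


def build_sample_docm() -> bytes:
    """Constructed minimal .docm-like zip; vbaProject.bin is a stand-in blob, not a real OLE2 file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed compressed stream: one compressed chunk, hand-encoded per MS-OVBA,
# whose plaintext is EXPECTED_SOURCE (a made-up stub macro).
EXPECTED_SOURCE = b"Sub AutoOpen()\r\nEnd Sub\r\n"
SAMPLE_STREAM = (
    b"\x01"                                # container signature
    b"\x1a\xb0"                            # chunk header 0xB01A: size 29, sig 0b011, compressed
    b"\x00" b"Sub Auto"                    # flags 0x00: eight literals
    b"\x00" b"Open()\r\n"                  # flags 0x00: eight literals
    b"\x10" b"End " b"\x00\x98" b"\r\n"    # four literals, copy token (offset 20, len 3 = "Sub"), two literals
)

if __name__ == "__main__":
    doc = build_sample_docm()
    print(classify_office(doc), find_vba_project(doc)[0])
    print(decompress_vba(SAMPLE_STREAM).decode())
```

With a real vbaProject.bin, the bytes to feed decompress_vba are each module stream starting at its text offset from the project's dir stream, which is exactly the lookup an OLE2 parser provides; the copy-token arithmetic above is the part people most often get wrong when writing their own extractor, so the constructed stream deliberately exercises one copy token.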