Beats and Bytes – Striking the Right Chord in Digital Forensics

There is geometry in the humming of the strings, there is music in the spacing of the spheres.  – Pythagoras

DOWNLOAD PAPER HERE and see them perform at the DFIR SUMMIT and TRAINING 2017 in AUSTIN TX.


Curiosity is a personality trait that tends to draw me towards others in a way that forms lasting and meaningful friendships.  If I find someone as curious as I am about the same things I’m curious about, that shared curiosity provides fertile ground for conversation, inquiry, and collaboration.  So, it comes as little surprise that Ryan Pittman (Resident Agent in Charge, NASA OIG Computer Crimes Division), Matt Linton (Chaos Specialist, Google Inc.), and I should become fast friends. The three of us are deeply curious people who share not only an interest in Digital Forensics and Incident Response, but also in all sorts of other subjects, including music.

Strokes of synchronicity, independent observations, and conversations between Matt, Ryan, and me about music and its role in our personal and professional lives brought the three of us together to take a closer look.  We talked about all the other successful and creative musician-forensicators we knew of. We theorized that part of the secret to our success in this field was owed, in no small part, to our avocational musical practice. We talked about skills that translate directly from music to DF/IR, such as pattern recognition and transposition.  After all, music practice and notation are analogous to a computer program in that there is a specific set of instructions that, if followed correctly, produce a predictable result – the song.  This led us to dig deeper into research about music and the brain, and specifically how music helps build brain plasticity, supports emotional resilience, and builds teamwork.

Brain plasticity, also called neuroplasticity, refers to the ability of the brain to physically change throughout our lives. Our brains have the marvelous ability to reorganize themselves through the formation of new connections between brain cells known as neurons. Though genetic and environmental factors are part of the equation, a person’s own actions also play a significant role in brain plasticity.  Whenever a person learns something new, memorizes something, or practices a physical or mental skill, tangible physical changes happen in the brain. In fact, research shows that the brain doesn’t stop changing through learning.

This is great news for anyone who wishes they could be “smarter” or wants to learn new things.  You absolutely can! And, as it turns out, you don’t have to have the highest IQ to be the most successful at what you do.  Research in this area points to the fact that the combination of intelligence with creativity (supported through avocations such as music) results in the highest performing scientists.

Research also points to music as a great tool for supporting emotional resiliency.  Listening to music has been shown to influence emotional state, energy level, and our perception of the world around us. Taking this one step further, playing or learning to play an instrument has led to positive outcomes for veterans suffering from PTSD. Playing music has been shown to short-circuit and switch off stress responses, preventing them from becoming chronic and improving emotional and physical health. In the DF/IR profession, where consistent exposure to highly stressful situations and traumatic content is all too frequent, supporting emotional resiliency through listening to, playing, and learning to play music makes a great deal of sense.

In terms of building the skills, mindset, and habits necessary for successful teamwork, studies have also shown playing music in a group to be extremely beneficial. Musicians who play together in a group learn to work together, support each other in success and failure, teach each other needed skills, and feel connected (by beat and rhythm), in addition to elevating their moods and focusing on something other than individual stress. In fact, musicians’ brainwaves have been shown to synchronize when they play together.

In addition to looking at these positive factors, Ryan, Matt, and I put together a survey and got responses from over 200 DF/IR professionals about their musical preferences and practices.  We found that there are a lot of people in our field who already leverage music as a tool to support their basic brain health. We wrapped up what we learned in a paper that we’d like to share with the community.  We’ll be presenting our findings at the SANS DF/IR Conference, and you can read more about this not-so-secret elixir, music, and how it could be helping you to improve your digital forensics and incident response practice in our paper, Beats & Bytes: Striking the Right Chord in Digital Forensics.

Bonus!  If you’d like to check out what other forensicators listen to during their exams, check out the Ultimate DF/IR Playlist that we put together on Spotify!

DFIR Hero — Cindy Murphy Interview

Cindy Murphy is teaching our Advanced Smartphone Forensics Course in McLean, VA in February 2016.  Sign up now to take this course with Cindy.  We interviewed Cindy so you can get to know her a bit better.  Cindy’s real world experience working in law enforcement and cyber security communities combined with her unending knowledge of smartphone forensics (and almost everything else) makes her one of the best and most sought after speakers in the entire DFIR community.  She is the current DFIR Hero of the week.

1.  Who are you?  What is your homepage?

That’s pretty much the ultimate question, isn’t it?  I am Cindy Murphy.  I’m a detective with the Madison, WI police department, where I’ve been a cop for the past 24 years, about 19 years of that time doing digital forensics.  I’m also a veteran, a mother, a musician (4 and 5 string banjo, cello, tenor guitar, mandolin, and ukulele), a protester for first amendment rights, a Brittany Spaniel enthusiast, and a knot tier.

2.  Twitter handle etc? 

My police department’s webpage is, my band’s website is, and my Twitter handle is @cindymurph.

3.  Tell us how you became interested in IR or Forensics.

I almost literally fell into Digital Forensics.  In 1998 I was involved in a high-speed chase where an armed man ran from a stolen vehicle after he crashed it.  I chased him over a chain link fence, and caught him with the help of another officer. After we tackled and handcuffed him, the other officer then kindly pointed out to me that my pants were torn from crotch to knee and I was bleeding profusely. I realized then that I had not made it over the fence unscathed but had messed up my lower back and lacerated my hamstring.

While on light duty, recovering from that injury, I caught the digital forensics bug.  I worked with a now-retired detective on one of the first computer forensics cases our department had done. A guy was cutting signatures out of historical books at the WI State Historical Library, and selling them in newsgroups. Many years later, in 2012, I learned that Eoghan Casey was working the other end of that case in Boston.  We solved that case using DOS commands on a DD image of the suspect’s computer. It was a new and fascinating set of problems to solve, involving some skills my dad had shown me when I was a kid.  I put in a training request to go to the NW3C’s Basic Data Recovery and Analysis class and ended up attending in Helena, MT in 1999 with my twin sister (we didn’t plan it that way – she was working in network security for Yellowstone County, MT at the time, and they sent her to the same BDRA class).

Several months later I was back on the streets, healed from my injuries, and a new fan of digital forensics when I got into another foot chase and injured my right knee badly. Another trip to the E.R., knee surgery, and another long stretch of PT later, I came out in relatively good shape.  I went back on light duty, and was assigned to work on a new computer forensics case.  After consultation with my family, I promoted to detective in 2000 and became a Financial Crimes detective.  I was also being tasked to help with computer related cases where they came in, and over the next several years they took over more and more of my case load. In 2003 the department created a new position in the detective bureau for Computer Crimes, and I was assigned to working computer crimes and computer forensics full time.

4. What gives you the most satisfaction while working on a case?

There are a lot of things that give me satisfaction about doing digital forensics work in a law enforcement environment.  Usually, by the time digital evidence gets to me, someone’s experienced something really awful, and I’ve got the chance to do something to help that person in a very meaningful way.  Alternatively, they’ve been accused of something really bad, and my work might possibly exonerate them.  Either way, helping people is a great motivator.

I also really enjoy the puzzle solving aspect of this work. It gives me a great deal of satisfaction to find ways to figure out or solve difficult or new problems.  There’s no shortage of digital forensics work in the LE world, and no shortage of compelling problems. Each time I tackle and successfully solve one of these problems, or make significant progress towards a solution, I’ve made a habit of celebrating it and if it’s something I think other people will be able to leverage to help them in their work, I try to find the time to write about it and share it. Hearing back from people who have taken what I’ve done and built on it, or who have solved similar problems in different ways is really awesome.

5.  What forensic techniques do you find the most useful?

It’s hard to single out one (or even a few) techniques that are ‘most’ useful.  Techniques, in and of themselves, are tools that help us to find our way towards the answer to a question, and which ones are most useful is really dependent on what sort of problem we’re trying to solve. It’s not really technique, but rather method that makes the difference.

The scientific method though? It works. And so if you consider use of the scientific method a technique, then I would choose it as being most useful.  And it’s actually really straightforward.  Figure out what specific question you want to answer, develop a hypothesis, try to predict the potential results, test based upon logical predicted outcomes, and analyze the results to determine what makes sense to do next. Adjust and repeat. When you’re successful, have someone replicate your results. Rely on peer review to back you up in your success, and then write it up so everyone knows how you did what you did.

6.  What is your forensic tool of choice and why?

See above.  The scientific method combined with the human brain.  We have amazing processors when you think about it.  As amazingly complex as data can be, and as much of it is out there, and as fast as technology advances, somehow we humans created all of it: the data and the machines and software we use to analyze it.  Human brains and the consciousness that drives them are infinitely more complex than all of that hardware, software and data we’ve created. A well educated mind armed with the scientific method is an amazing thing.

7.  What area of forensics or incident response needs to be understood by every new investigator?

You may accuse me of sounding like a broken record (or scratched CD), but my answer again is the scientific method. If you teach new investigators how to ask the right questions and to frame the way they go about answering those questions by using solid methodology, you will provide them with a solid foundation for the rest of their career.  If you just teach them to drive the software tools and a few tricks about how to view data in different ways, they’re much less likely to be effective as examiners.

8.  What area of digital forensics or incident response is the most exciting development over the past few years?

In my opinion the most exciting developments in digital forensics and incident response are in the mobile world.  As legacy mobile devices have become smarter, we now are living in a world where a good portion of people are connected to numerous networks with mobile devices. This presents both opportunities and challenges for us in terms of sources of evidence, and the balance between people’s rights to privacy and the investigator’s ability to leverage that data in an investigation.

9.  Why is teaching computer forensics to new students important?  Why do you like doing it?

The DFIR field is only going to grow in the future, and we need curious, flexible, and well educated minds to push the profession and field in the various directions it needs to grow.  Albert Einstein has been quoted as saying “If you can’t explain it simply, you don’t understand it well enough.” Teaching is a great way to learn the skill of finding straightforward ways to explain complex subjects, which is helpful to me when it comes to educating police officers, attorneys, juries, and citizens about technology.  I find that through teaching, I gain better understanding of the subject matter and ways to explain it so that others can understand it.  The questions students ask push me to hone my knowledge base and often push my curiosity in different directions that I might not have otherwise thought to explore and research. Teaching is also a really great way to pass forward not just the technical information I’ve picked up in the years I’ve been doing forensics, but also the practical things that work in this field. The DF/IR field is one where the combination of doing the work, teaching, and research all support each other in really productive ways.

10. How long have you been instructing or teaching individuals in computer forensics?  

I’ve been teaching people about computer crimes, and digital forensics or to actually do digital forensics since around 2002.  My early teaching experiences generally involved mentoring other law enforcement officers who were learning forensics, presenting at conferences, and talking to citizens about cybercrime risks.  In 2006, I started working with Madison College to develop curriculum for a certificate program in Digital Forensics which I helped to teach until recently. Madison College also has a program called “Girl Tech” for girls in middle school, which focuses on developing an interest in STEM subjects that I’ve participated in.  I’ve also been a guest faculty for the National District Attorney’s Association, teaching digital forensics testimony, and have consulted with other technical colleges about digital forensics curriculum.

11.  What is your favorite part of the SANS FOR585: Advanced Smartphone Forensics class?

My favorite part of the SANS FOR585 Advanced Smartphone Forensics class is the capstone project in Day 6 of the course. Watching the “ah-ha” moments happen in real time as the students work through the realistic problems we’ve built into the capstone is always rewarding.  Knowing that the students have learned about the various smartphone platforms through the lecture and 14 previous labs during the week and can practically apply those techniques to solve the challenging problems in that data set is really cool. It’s a satisfying thing to know you’ve sent people home with a new skill set that they can put to use in their cases right away. I know we’re sending them home with the knowledge and skills they need to succeed.

12.  How did you get involved in SANS?  What makes SANS unique?

I became involved in SANS through consistent searching for high quality training in the DF/IR field.  Around 2008 or so, I attended a SANS Community course on ethical hacking and had some concerns about the messaging of the training material in regards to private companies reporting hacking incidents to law enforcement.  I reached out to them about my concerns, and SANS responded in a really great way and improved the messaging. Not only that, but they asked me to get involved in the solution by presenting at a “What Works in Forensics and Incident Response” conference the next year.  That’s illustrative about what makes SANS unique. They consistently strive for quality and excellence in training, and work collaboratively with the DF/IR field to constantly improve on the status quo.

13.  What do you do in your free time when not working on digital forensics of smartphones?

I have a really full life outside of forensics, and I try to maintain some semblance of balance, because my work is really stressful.  For me, balance means spending time with my dogs, yoga, meditation, and tying knots. These days, it usually means I’m playing the 4 and 5 string banjos, cello, and tenor guitar with Hoot’n Annie. We’re a progressive folk / newgrass band made up of a cop, a defense attorney, a preacher, a teacher, a restaurant owner, and a child policy analyst, all of whom are extremely passionate about life. We’re playing quite a few gigs and have a loyal and growing fan base in the Madison area. It doesn’t get much more balanced (or more fun) than that!

Cindy’s Full Bio:

Bio: Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of many hundreds of hard drives, cell phones, and other items of digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She also helped to develop the digital forensics certificate program at Madison Area Technical College. She is a certified SANS instructor and co-authored and teaches the Advanced Mobile Device Forensics (FOR585) course for the SANS Institute. She has presented internationally on various digital forensics topics and frequently writes articles and whitepapers for the community on various forensics related topics. She earned her MSc in Forensic Computing and Cyber Crime Investigation through University College, Dublin where she completed her dissertation on the subject of victim age estimation from child exploitation images.
She is also involved with the Wisconsin Association of Computer Crimes Investigators (WACCI), where she serves as Past President for the WACCI West Chapter, the Chicago Electronic Crimes Task Force, and the High Tech Crime Consortium (HTCC); is 2nd Vice President of The Consortium of Digital Forensics Specialists; and is also a member of the International Guild of Knot Tyers (IGKT).

Listen to Cindy discuss “Advanced Smartphone Forensics” in this SANS webcast that every DFIR professional should listen to.

“Cindy Murphy is a force to be reckoned with! Very happy I signed up for this class.” – Reza Z., DirectTV

“Cindy is Awesome! She fully understands what is happening in the field and how to do our job better.” – John P., Shell Oil

“Good, real-world experience. Clearly, Cindy has been there, done that.” – Chris Mallow, University of Oklahoma

Cindy Murphy is teaching our Advanced Smartphone Forensics Course in McLean, VA in February 2016 – Register Now!

New Windows Forensics “Evidence of…” Poster Released


Link for new poster ->

The “Evidence of…” categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS course FOR408: Windows Forensics. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations.

Proper digital forensic and incident response analysis is essential to successfully solving today’s complex cases. Each analyst should examine the artifacts and then analyze the activity that they describe to determine a clear picture of which user was involved, what the user was doing, when the user was doing it, and why. The data here will help you in finding multiple locations that can substantiate facts related to your casework.

Each of the rows listed on the poster describes a series of artifacts found on a Windows system that can help determine if an action occurred. Usually multiple artifacts will be discovered that all point to the same activity. These locations are a guide to help you focus your analysis on the areas in Windows that can best help you answer simple but critical questions.

The updated SANS Digital Forensics and Incident Response Poster has been released.  This new update includes many new artifacts and locations from Windows XP through Windows 8.1.  You can receive (download and/or in the mail) your very own copy of the SANS DFIR Poster by clicking on this link and registering for it by June 12, 2015 ->



DFIR Hero — David Cowen Interview


David Cowen is teaching our Windows Forensics Course at SANS Minneapolis in July 2015.  Sign up now to take this course with David.  We interviewed David so you can get to know him a bit better — he is one of the best in the industry.  A leader.  An astonishing analyst and visionary.  He is our current DFIR Hero.

1.  Who are you?  What is your homepage?

I’m David Cowen. I think most people know me from but I also maintain for our software, for the books and my company site

2.  Twitter handle etc? 

Twitter: @hecfblog


3.  Tell us how you became interested in IR or Forensics.

I was a pen tester in the 90s and I thought that was probably the coolest job I would ever have. Then in 1999 I got a call from a physical company I had a relationship with about a rogue ex-CTO who they suspected was keylogging the other executives. I took on the job, got my first copy of EnCase and thanks to our suspect’s own bad decisions solved the case. After that I was hooked and found something even better than pen testing, where people really cared about the results of my work and I made a difference.

4. What gives you the most satisfaction while working on a case?

When I get to see that moment of comprehension in my client’s face when they finally understand what we were able to prove happened. Every case is different because the people who perform the actions we investigate are different, so finding out what makes them special and helping someone else understand that so they can use it keeps me going. Well, that and finding new artifacts!

5.  What forensic techniques do you find the most useful?

All of them I think is the right answer. If I was to promote one thing that people are not doing, it’s testing. Testing their assumptions, tools and theories to make sure that the artifacts they are relying on are repeatable and re-creatable.

6.  What is your forensic tool of choice and why?

You know I have to say Triforce ANJP. File System Journal forensic analysis is something I do in every case now to understand at a lower level exactly what happened in the past on a system.

7.  What area of forensics or incident response needs to be understood by every new investigator?

File system journaling forensics I think is something everyone needs to start looking at. Otherwise validating assumptions and findings before presenting them.

8.  What area of digital forensics or incident response is the most exciting development over the past few years?

I have to say file system journaling forensics, as it’s been my main area of research over the last 3 years. Otherwise, artifacts like shellbags and shimcache and the rise of memory forensics have been a huge boon for everyone.

9.  Why is teaching computer forensics to new students important?  Why do you like doing it?

You will never fully understand and master a topic until you have to teach it to someone else. Every time I teach for SANS and talk to the students I walk away with new questions, ideas and theories to test that make me a better examiner.

Beyond that I love watching students grow in their knowledge and ability through each day of the class. They come out much more confident and prepared for the world when they leave us.

10. How long have you been instructing or teaching individuals in computer forensics?  

I’ve been teaching computer forensic classes since 2001 with the local HTCIA, classes at conventions, private classes for industry as well as teaching a graduate course in forensics once. Teaching is something I enjoy doing and SANS makes it fun.

11.  What is your favorite part of the SANS FOR408: Windows Forensics class?

I think for me it’s the day 6 challenge. After being bombarded with information and artifacts for 5 days you really get a feeling for how well you did as an instructor when the students begin getting excited by using what they learned the last 5 days.

12.  How did you get involved in SANS?  What makes SANS unique?

I reached out to SANS about developing training around my file system journaling forensics research. Given the opportunity to not only help develop new content for SANS but to also teach was too good of an opportunity to say no to.

The thing that makes SANS different from all of the other courses I’ve taught is the level of quality and effort demanded from everything you do. The slides, notes, labs, instruction, everything has to be the best and I enjoy meeting the challenge.

13.  What do you do in your free time when not working on computer forensics?

I like to be a Dad to my kids and of course master the art of Texas BBQ.

David’s Full Bio:

David Cowen is a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.

David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David’s research enables examiners to go back in time to find previously unknown artifacts and system interactions.

David speaks about digital forensics and file system journaling forensics at DFI and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.

David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.

David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog ( contains some 448 articles on digital forensics.  David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.

When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.

Listen to David Cowen’s industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect’s activity on a Windows system.

David Cowen is teaching our Windows Forensics Course at SANS Minneapolis in July 2015 — REGISTER NOW!

SANS DFIR Summit 2015 – Call For Papers


  • Summit Dates: July 7-8, 2015
  • Post-Summit Training Course Dates: July 9-14, 2015

Summit Venue:

  • Hilton Austin
  • 500 East 4th Street
  • Austin, TX  78701
  • Phone: 512-482-8000


The Digital Forensics and Incident Response Summit will once again be held in the live music capital of the world, Austin, Texas.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Speakers – Now Open
The Digital Forensics and Incident Response Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the DFIR Summit website and all printed materials
  • Visibility via the DFIR post-Summit on the SANS DFIR Website
  • Top 8 presentations invited to do a full SANS Webcast
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free to attend the summit
  • Private speakers-only networking lunches
  • Speakers-only networking reception on evening before Summit
  • *Presentations may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).

Submission Requirements

  • Title of Proposed Talk
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
  • Your biography should be approximately 150 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Abstract
  • The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational. The presentation should be relevant to: Digital Forensics Examiners, Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.
  • Twitter Handle:
  • Google+:
  • Facebook:
  • Blog:
  • YouTube videos featuring you speaking:

Session/panel length: 45-60 minutes

Presentation: 40-45 minutes

Question & Answer: 5-10 minutes

Submit your submissions to by 5 pm EST on Tuesday, December 15, 2014 with the subject “SANS DFIR Summit CFP 2015.”

Finding Evil on Windows Systems – SANS DFIR Poster Release

Adding to our ever growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster, “Finding Evil,” created by SANS Instructors Mike Pilkington and Rob Lee.

This poster was released with the SANSFIRE 2014 Catalog, so you might already have one.  If you did not receive a poster with the catalog or would like another copy, here is a way to get one.  For a limited time, we have set up a website where anyone can easily order one to use in their hunt to “Find Evil.”

Get the “Find Evil Poster” Here

In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information in the poster as a reference for locating anomalies that could reveal the actions of an attacker.

One of the biggest challenges that we have in FOR526 Memory Forensics and FOR508 Advanced Incident Response is getting individuals to understand a “normal Windows process list.”

  • What should be there?
  • What is good?
  • What would be a flag or something that would draw our attention?

This training usually begins with a full explanation of how SVCHOST.EXE is abused, but it then goes further into the heart of the Windows process list: which processes you should expect to see and which ones are odd.

We quickly move on to discuss where we might find things that are odd on the second side of the poster.  The example below is a discussion of looking for Code Injection, which we cover in both FOR526 Memory Forensics and FOR508 Advanced Incident Response.
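The baseline knowledge the poster teaches (expected parent, expected image path, expected instance count for core system processes) can be scripted. The following Python example is added here and is not from the poster or from SANS: the baseline table encodes well-known Windows facts as assumptions of this example (svchost.exe is started by services.exe from System32, lsass.exe and services.exe run once), and it runs those checks over a constructed process list with two planted anomalies.

```python
"""Baseline checks over a Windows process list, in the spirit of the
"Finding Evil" poster.  The rules below are this example's own: they
encode well-known Windows facts (svchost.exe is started by services.exe
from System32, lsass.exe runs once) rather than text from the poster."""
from collections import Counter

# Expected (parent name, image path) per core process; None = don't check.
BASELINE = {
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe"),
    "csrss.exe":    (None,           r"c:\windows\system32\csrss.exe"),
}
# Processes that should appear exactly once on a live system.
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")

def find_evil(procs):
    """procs: dicts with name, pid, ppid, path (as from pslist/tasklist).
    Returns (pid, reason) tuples for entries that deviate from the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name not in BASELINE:
            continue                      # no baseline for this process
        exp_parent, exp_path = BASELINE[name]
        parent = by_pid.get(p["ppid"])
        seen = parent["name"].lower() if parent else "<unknown pid %d>" % p["ppid"]
        if exp_parent and seen != exp_parent:
            findings.append((p["pid"], f"{name} parent is {seen}, expected {exp_parent}"))
        if p["path"].lower() != exp_path:
            findings.append((p["pid"], f"{name} runs from {p['path']}, expected {exp_path}"))
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append((None, f"{counts[name]} copies of {name}, expected 1"))
    return findings

# Constructed sample list; the last two entries are the planted anomalies.
SAMPLE = [
    {"name": "wininit.exe",  "pid": 400,  "ppid": 300,  "path": r"C:\Windows\System32\wininit.exe"},
    {"name": "services.exe", "pid": 480,  "ppid": 400,  "path": r"C:\Windows\System32\services.exe"},
    {"name": "lsass.exe",    "pid": 496,  "ppid": 400,  "path": r"C:\Windows\System32\lsass.exe"},
    {"name": "svchost.exe",  "pid": 620,  "ppid": 480,  "path": r"C:\Windows\System32\svchost.exe"},
    {"name": "explorer.exe", "pid": 1200, "ppid": 1100, "path": r"C:\Windows\explorer.exe"},
    {"name": "svchost.exe",  "pid": 2048, "ppid": 1200, "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"name": "lsass.exe",    "pid": 3100, "ppid": 1200, "path": r"C:\Windows\System32\lsass.exe"},
]
```

Calling `find_evil(SAMPLE)` reports the svchost.exe spawned by explorer.exe from a Temp directory, the second lsass.exe with the wrong parent, and the duplicate lsass.exe count; the first five entries alone produce no findings.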

Get the “Find Evil Poster” Here

This poster should be on the wall of every Security Operations Center (SOC) where IR teams and analysts are hunting down the adversary in your enterprise.  It is meant to teach both experts and those who are new to the field the intricacies of “What is normal?” on a Microsoft Windows system.  This is part of our dedication to helping and giving back to the security community with contributions like these posters and the SIFT 3.0 workstation.

Poster Credits:

Lead authors -> Mike Pilkington and Rob Lee


  • Jared Atkinson
  • Jason Fossen
  • Jesse Kornblum
  • Doug Koster
  • Kristinn Gudjonsson
  • Kris Harms
  • Joachim Metz
  • David Nides
  • Patrick Olsen
  • Christian Prickarts
  • Elizabeth Schweinsberg
  • Anuj Soni
  • Alissa Torres
  • Jake Williams
  • Tom Yarrish
  • Chad Tilbury
  • Lenny Zeltser

Faster SIFT 3.0 Download and Install #DFIR #SIFT3

Having trouble downloading the new SIFT 3.0?   We are currently experiencing heavy traffic.  Try the bootstrap install option.
  • Download and install.
  • Open a terminal.
  • Type: wget --quiet -O - | sudo bash -s -- -i -s -y
  • It will stop a couple of times to ask you a few questions.  They are easy to answer.
  • It takes about 20 minutes to install from bootstrap.
This is the same version that was installed in the VM and will probably be quicker for you to set up.
Finally, this shows off our new package manager: when new releases come out and you run update and upgrade, the tools will be switched to the latest versions.
Happy hunting.
Discuss your experiences with SIFT using the #SIFT3 hashtag.

SANS SIFT 3.0 Virtual Machine Released

SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3.0


An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Offered free of charge, the SIFT 3.0 Workstation will debut during SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR508) at DFIRCON. SIFT 3.0 demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

“Even if SIFT were to cost tens of thousands of dollars, it would still be a very competitive product,” says Alan Paller, director of research at SANS. “At no cost, there is no reason it should not be part of the portfolio in every organization that has skilled forensics analysts.”

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

“The SIFT Workstation has quickly become my ‘go to’ tool when conducting an exam. The powerful open source forensic tools in the kit on top of the versatile and stable Linux operating system make for quick access to most everything I need to conduct a thorough analysis of a computer system,” said Ken Pryor, GCFA, Robinson, IL Police Department.

Key new features of SIFT 3.0 include:

  • Ubuntu LTS 12.04 Base
  • 64 bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Option to install stand-alone via (.iso) or use via VMware Player/Workstation
  • Online Documentation Project at
  • Expanded Filesystem Support

Download SIFT Workstation 3.0 Locations

Download SIFT Workstation VMware Appliance – 1.5 GB

Note: The file is zipped using 7zip in the 7z format. We recommend 7zip to unzip it. Download 7zip.

Manual SIFT 3.0 Installation


We tried to make the installation (and upgrade) of the SIFT workstation as simple as possible, so we created the SIFT Bootstrap project, a shell script that can be downloaded and executed to convert your Ubuntu installation into a SIFT workstation.

Check the project out at


Using wget to install the latest tools, configure SIFT, and apply the SIFT theme:

wget --quiet -O - | sudo sh -s -- -i -s -y

Using wget to install the latest tools only:

wget --quiet -O - | sudo sh -s -- -i

SIFT Login/Password:

After downloading the toolkit, use the credentials below to gain access.

  • Login “sansforensics”
  • Password “forensics”
  • $ sudo su -
    • Use to elevate privileges to root while mounting disk images.

SIFT Workstation 3.0 Capabilities

Ability to securely examine raw disks, multiple file systems, and evidence formats. Places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

File system support
  • ntfs (NTFS)
  • iso9660 (ISO9660 CD)
  • hfs (HFS+)
  • raw (Raw Data)
  • swap (Swap Space)
  • memory (RAM Data)
  • fat12 (FAT12)
  • fat16 (FAT16)
  • fat32 (FAT32)
  • ext2 (EXT2)
  • ext3 (EXT3)
  • ext4 (EXT4)
  • ufs1 (UFS1)
  • ufs2 (UFS2)
  • vmdk
Evidence Image Support
  • raw (Single raw file (dd))
  • aff (Advanced Forensic Format)
  • afd (AFF Multiple File)
  • afm (AFF with external metadata)
  • afflib (All AFFLIB image formats (including beta ones))
  • ewf (Expert Witness format (encase))
  • split raw (Split raw files) via affuse
  • affuse – mount 001 image/split images to view single raw file and metadata
  • split ewf (Split E01 files) via
  • ewfmount – mount E01 images/split images to view single raw file and metadata
Partition Table Support
  • dos (DOS Partition Table)
  • mac (MAC Partition Map)
  • bsd (BSD Disk Label)
  • sun (Sun Volume Table of Contents (Solaris))
  • gpt (GUID Partition Table (EFI))
Software Includes:
  • mantaray
  • Rekall Framework (Memory Analysis)
  • Volatility Framework (Memory Analysis)
  • Autopsy (GUI Front-End for Sleuthkit)
  • PyFLAG (GUI Log/Disk Examination)
  • afflib
  • libbde
  • libesedb
  • libevt
  • libevtx
  • libewf
  • libfvde
  • libvshadow
  • log2timeline
  • Plaso
  • qemu
  • SleuthKit
  • 100s more tools -> See Detailed Package Listing

SIFT Workstation 3.0 How-Tos

  • SANS DFIR Posters and Cheat Sheets
  • SIFT Documentation Project
  • How To Mount a Disk Image In Read-Only Mode
  • How To Create a Filesystem and Registry Timeline
  • How To Create a Super Timeline
  • How to use the SIFT Workstation for Basic Memory Image Analysis

Report Bugs

As with any release, there will be bugs and feature requests; please report all issues and bugs at the following website.

SIFT Recommendations

SIFT workstation is playing an important role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its forensic capabilities are bundled in a way that allows an investigation to be conducted much faster than it would take without having the right programs grouped on such a great Linux distribution. The new version, which will be bootable, will be even more helpful. I’d highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, to the pricey forensics software available on the market.

– Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE

What I like the best about SIFT is that my forensic analysis is not limited because of only being able to run a forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, streamlining the forensic examination process.

– Brad Garnett

SANS DFIR SUMMIT Agenda and Specials Announcement

Digital Forensics & Incident Response Summit & Training | AGENDA LINE-UP POSTED!

The Digital Forensics and Incident Response (DFIR) Summit & Training event combines hands-on DFIR classroom training with trending DFIR summit speakers together into ONE premier event. One of the few DFIR-only training events on the SANS calendar! Join the most innovative minds in the industry to tackle advanced DFIR issues.


Announcing the SANS DFIR Summit 2014 Lineup!

  • Reverse Engineering Mac Malware           – Sarah Edwards
  • Incident Response Patterns                – Kyle Maxwell & Kevin Thompson
  • Why Hunt When You Can Seine?              – Dave Hull
  • Automating Linux Memory Capture           – Hal Pomeranz
  • Blackberry Forensic Nuggets               – Detective Cynthia A. Murphy
  • Mach-O Binary Data Analysis               – David Dorsey
  • 10 Ways to Make Your SOC More Awesome     – Shelly Giesbrecht
  • Google Analytic Artifacts                 – Mari DeGrazia
  • Best Finds for 2014                       – David Cowen
  • Excel at Forensics                        – Anthony Gawron & David Nides
  • Influencing Change in DFIR Tools          – Dan Pullega
  • Peeling the Application Like an Onion     – Lee Reiber
  • Windows 8 File History Analysis           – Kausar Khizra & Nasa Quba
  • USB Devices & Media Transfer Protocol     – Nicole Ibrahim
  • Closing the Door on Web Shells            – Anuj Soni
  • Evolution of Incident Response            – Jeffrey J. Guy
  • To Silo, or Not to Silo                   – Frank McClain
  • Targeted Campaign Analysis and Tracking   – Christopher Witter
  • Pillars of Incident Response              – Brandie Anderson

For additional speakers and topics — Download the full agenda here:

One-time Promotional Opportunity – STARTS 3/17!

SANS will offer two promotions running from March 17-31, 2014.

Class & Summit Promotion – Summit for $195 with a class. Choose a full priced course, add the summit and register with code COURSE and you’ll save $800. Reducing the summit to ONLY $195!

Summit Only Promotion – Summit for $495. Register with code SUMMIT and you’ll save $1000 off the 2 day event. When the code is applied your total fee for the Summit is $495!

DFIR Training Courses:

Choose from 6 DFIR training classes that will help build your DFIR Skills to new levels.

  • SEC504: Hacker Techniques, Exploits & Incident Handling with Alissa Torres
  • FOR408: Windows Forensics In-Depth with Rob Lee
  • FOR508: Advanced Computer Forensic Analysis and Incident Response with Chad Tilbury
  • FOR572: Advanced Network Forensics and Analysis with Phil Hagen
  • FOR585: Advanced Smartphone Forensics with Heather Mahalik
  • FOR610: Reverse-Engineering Malware: Malware Analysis Tools & Techniques with Jake Williams
  • DFIR NetWars – Free when registered for one of the courses taking place at the DFIR Training in Austin: SANS DFIR NetWars is a hands-on, interactive learning environment that enables DFIR professionals to develop and master the skills they need to excel in their field.

Register at

Remember, starting March 17, 2014, use these codes:

  • Summit Only Promotion – Summit for $495.  Register with code -> SUMMIT
  • Class & Summit Promotion – Summit for $195 with a class.  Register with code -> COURSE

Stay connected via twitter, using hashtag #DFIRsummit, to hear announcements and discussions surrounding the Summit.

Register Now! –

Additional SANS Forensic Resources: