Investigate and fight cyberattacks with SIFT Workstation

Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything one needs to conduct any in-depth forensic or incident response investigation.

The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static, so whenever there were updates users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, provided an Ubuntu subsystem (Windows Subsystem for Linux) is running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that offers much more functionality, is much more stable, and includes specific tools such as the Package Manager. This version supports rolling updates, and uses Salt, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initiatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

DFIR Summit 2019 Call for Presentations (CFP) Now Open

The 2019 DFIR Summit CFP is now open through 5 pm CST on Monday, March 4th.

The 12th annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place.

Summit talks will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response. All talks should be technical and specific and provide actionable takeaways.

The DFIR Summit offers speakers the opportunity to present their latest tools, findings, and methodologies to their DFIR industry peers. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

We are looking for proposed presentations on topics including, but not limited to:

  • Case studies in Digital Forensics, Incident Response, or Media Exploitation that solve a unique problem
  • New forensic or analysis tools and techniques
  • Discussions of new artifacts related to Cloud, Smartphones, Windows, and Mac platforms, malware reverse engineering, or network communications
  • Improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New analytic techniques that can extract and analyze data more rapidly and/or at a larger scale

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the DFIR Summit website and all printed material
  • Visibility via the DFIR post-Summit on the SANS DFIR Website
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free to attend the summit
  • Private speakers-only networking lunches
  • Speakers-only networking reception on the evening before Summit
  • Continued presence and thought leadership in the community via the SANS DFIR YouTube channel

Who Should Submit

Diversity of thought is critical to any organization’s success, and SANS Summits encourage participation by everyone regardless of age, culture, ethnicity, sexual orientation, or gender identification. Whatever your background, whoever you are, we encourage you to respond to a CFP. We welcome people who are newer to the field or who have not yet done any public speaking, and we can provide mentoring and guidance to help you develop an impactful presentation.

Most talks will be 35 minutes of content + 5 minutes of Q&A. However, we are always interested in exploring new formats, especially for interactive learning.

Deadline:
Monday, March 4, 2019 | 5 pm CST

CFP Submissions must be made via our online form.

SANS FOR585 Q&A: Smartphone Forensics – Questions answered

Learning doesn’t stop when you leave the SANS classroom. Instructors Domenica “Lee” Crognale, Heather Mahalik and Terrance Maguire answer some of the most common questions from FOR585 Smartphone Forensics course students in these short videos:

1) Using Hashcat to Crack an Encrypted iTunes Backup: Acquiring a locked iOS device can be difficult, so an iTunes backup may be the best evidence to examine. The iTunes backup files might be encrypted, so this mini webcast outlines how to use Hashcat to crack the encrypted iTunes backup files.

2) An Overview of Third Party App Examination: There are millions of applications (Apps) that can be used on a smartphone. This mini webcast outlines an approach to examining these applications.

3) Why Every Examiner Needs a Test Device: In a perfect world, we would always be examining rooted Android devices and jailbroken iOS devices, but unfortunately, full access to the file system is becoming a thing of the past. This mini webcast highlights the importance of populating test devices with user data so you can better speak to the artifacts that you ARE able to access on your next examination.

4) What if Nothing Supports Android Pie (v9)? The latest versions of Android are not commonly supported for acquisition by our tools. What can you do? Use ADB and interact with the live device. This mini webcast will teach you how to use ADB to extract information from Android devices and will discuss the traces some tools leave behind and why that trace is required if you want to obtain data.

5) iOS Malware – Where to Begin: It’s notably more difficult to pinpoint malware on your non-jailbroken iOS device without access to the application packages. This mini webcast outlines some of the best practices in analyzing the files you can access to provide indications of suspicious activity and the applications and services that are likely responsible.

6) Two Major Plists: This mini webcast will discuss how to determine if iMessage is disabled on an iPhone and how to determine if an iCloud restore occurred. Simple questions like this can make a difference in your investigation. We will discuss the file locations, which acquisition methods provide access to the files of interest and most importantly, how to parse the data.

About SANS FOR585: Smartphone Forensics Course

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data are hidden and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. More information: http://sans.org/FOR585 | Next course runs: sans.org/u/Mht

More Resources:

FOR585 Mobile Forensics Poster: Use this poster as a cheat-sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. This poster was created by FOR585 Advanced Smartphone Forensics course authors & Certified Instructors Heather Mahalik, Cindy Murphy and Domenica “Lee” Crognale with support from the SANS DFIR Faculty. Download it here

Heather Mahalik’s blog: https://smarterforensics.com/blog/

The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.

We are excited to announce the release of an all-new version of the free SOF-ELK®, or Security Operation and Forensics ELK, virtual machine. Now based on the new version of the Elastic Stack, SOF-ELK is a complete rebuild that is faster and easier to use than its predecessors, making forensic and security data analysis easier than ever.

Since its introduction about five years ago, there have been more than 10,000 downloads of SOF-ELK around the world by computer forensic investigators and information security operations personnel in the government, law enforcement and commercial sectors. The SOF-ELK platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingestion and enrichment component, and the Kibana dashboard frontend.

SOF-ELK was always designed to help minimize the typically long and involved setup process the ELK stack requires by delivering a pre-built virtual appliance that can be downloaded in a ready-to-use state. It consumes various source data types (numerous log types as well as NetFlow), parses out the most critical data fields, and presents them on several stock dashboards. Users can also build custom data visualizations that suit their own investigative or operational requirements (and, because of the fully open source nature of the project, can choose to contribute those custom builds back to the primary code repository). Learn more about the SOF-ELK distribution.

The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components. This required a total rebuild of all dashboards and supporting scripts. Simply download this distribution, turn it on, feed it some data and begin analysis. It’s that easy.

The SANS team has performed extensive testing of this distribution of the SOF-ELK platform. The new version’s most immediate benefits are its speed and refreshed browser interface. This is faster and easier to use and can visualize massive amounts of data through the dashboards. We also expect faster development cycles. Here are some more changes in the new SOF-ELK:

  • Supports the latest updates to the kernel and all CentOS packages.
  • Includes new parsers from upstream and community contributions.
  • Rebuilt and revalidated all Logstash parsers against the latest syntax.
  • Better handles dynamic (boot-time) memory allocation for Elasticsearch.
  • Rebuilt all Kibana dashboards to handle updated index mappings and field names.
  • IPv6 addresses can now be handled as IPs instead of strings.
  • Features many under-the-hood changes that will make our roadmap much smoother in the future.

The SOF-ELK platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now also used in SANS SEC555, SIEM with Tactical Analysis. Additional course integrations are actively being worked on and considered for future versions. However, SOF-ELK was always designed as a free resource for the digital forensic and broader information security communities at large – a ready-to-use appliance that teams can use without having to invest many hours in deploying, configuring, and maintaining an Elastic Stack instance. We hope you check out the latest version of the SOF-ELK distribution.

____________________________________________________________________________________

JOIN THIS WEBCAST TO FIND OUT MORE: 
SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

  • When: Tuesday, March 5th, 2019 at 1:00 PM EST 
  • Conducted by Phil Hagen
  • Register now

Overview

There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, often realizing the significant level of effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this webcast, we will explore SOF-ELK’s use cases and the types of log data currently supported, as well as how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and show how new features can be activated through the project’s GitHub repository.

Shortcuts for Understanding Malicious Scripts

You are being exposed to malicious scripts in one form or another every day, whether it be in email, malicious documents, or malicious websites. Many malicious scripts at first glance appear to be impossible to understand. However, with a few tips and some simple utility scripts, you can deobfuscate them in just a few minutes.

SANS Instructor Evan Dygert conducted a webcast on October 3rd, 2018. This webcast teaches you how to cut through the obfuscation techniques the script authors use and not spend a lot of time doing it. Evan also demonstrates how to quickly deobfuscate a variety of malicious scripts.

The samples of the scripts he provided during the webcast can be downloaded here: https://dfir.to/MaliciousScripts. Please note the password for the samples.zip folder is: “infected”

We hope that the techniques presented in this webcast help you to begin deobfuscating potentially malicious JavaScript. This topic is explored in depth in the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course. This class offers an excellent opportunity to understand the unique and insightful perspective that malware analysis can bring to your investigations.

New CheatSheets you might be interested in:

Tips for Reverse-Engineering Malicious Code – This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. Download Here

REMnux Usage Tips for Malware Analysis on Linux – This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. Download Here

Cheat Sheet for Analyzing Malicious Documents – This cheat sheet presents tips for analyzing and reverse-engineering malware. It outlines the steps for performing behavioral and code-level analysis of malicious software. Download Here

Malware Analysis and Reverse-Engineering Cheat Sheet – This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat (PDF) files. Download Here

—————————————————————————————————————————–

For opportunities to take the FOR610 course, consider upcoming runs and modalities: 

  • US & International live training: Live events offered throughout the US, EMEA & APAC regions.
  • DFIR Summits: Two days of industry expert talks plus DFIR training events.
  • Simulcast: Live events from anywhere in the world.
  • OnDemand: Learn at your own pace, anytime, anywhere.

DFIR Resources: Digital Forensic Blog | Twitter | Facebook | Google+ | Community Listservice | DFIR Newsletter

Case Leads: A Forensicator’s take on BlackHat/DefCon/BSides

It’s been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec professionals, forensicators and old-school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology-oriented distractions “flood the zone” in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.

July 27th was the start of Black Hat at Caesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes on Wednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called “Black Hat Briefings.” This year, in the wake of the NSA/Snowden row, NSA Director General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!) than ever. Black Hat moves next year to the south end of the Las Vegas strip, at the Mandalay Bay. Some have speculated that the larger vendor area was part of the motivation. A spokesperson for Black Hat stated simply, “We need more room.”

Meanwhile, two and a half blocks east of Caesars Palace, at the Tuscany Hotel Casino, BSides Las Vegas was running during the same Wednesday and Thursday as Black Hat. BSides was a real gem this year: a great crowd, with many very smart and interesting speakers, lectures and labs. One of the more compelling DFIR talks of the week was a demonstration on defeating application whitelisting, and the digital forensic trail that this kind of incident leaves behind. See Good Reads and Listens below for an interview with the co-presenter of that talk, Joe Kovacic.

Thursday, August 1st was the “soft launch” of DefCon 21, at the Rio Casino, just west of the Las Vegas Strip. Of note: DefCon held legal training on Thursday for non-legal professionals on the fundamentals of civil and criminal law, always a help for forensicators. Sunday was the unofficial “forensicator block,” with three lectures covering forensics, including an interesting talk on the recoverability of “disappearing” messages like SnapChat. Another DefCon talk relevant for incident response was Craig Young’s talk on a critical authentication flaw in Google Apps/Gmail/Android. See Good Reads and Listens below for an interview with Craig Young.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • Mr. John Ortiz developed and teaches a steganography course for the University of Texas at San Antonio (UTSA). Mr. Ortiz developed several steganographic programs for testing and analysis that were demonstrated at DefCon 21 in Las Vegas this year, during the unofficial forensicator block. You may email John at stego [insert at symbol here] satx.rr.com for details on how to obtain these free tools.
  • Belkasoft Evidence Center 5.4 (Updated), Detects Forged Images, Analyzes Fragmented Memory Dumps and Extracts Destroyed SQLite Records
  • BlackBag Technologies Announces BlackLight2013 R2 Cross-platform Forensics Software Release

Good Reads and Listens:

News:

Levity: DEF CON: The Documentary, the complete movie. Filmed last year, the 20th anniversary of DefCon. Shown at DefCon 21, August 1, 2013.

Coming Events:

Call For Papers:

By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law, and editor of HabeasHardDrive.com, a blog on digital crime and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor

Digital Forensics Case Leads: New REMnux, Registry tools and more APT1 analysis

This week in Case Leads we have a great new update to REMnux and two new tools for registry analysis, and be sure to vote for the Forensic 4cast Awards right after you hop over to the new REM community on Stack Exchange.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

Good Reads:

News:

Levity:

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 20130413 was compiled by Rob Dewhirst (@robdew) GCFA, GCIH, GREM, CISSP. Rob is a security analyst and CSIRT lead for a Tier I research university in the Midwest and a private DFIR consultant.

Caseleads: South Korea Attack Forensics; Google Glass Brings Discoverable Evidence To Litigation; The Post Data Breach Boom; Fighting Insider Fraudsters

Mark this date: On March 20th 2013, non-technical managers may finally start to understand what a digital forensics professional actually does. With the massive cyber attacks on South Korean banks, media outlets, and ISPs, the role of forensicators is put front and center. The attack(s) resulted in widespread ATM outages, took online and mobile banking offline, and left tens of thousands of PCs wiped of all their data. At minimum, non-technical decision makers should finally start to understand that cyber attackers are not targeting “someone else.” The attacks in South Korea had an impact on the bottom line of many South Korean firms. Since many of the same strategies for information security and incident response are used by most westernized nations, many experts agree that the attacks in South Korea are a warning sign of what could happen in the United States. We have analytical coverage of the South Korean attacks, with stories and drill downs that go beyond the headlines.

Was it only a week ago that the world was abuzz about the protests starting over the tracking and data collection from Google Glass? We have a forensic look at augmented reality. And, flaws in other mobile platforms that might help forensic professionals gain access to devices in a pinch.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • BlackBag Technologies Releases BlackLight2013:  Mac OS X, iPhone, and iPad Forensics Software Release
  • Katana Forensics recently updated Lantern 3 to include iOS and many Android devices, all in one software tool
  • EnCase Forensic Imager is a new product that allows the creation of EnCase evidence files or EnCase logical evidence files. EnCase Forensic Imager is available for free, and does not require an EnCase license.

Good Reads:

News:

Levity:

Coming Events:

Call For Papers:

By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Digital Forensics Case Leads: Email Scammers, Android Malware, DoS Against Banks, Tool Updates And A Few Good Reads.

In this issue of Case Leads we have an increase in Android malware, DoS attacks on Czech banks, some updates to Oxygen Forensics Suite, a new tool from Magnet Forensics and a little levity.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • Oxygen Forensics Suite has released version 5.1.1. Some of the new features include support for Windows 8 and added support for Opera Mini and Opera Mobile for Android, along with many other enhancements and improvements.
  • Passware is now integrated in Oxygen Forensic Suite to provide a joint solution to mobile device investigations.
  • Magnet Forensics has released a new tool called IEF Frontline which will provide investigators with a “quick look” at digital media.

Good Reading and Listening

  • Lance Mueller has a good post over at forensickb.com where he has created an EnScript that will parse the setupapi.dev.log file. Using this EnScript you can easily parse out all the USB insertion events.
  • Harlan Carvey has a post over on his Windows Incident Response Blog that talks about WOW6432Node registry redirection. In Harlan’s words, if we are not looking at this then we need to. This is just one more area we need to make sure that we look at when we do registry analysis; if you are not looking in this area then you are potentially only getting half the picture when you are examining 64-bit Windows systems.
  • Eric Huber over at the Fistful of Dongles blog recently posted about Microsoft Windows File System Tunneling. This is something that forensic examiners should be aware of, and it should also be tested on Windows 7 and 8, as the research Eric did was on Windows XP.
  • The Register has a good article about Rear Admiral Grace Hopper. Anyone who does not know who she is should read this and learn a little about this amazing woman.

News:

Levity:
  • Climbing the corporate ladder BOFH style.

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads for 20121130 was compiled by Mark McKinnon (@markmckinnon) CCE, GCFA. Mark is a Software Developer and Instructor at a University in the Midwest where he also practices digital forensics.

CaseLeads: China Cyber Espionage Exposed, Account Issues with Twitter and Plenty of Great How-To’s

This week on Case Leads, we learn the truth of China’s cyber espionage unit, Twitter verified accounts were hacked and there have been some updates to some of your favorite tools.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:

  • HMFT was given a small update.
  • Autopsy was recently updated as well.
  • Passware can now extract passwords for certain popular websites from memory.

Good Reads:

News:

  • In case you’ve missed it, MANDIANT posted a report on China’s cyber espionage role. Here you can find a quick overview and a link to the full report.
  • Haft of the Spear posted some interesting takes on China.
  • Twitter has suffered from a rash of verified company accounts getting hacked.
  • You won’t have to read this, but there is a new CyberSpeak episode up.

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to caseleads@sans.org.

Digital Forensics Case Leads was compiled this week by Mike Ahrendt. Mike is the Information Security Officer for Grand Rapids Community College where he works in a wide array of security tasks from policy creation to forensic investigations.