Investigate and fight cyberattacks with SIFT Workstation


Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything needed to conduct an in-depth forensic or incident response investigation.

The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static so whenever there were updates, users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, if there is an Ubuntu subsystem running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that allows for much more functionality, is much more stable, and includes specific tools such as the Package Manager. This time the package supports rolling updates, and uses SALT, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initiatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

Case Leads: A Forensicator’s take on BlackHat/DefCon/BSides

It’s been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec professionals, forensicators and old-school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology-oriented distractions “flood the zone” in Las Vegas. Close to 15,000 to 20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.

July 27th was the start of Black Hat at Caesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes on Wednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called “Black Hat Briefings.” This year, in the wake of the NSA/Snowden row, NSA Director General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners, and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!) than ever. Black Hat moves next year to the south end of the Las Vegas strip, at the Mandalay Bay. Some have speculated that the larger vendor area was part of the motivation. A spokesperson for Black Hat stated simply, “We need more room.”

Meanwhile, two and a half blocks east of Caesars Palace, at the Tuscany Hotel Casino, BSides Las Vegas was running during the same Wednesday and Thursday as Black Hat. BSides was a real gem this year. Great crowd, with many very smart and interesting speakers, lectures and labs. One of the more compelling DFIR talks of the week was a demonstration on defeating application whitelisting, and the digital forensic trail that this incident leaves behind. See Good Reads and Listens below for an interview with the co-presenter of that talk, Joe Kovacic.

Thursday August 1st was the “soft launch” of DefCon 21, at the Rio Casino, just west of the Las Vegas Strip. Of note: DefCon held legal training on Thursday for non-legal professionals on the fundamentals of civil and criminal law, always a help for forensicators. Sunday was the unofficial “forensicator block,” with three lectures covering forensics, including an interesting talk on the recoverability of “disappearing” messages like SnapChat. Another DefCon talk relevant for incident response was Craig Young’s talk on a critical authentication flaw in Google Apps/Gmail/Android. See Good Reads and Listens below for an interview with Craig Young.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to


  • Mr. John Ortiz developed and teaches a steganography course for the University of Texas at San Antonio (UTSA). Mr. Ortiz developed several steganographic programs for testing and analysis that were demonstrated at DefCon 21 in Las Vegas this year, during the unofficial forensicator block. You may email John:  stego [insert at symbol here] for details on how to obtain these free tools.
  • Belkasoft Evidence Center 5.4 (Updated), Detects Forged Images, Analyzes Fragmented Memory Dumps and Extracts Destroyed SQLite Records
  • BlackBag Technologies Announces BlackLight2013 R2 Cross-platform Forensics Software Release


Good Reads and Listens:



Levity: DEF CON: The Documentary, the complete movie.  Filmed last year, the 20th anniversary of DefCon. Shown at DefCon 21, August 1, 2013


Coming Events:

Call For Papers:

By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law, and editor of, a blog on digital crime and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor

Case Leads: Report on Emerging Cyber Threats, Updates to Forensics Applications, Malware Trends, and more.

This week’s edition of Case Leads features a report on emerging cyber threats, another report about malware and vulnerabilities, research about the head of a new anti-virus firm, and updates to the Oxygen Forensics Suite and Memoryze for the Mac. There’s also a story about how email led to several discoveries in the case of the CIA director who recently resigned, and an article about Skype and personal information.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to


Good Reads:

  • Georgia Tech and the Georgia Tech Research Institute published a report on emerging cyber threats for 2013.  The report is available as a PDF and video from the summit held on November 14th will also be made available.
  • The story is still unfolding (and it already sounds like a movie plot), but it seems that location data associated with email played a part in the CIA director’s resignation. Be careful what you email and where you email.
  • Trend Micro’s 3Q 2012 Security Roundup contains a number of findings on malware on mobile devices (read Android) and the most commonly abused applications.


  • Brian Krebs researched the person who appears to be behind the Chinese “anti-virus” company, Anvisoft, and found that it may be led by an infamous hacker.
  • Cyber security issues facing the government and large businesses have been getting a lot of coverage lately, so it should not come as a surprise that smaller businesses are considered more susceptible.
  • Skype turned over a user’s identity when another company asked. The details are still being sorted out, and Skype has launched an internal investigation to determine whether any of its policies were violated.


Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to

Digital Forensics Case Leads for 20121115 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and, when the incidents permit, he is involved in aspects of information security ranging from threat intel to risk analysis.

Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week’s Digital Forensic Case Leads is chock full of forensics nuggets. Links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP Attorney Ben Langlotz. And, as our headline promises, news and analysis on the latest alleged attacks by “Anonymous” and their affiliates. Your reporter this week explains how both the Anon group’s claims and the Feds’ denials could be true.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads [at symbol here]



  • AccessData Group just released a new version of their forensics and investigation tool for mobile devices, MPE+. According to AccessData: “In addition to greatly improving mobile device investigations, MPE+ is the first solution designed to facilitate mobile device discovery for litigation support personnel. With the most intuitive interface on the market and new visualization capabilities, investigators and e-discovery practitioners alike will be able to address mobile device data with more efficiency.” This version supports physical imaging of Samsung Galaxy S2 devices and supports 4,800 other mobile devices. Other notable features include carving SQLite databases from iOS and Android devices for user-deleted data, and a “Social Analyzer” that compares SMS, emails, MMS and call logs. Contact the people at AccessData Group to find out more.
  • Magnet Forensics (formerly JADsoftware) has an interesting free forensic investigation tool: Encrypted Disk Detector (EDD). According to the company, “EDD is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes… EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.”
  • MemGator: another free digital forensics tool. According to the developer, E5h Forensic Solutions, MemGator “is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator…Data can be extracted in relation to memory details, processes, network connections, malware detection, passwords & encryption keys and the registry.”
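The EDD item above boils down to a triage question every responder faces before pulling the plug: is this volume encrypted, and do I need a live acquisition? The Python below is an added example written for this post, not EDD or any other tool mentioned here. It reads the first 4 KiB of a raw volume image and checks for the BitLocker volume signature (“-FVE-FS-” at offset 3) and a few plaintext file-system signatures; anything unrecognised with a near-random byte distribution is flagged, since a TrueCrypt-style container has no signature and a header indistinguishable from random data. The sample headers are constructed inside the script, and the 7.5 bits/byte threshold and the label names are my choices, not values from EDD.

```python
import math
import random
from collections import Counter
from typing import Dict, Tuple

SECTOR = 512
HEADER_LEN = 8 * SECTOR   # examine the first 4 KiB of the volume
HIGH_ENTROPY = 7.5        # bits/byte; plaintext boot sectors sit far below this (example threshold)

# (label, offset from start of volume, signature bytes) found in the first sector.
SIGNATURES = [
    ("bitlocker", 3, b"-FVE-FS-"),   # BitLocker volume header OEM field
    ("ntfs", 3, b"NTFS    "),
    ("exfat", 3, b"EXFAT   "),
    ("fat32", 82, b"FAT32   "),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume_header(header: bytes) -> Tuple[str, float]:
    """Return (label, entropy) for the start of a volume.

    Known signatures win. An all-zero header is reported as blank. Anything
    else whose bytes look uniformly random is flagged for follow-up, because
    full-volume encryption such as TrueCrypt leaves no recognisable header.
    """
    header = header[:HEADER_LEN].ljust(HEADER_LEN, b"\x00")
    entropy = shannon_entropy(header)
    for label, offset, sig in SIGNATURES:
        if header[offset:offset + len(sig)] == sig:
            return label, entropy
    if not any(header):
        return "blank", entropy
    if entropy >= HIGH_ENTROPY:
        return "unknown-high-entropy", entropy
    return "unknown", entropy


def scan_image(path: str) -> Tuple[str, float]:
    """Classify a raw volume image on disk by reading only its first sectors."""
    with open(path, "rb") as fh:
        return classify_volume_header(fh.read(HEADER_LEN))


def build_samples() -> Dict[str, bytes]:
    """Constructed headers for the demo; none is taken from a real system."""
    bitlocker = bytearray(HEADER_LEN)
    bitlocker[0:3] = b"\xeb\x58\x90"   # jump instruction typical of a boot sector
    bitlocker[3:11] = b"-FVE-FS-"
    ntfs = bytearray(HEADER_LEN)
    ntfs[0:3] = b"\xeb\x52\x90"
    ntfs[3:11] = b"NTFS    "
    ntfs[510:512] = b"\x55\xaa"        # boot sector end marker
    rng = random.Random(20120907)      # fixed seed so the demo is repeatable
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(HEADER_LEN))
    return {
        "bitlocker": bytes(bitlocker),
        "ntfs": bytes(ntfs),
        "random": encrypted_like,
        "blank": bytes(HEADER_LEN),
    }


if __name__ == "__main__":
    for name, header in build_samples().items():
        label, entropy = classify_volume_header(header)
        print(f"{name:10s} -> {label:22s} entropy={entropy:.2f}")
```

Point scan_image() at a volume image, not a whole-disk image, since the signatures are relative to the start of the volume. A high-entropy result is a prompt to look further, not proof of encryption: compressed data has the same byte distribution.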


Good Reads/Listens:

  • DarkMarket: Cyberthieves, Cybercops and You. From the publisher: “In this fascinating and compelling book, Misha Glenny, author of the international best seller McMafia, explores the three fundamental threats facing us in the twenty-first century: cybercrime, cyberwarfare and cyberindustrial espionage. Governments and the private sector are losing billions of dollars each year fighting an ever-morphing, often invisible and often supersmart new breed of criminal: the hacker.”  Due to be released in paperback next month.
  • Breaking into the OS X keychain. From the author of the posting: “There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability…As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves.” As we know, most users don’t take those types of steps. Read the how-to here.
  • Digital Forensic and InfoSec Lessons from Apple v Samsung patent case. Listen to this CyberJungleRadio conversation with Patent expert Ben Langlotz, starting at about 14:30min. There are some very surprising areas of digital forensics discussed by Mr. Langlotz.



Anti-Sec, an off-shoot of the cyber gang known as Anonymous, claimed credit late Monday for obtaining a database of over 12 million Apple iOS UDIDs (Unique Device Identifiers). UDIDs are “burned” into every iPhone/iPad/iPod Touch device. The group’s web site claims that the reason they took this data was a slap against the Federal Government (“the Feds”) and the activities of NSA Chief Gen. Keith Alexander to recruit hackers at Las Vegas’ DefCon conference last month. They want to show that the Feds don’t have the interests of the citizens at heart, but rather that the Feds’ main goal is tracking the activities of average citizens — a claim Gen. Alexander very publicly refuted in Las Vegas. On Wednesday, the FBI released a statement that refutes the claim that the attackers gained access to an FBI computer for this data. Parsing the statements from the FBI and the alleged attackers, it is possible that the information came from the systems of an anti-cybercrime non-profit that was founded by a former FBI agent. The group, the NCFTA, or National Cyber Forensics and Training Alliance, has, according to Forbes Magazine, a legal arrangement with the government that allows it to hand over information to the FBI.

From Elinor Mills and Greg Sandoval at C|Net: “The U.S. Secret Service is looking into claims that someone stole presidential nominee Mitt Romney’s income tax returns and is threatening to release them if he doesn’t pay up. Secret Service spokesman George Ogilvie told CNET today that the agency is investigating, but had no further comment.”

Discount eCommerce site Groupon threatens to sue small business merchants. According to a report at, some businesses that participate as Groupon merchants are not getting paid by Groupon. This cash flow problem is driving merchants to notify the company they will not honor Groupon coupons until they’re paid. Groupon is threatening legal action against the merchants if they suspend providing services to Groupon users as agreed. A classic contract case, but who’s truly in breach? AND — is there a digital smoking gun? Were orders to slow down or hold back payments transmitted via email, chats, text or other digital means? Have there been internal discussions around responding to merchant complaints about slow payment?

Did a diligent email forensics investigation help Samsung mitigate spoliation in the intellectual property case that pits Apple against Samsung? We won’t get into the IP details in this space, but rather the issue of digital spoliation. Last month, Apple won a motion for an adverse inference jury instruction because Samsung failed to properly preserve email discovery evidence. And as of this writing, Samsung won a copy-cat motion, claiming Apple failed to preserve relevant emails. So now, the jury will not hear that both Apple and Samsung may have destroyed email evidence.


Levity, or For the LULZ?

The Tutu Has Been Donned

Coming Events:

Call For Papers:


by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?

The Paraben Forensics Innovator’s Conference was held last week in Park City, Utah. Your SANS Digital Forensic blogger attended the event, along with over 300 fellow forensicators and lawyers. With information security events like BlackHat and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences.

At these smaller conferences you really get a chance to spend time with the same people. At PFIC, one of the attendees I met had an interesting incident at the office, and we were able to spend the time to discuss the case.  And, these smaller events allow for more comparing of notes from different sessions over lunch. It’s so much more difficult to get to really know someone at large conferences, with so many sessions and so many vendor events. Even the lunch events are like an army chow line at the large events. PFIC is in a small hotel, and you really get a chance to talk and interact often with the speakers.

The keynote speaker was the most interesting I have heard in quite some time. It was given by Jeffrey “Skunk” Baxter of the Doobie Brothers. He is now working with the defense community to bring a fresh, out-of-the-box approach to counter-terrorism and national defense. Another plus at PFIC was the depth of the expert witness bench. Speakers included team members who worked on the precedent-setting Victor Stanley case, and the Coleman Morgan Stanley case.

I encourage readers to think about attending next year.  The URL for the conference is


  • From PFIC:  The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers, students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Find out more at
  • From PFIC: Using Predictive Coding To Speed Digital Forensics and eDiscovery with Orcatec. This technology uses predictive coding in an attempt to provide accuracy, consistency and transparency, and dramatically reduces the time and cost of first-pass data review versus traditional “dirty word” lists. I wrote more about this topic in this blog posting.

Good Reads:

  • Put this one in the “Good Listen” category. In the event you missed this in last week’s Case Leads: I recently interviewed Mark Bowden on Cyber Jungle Radio. Bowden is the author of “WORM: The First Digital World War”. He also wrote “Blackhawk Down”. The interview begins at about the 14-minute mark of this week’s show. I found the book to be a very good, fast read. The efforts of a group of unpaid information security and incident response professionals were fascinating to read about, and to learn from. Reading this book will inspire many white hats to take on the black hats. The book also dispels the common myth that information security professionals create malware because otherwise we would be out of a job. This book shows how a dedicated group of information security professionals, many spending their own time and money, took on the giant task of stopping a series of large-scale attacks against some of the world’s biggest information assets. There is an item in the news section related to a DNS attack takedown that has some of the same elements of incident response that are covered in this excellent book.


  • New research has exposed some serious vulnerabilities in Amazon’s Elastic Compute Cloud (EC2). It appears that several of the vulnerabilities stem from the misuse and mismanagement of AMIs (Amazon Machine Images). Among other concerns, credentials such as passwords, SSH keys and even Amazon AWS keys were found left on AMIs, presenting hackers with the opportunity to impersonate a user or Amazon itself and steal confidential information. Jeff Hudson, CEO of Venafi, equates this to an easier-to-understand scenario. “Like generous souls giving their old jacket to a shivering passerby – only to find that they left their driver’s license, passport, and credit cards in the pocket – these members published their AMIs without removing sensitive data such as SSH keys and the private keys associated with digital certificates.” Hudson notes that while developers and administrators probably should have been able to use common sense to figure out these pitfalls, he’s not surprised that they didn’t. “Enterprises have deployed thousands and tens of thousands of digital certificates and SSH keys. The keys are deployed on various platforms in various business silos; they’re obtained from multiple vendors and certification authorities (CA). Without any management tools, administrators have become used to ignoring them. In fact, server administrators often don’t even realize that a private key installs with the server’s digital certificate and that this key must be protected, which explains why the administrators so blithely left them in the AMIs.”
  • Republic Wireless Officially Unveils $19/Month Service: Unlimited Everything, No Contracts. How do they do it? VoIP and other services over WiFi. What are the forensic implications of this shift in the mobile space? Sounds like a topic for a future SANS Forensics posting. Read more about the service here.
  • Biggest Cybercriminal Takedown in History? That’s what Brian Krebs calls it. Huge incident response story buried in this story makes this entry a must-read.
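The AMI findings above come down to a checklist that can be automated: before an image is shared, walk its filesystem and look for exactly the things Hudson lists. The script below is an added example written for this post, not code from the researchers, Amazon or Venafi. It scans a mounted image root (any directory will do) for private-key PEM blocks, AWS access key IDs (the published AKIA/ASIA prefix followed by 16 characters), SSH authorized_keys and id_* files, AWS credential files, and shell history, which routinely records commands with secrets in them. The file tree it scans is constructed in a temporary directory for the demo; the key ID in it is the placeholder value AWS uses in its own documentation, not a live key, and the private key body is a labelled stand-in.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Content patterns that indicate a secret was left in the image. The AWS
# access key id shape is the published format; the rest are heuristics chosen
# for this example.
CONTENT_PATTERNS = [
    ("private key material", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]

# Paths, relative to the image root, that should never ship in a shared image.
PATH_PATTERNS = [
    ("ssh authorized_keys", re.compile(r"(^|/)\.ssh/authorized_keys$")),
    ("ssh private key", re.compile(r"(^|/)\.ssh/id_[a-z0-9]+$")),
    ("aws credentials file", re.compile(r"(^|/)\.aws/credentials$")),
    ("shell history", re.compile(r"(^|/)\.[a-z_]*history$")),
]

MAX_BYTES = 1 << 20   # read at most 1 MiB per file; key headers sit at the top anyway


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a mounted image (or any directory) and return (path, reason) findings."""
    root_path = Path(root)
    findings: List[Tuple[str, str]] = []
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        rel = path.relative_to(root_path).as_posix()
        for reason, pattern in PATH_PATTERNS:
            if pattern.search(rel):
                findings.append((rel, reason))
        try:
            with path.open("rb") as fh:
                data = fh.read(MAX_BYTES)
        except OSError:
            continue   # unreadable file: skip it rather than abort the whole scan
        for reason, pattern in CONTENT_PATTERNS:
            if pattern.search(data):
                findings.append((rel, reason))
    return findings


def build_sample_image(root: str) -> None:
    """Construct a fake image tree for the demo. Nothing here is a real secret."""
    files = {
        "home/ubuntu/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2E-constructed-not-a-real-key ubuntu@build\n",
        "home/ubuntu/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-STAND-IN-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n",
        "home/ubuntu/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = constructed\n",
        "root/.bash_history": "aws s3 ls\nssh -i id_rsa ubuntu@10.0.0.5\n",
        "etc/hostname": "build-host\n",
        "var/www/index.html": "<html>hello</html>\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22s} {rel}")
```

Run it against the mount point of a candidate image before publishing. Path hits and content hits are reported separately, so a credentials file that is present but empty still shows up, and a key pasted into an unexpected file is still caught.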


  • Star Trek Meets e-Discovery:  The Ferengi Vendors. Scroll down and play the “Star Trek eDiscovery” Video. Click Here.


Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to

Digital Forensics Case Leads for 11, Nov 2011 was compiled by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT, CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in the web application used to sign on to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers of the SIM cards in 3G iPads. It is not unusual for a web development team to neglect secure methods such as using random numbers when generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.
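What the report describes, stripped of the specifics, is a predictable identifier standing in for a credential. Below, as an added example written for this post and not code from AT&T, Apple or Gizmodo, is that weak pattern in one function next to its hardened form: a device identifier is only ever used to pick a record after real authentication, and what the browser presents from then on is an opaque token from the OS random number generator, stored hashed and bound to an account with an expiry. The account values and ICC-ID-style numbers are constructed; the class and function names are mine.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Weak pattern, as the report describes it: a predictable device identifier
# is the only thing that selects the account, so presenting a valid-looking
# identifier is treated as owning it. Constructed values, not real subscribers.
ACCOUNTS_BY_ICCID: Dict[str, str] = {
    "89014100000000000001": "alice@example.invalid",
    "89014100000000000002": "bob@example.invalid",
}


def weak_lookup(iccid: str) -> Optional[str]:
    """Insecure: the identifier is both the lookup key and the proof of identity."""
    return ACCOUNTS_BY_ICCID.get(iccid)


class SessionStore:
    """Hardened pattern: opaque random session tokens issued after authentication.

    The device identifier is never accepted as a credential. Tokens come from
    the OS CSPRNG, only their SHA-256 digest is kept server-side (a dumped
    table does not yield usable tokens), and each is bound to one account with
    an expiry so a leaked token has a short life.
    """

    def __init__(self, ttl_seconds: int = 900, now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry can be tested
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account: str) -> str:
        """Call only after the user has actually authenticated."""
        token = secrets.token_urlsafe(32)   # 256 random bits as URL-safe text
        self._sessions[self._digest(token)] = (account, self._now() + self._ttl)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the bound account, or None for unknown, tampered or expired tokens."""
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        account, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[key]
            return None
        return account

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._digest(token), None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    tok = store.issue("alice@example.invalid")
    print("issued:", tok)
    print("resolves to:", store.resolve(tok))
    print("tampered resolves to:", store.resolve(tok[:-1] + "x"))
```

Nothing derived from the device (serial, ICC-ID, IMEI) appears in the token, so knowing one subscriber's identifier says nothing about the next one's session; the expiry and revoke() give the server a way to cut a session short if a token does leak.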

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this particular flaw on Wednesday, and now the forensic investigation begins. Gizmodo claims that a large number of records could have been breached, including information about high-profile people in The White House, major corporations and military officials. It looks like too many of these high-profile users are ignoring the warnings of information security pros that iPads/iPhones/Androids/Palm are consumer devices for playing entertainment content and sending texts to your BFF and should not be used as business devices.

Will we see lawsuits due to this breach? Will we see other security flaws in the iPhone/iPad result in litigation? It certainly appears to be a juicy target for attackers and attorneys alike.

In other news, Paraben, the forensic firm out of Utah, announces the release of two new email forensic tools. A new open source tool can help organizations be proactive about incident response. New developments in the Linux kernel might help speed forensic experts in the field. What kind of discovery orders will we see from BP cases?  SANS Forensic Summit preview interview –  Sniper Forensics: One Shot, One Kill. And more….


  • Can smart managers use data loss prevention (DLP) as a valuable digital forensic, incident response tool? Blogger John Sawyer says ‘Yes we can!’ It’s worth looking at the OpenDLP tool, as an open source approach to DLP and a preemptive forensic tool.
  • Paraben announced a new version of P2 eXplorer Free that removes the old version’s registration requirement. Paraben’s P2 eXplorer allows you to mount your forensic image (or almost any drive image for that matter) and explore it as though it were a drive on your machine while preserving the forensic nature of your evidence. This means that an image isn’t just mounted to view logical files, it is mounted as the actual bitstream image, preserving unallocated, slack and deleted data. According to a statement by Paraben, many people who have downloaded P2 eXplorer are running it in demo mode and do not realize they needed to register the product to be able to mount EnCase, FTK, Smart, Raw and other supported image formats. So, they’ve removed the registration requirement so any examiner can take advantage of all of P2 eXplorer’s features. You can download your free copy of the latest release of P2 eXplorer Free here.
  • Paraben Corp also announced this week the release of both Paraben’s E-mail Examiner 6.0 and Paraben’s Network E-mail Examiner 3.1. According to the Utah-based company, the release includes feature enhancements to both tools, including a “Batch Processing Wizard.” Again, according to the firm, the new wizard allows an examiner to look at mail archives and automatically have them exported into a variety of mail formats, including PST.

Other updates are listed under each tool name below:

E-mail Examiner 6.0

- New User Interface
- New OST Support
- New support for Windows 7 x64 & Vista x64
- New Batch Processing Wizard
- New Multi-threading
- New Case Manager
- New Searching with Logical Expressions
- New Dongle License Option

Network E-mail Examiner 3.1

- New support for Windows 7 x64 & Vista x64
- Bookmark Options for All Properties of Messages and Bookmarking of Multiple Files
- New Batch Processing Wizard
- New Hashing Wizard
- Improvements in GroupWise Processing
- Updated Investigator Report
- Improvements with Exchange Processing
- Changes CSV Output and Updated
- Improved Display of Foreign Characters in E-mail Message Bodies
- Enhanced Exporting Options for PST

Interesting Reads/Vids:

  • Next spill for BP to worry about: File Discovery; by Roumiana Deltcheva at the Messaging Architects blog.
  • Microsoft Takes on Security And Privacy Concerns In New IE8 TV Ads. Is this in response to attacks on MSFT products, or the growing concerns about Facebook/Google privacy, or both?
  • “Google Wi-Fi audit reveals criminal intent by the company” Read the report here by the organization Google hired to look into the matter.



Coming Events:

Digital Forensics Case Leads for 20100415 was compiled by Ira Victor, G17799, GCFA, GPCI, GSEC, ISACA, CGEIT. Ira Victor is an analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation’s first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT/ 1p-3p ET. Ira is President of Sierra-Nevada InfraGard, and a member of High Tech Crime International Association.

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I’ve included Twitter handles in the form (@TwitterHandle) where applicable.


  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the SANS SIFT Essentials kit in FOR408, and this firmware update tool will be useful for keeping that hardware current.
  • TableauSoftware (@tableau) (unrelated to the company above as far as I can tell) has released a nifty browser-based data visualization package. There is a student edition available, something we should see more often!
  • Lance Mueller is continuing his stream of useful EnScripts, providing a proof of concept script to combine EnCase and F-Secure’s Enterprise Edition to create a tool for network forensics and E-Discovery.
  • Vere Software has released V1.9 of their WebCase evidence collection software, which incorporates 64-bit capability and both full page and HTML source code capture.
  • For those needing to analyze packet captures for network forensics (or other reasons), Mu Dynamics (@mudynamics) has established Pcapr, a social networking site for packet ninjas to share captures. Richard Bejtlich (@taosecurity) has a nice review of the site in his Traffic Talk column.
  • This is not new, but in answer to a common question “What should I carry in a forensics/incident response/evidence acquisition kit?”, David Kovar (@dckovar) has a pretty thorough list.
  • The development team for the Italian GNU/Linux live-forensics-oriented distro CAINE is hard at work on V2.0.
  • The French firm ArxSys has released their Digital Forensics Framework, a modular, multiplatform, scriptable environment with GUI.

Good Reads:

  • The network forensics power team of Sherri Davidoff and Jonathan Ham (@jhamcorp) have posted the winners of Puzzle #3. There are some great solution writeups, and some awesome tools written by the finalists!
  • Good viewing and listening – Tom Cross’s BlackHat talk on “Exploiting Lawful Intercept to Wiretap the Internet” has been posted on SecurityTube. Interesting implications for network forensics.
  • Russ Klanke (@pensource) has published a huge list of links to articles and other resources at this meta-meta-link.
  • Dan O’Day (@digitoll) has established an online community for digital forensics professionals. A recent entry compared Mac and Windows forensics artifacts. Some interesting info for those new to Mac forensics.
  • Harlan Carvey (@keydet89) has a nice writeup on the importance of timelines, and a somewhat depressing list of all the things that might be included, in his blog. Great stuff there, and worth adding to your RSS reader if it’s not there already.
  • Lenny Zeltser (@lennyzeltser) has some useful cheatsheets for analyzing malicious Office and pdf documents.
  • Gary Kessler has recently updated his list of file signatures (magic numbers).


  • Jesse Kornblum published info about the first successful prosecution based entirely on memory forensics. More support for acquiring volatile memory as a standard practice, even if you’re not sure what you can do with it immediately. In this case, it looks like the memory image sat for several years before the investigator found a technique to analyze it.
  • The Security Focus news portal is shutting down.
  • “Forensics” is now being used by home refinance brokers to promote their services. The idea is that forensic accounting analysis will show mistakes in most loans, and those mistakes can be used to encourage lenders to refinance under more favorable terms. Editorial comment is withheld on this one; a Twitter or Google search will turn up numerous examples.
  • No technical innovations here, but MSNBC has a quick story about how forensics was used to track a school shooter threat. Good to see public exposure for the value and need for forensics in LE.
  • A different sort of computer forensics – researchers have begun development of a technique which could be used to link DNA from keyboards and mice to the users of those devices. No word yet whether private investigator licensing will require expertise in DNA sequencing.
  • Microsoft has published the format of Outlook Personal Folder (.pst) files. Can parsing tools be far behind?


  • Whether this is levity or just a sad sign of the times, maker of mobile phone spy software, FlexiSpy is attempting to exploit the publicity about Tiger Woods to promote their antiforensics phone software.
  • For a real funny one – 10 signs that you work in computer forensics.

Coming Events:

Digital Forensics Case Leads for 20100318 was compiled by G W Ray Davidson, PhD, CISSP, GCFA, etc. Ray is Assistant Professor of Computer Information Technology at Purdue University Calumet, and principal at Vigil Inc., a consulting firm specializing in incident response and forensics. Follow him on Twitter at @RayDavidson.

Extracting VB Macro Code from Malicious MS Office Documents

An incident responder or forensic investigator should be prepared to examine potentially malicious document files, which may be located on the compromised system or discovered in email, web, or other network streams. After all, embedding malicious code into documents, such as Excel spreadsheets or Adobe Acrobat PDF files, is quite effective at bypassing perimeter defenses. This note deals with one such scenario, focusing on how to extract Visual Basic (VB) macro code that may be embedded in malicious Microsoft Office files. I will discuss how to extract macros from both legacy binary Office files (.doc, .xls, .ppt) and modern XML-based Office formats that support macros (such as .docm, .xlsm, .pptm). As you’ll see, OfficeMalScanner will be my tool of choice for getting the job done.

Malicious Use of Macro Code in Microsoft Office Document Files

Recent versions of Microsoft Office disable macros by default. However, with a bit of social engineering, an attacker can often trick the user into enabling macros. The attacker may then use embedded VB macro code to run arbitrary commands on the victim’s system. For instance, Metasploit can generate its payload as a VB script, which can easily be embedded in an Office document; similarly, tools exist for converting arbitrary EXEs into VB script.

Legacy binary Microsoft Office formats don’t differentiate between document files that may and may not include macros. In contrast, when documents are saved using the newer XML-based file formats introduced in Microsoft Office 2007, macros are only supported in files whose extensions end with “m”:

.docm, .xlsm, .pptm, .dotm, .xltm, .xlam, .potm, .ppam, .ppsm, .sldm

For this note, I created a sample set of “malicious” Excel document files: malware.xls (legacy binary format) and malware.xlsm (current XML-based format). The files include VB code that mimics an attacker’s attempt to run commands on the victim’s system. The code in this example pings localhost and launches notepad.exe when the victim opens the document and allows macros. Here’s what it will look like from the victim’s experience (the screen shot didn’t capture the instance of Notepad, which would also be running):


I took this proof-of-concept code from the example published on the Invisible Denizen blog. You can download my sample files here; the password for the zip file is the word “infected.”

Let’s say you need to analyze potentially malicious Microsoft Office document files like these. The approach I’d like to demonstrate involves extracting VB macro code using OfficeMalScanner, a free tool by Frank Boldewin, which can deconstruct Microsoft Office files and extract embedded shellcode and VB code. I’ll explore only the features of this tool related to VB.

Extracting VB Macro Code from Binary Microsoft Office Files

Let’s start with the malware.xls example, since you’ll be more likely to encounter such binary files than XML-based ones. Legacy binary formats of Microsoft Office files (.doc, .xls, .ppt) are considered riskier than the newer XML-based formats, because the programs parsing binary files tend to be more complex and, therefore, more prone to bugs.

Place the suspicious document file on the laboratory system running Microsoft Windows, where you placed OfficeMalScanner. Go to the command prompt. To scan the file (malware.xls) for the presence of VB macro code, type "OfficeMalScanner malware.xls info".


The tool will examine the file and, if it locates VB macros, extract the code into text files in the “MALWARE.XLS-Macros” folder. Since an Excel spreadsheet can have multiple sheets, you will see a file per sheet, as well as the file called “ThisWorkgroup” for global macros. In my example, the relevant VB code is in the “ThisWorkgroup” file:

' Window style passed to WScript.Shell.Run. VISIBLE is referenced but not
' declared in the extracted code; style 1 (normal, visible window) is assumed.
Const VISIBLE = 1

' Runs a command line through the command interpreter (%COMSPEC%).
Sub Run_Cmd(command, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute
End Sub

' Launches a program directly, with optional arguments.
Sub Run_Program(program, arguments, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run program & " " & arguments & " ", visibility, wait_on_execute
End Sub

' Auto-executes when the workbook is opened and the user allows macros.
Sub Workbook_Open()
Const WAIT = True, NOWAIT = False
Run_Cmd "ping", VISIBLE, WAIT
Run_Program "notepad.exe", "", VISIBLE, NOWAIT
End Sub

Extracting VB Macro Code from XML Microsoft Office Files

The “info” option of OfficeMalScanner only works with legacy binary Microsoft Office files. If you try to use it on “malware.xlsm”, you’ll get an error.


No problem. XML-formatted versions of Microsoft Office files, which typically have extensions such as .docx, .xlsx, and .pptx, are actually zip-compressed archives that contain several files. You can unpack the archive using tools such as unzip and ZipReader (e.g., "unzip malware.xlsm").


In this case, the “vbaProject.bin” file contains the VB macro project in a binary (OLE) format.

Alternatively, you can unpack the archive using the “inflate” option of OfficeMalScanner, which will also identify the extracted files that contain VB. To do this, you would type "OfficeMalScanner malware.xlsm inflate".


Whether you obtained the binary VB file using manual unpacking or OfficeMalScanner’s “inflate” feature, you can extract scripts from .bin files using the “info” feature: "OfficeMalScanner vbaProject.bin info".


You can now look at text files in the VBAPROJECT.BIN-Macros folder to examine extracted VB code. In this case, the code is identical to the one I showed earlier in the note.
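To automate the triage step that precedes the extraction above, here is an added Python example (my own code, not OfficeMalScanner’s or the author’s): it tells a legacy OLE binary file from an OOXML zip by its magic bytes, lists the vbaProject.bin part an unzip would reveal (also via its content-type registration), and builds a constructed minimal .xlsm package in memory to exercise itself. The OLE-side check is a UTF-16LE string heuristic, not a real OLE directory parser.

```python
"""Triage a Microsoft Office file: legacy OLE binary vs. OOXML zip, and does it
carry a VBA project? Added example, not OfficeMalScanner's code. The OLE-side
check is a string heuristic, not a real OLE directory parser."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # local file header of a zip
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
XLSM_MAIN_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
# OLE directory entries store stream names in UTF-16LE, and every VBA project
# contains a "_VBA_PROJECT" stream: a cheap indicator, trivially evadable.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage_office_file(data: bytes, name: str = "") -> dict:
    """Return format, VBA indicators and whether the extension hides macros."""
    result = {"name": name, "format": "unknown", "has_vba": False,
              "vba_parts": [], "extension_mismatch": False}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        result["has_vba"] = OLE_VBA_MARKER in data
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1) the part an "unzip" would show: vbaProject.bin
        parts = {n for n in names if n.lower().endswith("vbaproject.bin")}
        # 2) the content-type registration for the VBA part, whatever its name
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            for tag in re.findall(r"<Override\b[^>]*>", types_xml):
                match = re.search(r'PartName="([^"]+)"', tag)
                if VBA_CONTENT_TYPE in tag and match:
                    parts.add(match.group(1).lstrip("/"))
        # the macro part is itself an OLE container (what "info" later parses)
        result["vba_parts"] = sorted(parts)
        result["vba_part_is_ole"] = all(
            p in names and zf.read(p).startswith(OLE_MAGIC) for p in parts)
    result["has_vba"] = bool(parts)
    # OOXML only supports macros in "m" extensions; a macro part inside a
    # .xlsx or .docx name is worth a closer look.
    result["extension_mismatch"] = bool(parts) and not name.lower().endswith("m")
    return result


def make_sample_xlsm(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package (not a usable spreadsheet) for testing."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="%s"/>'
                 % XLSM_MAIN_TYPE]
    files = {"xl/workbook.xml": b"<workbook/>"}
    if with_vba:
        overrides.append('<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>'
                         % VBA_CONTENT_TYPE)
        files["xl/vbaProject.bin"] = OLE_MAGIC + b"\x00" * 504  # OLE stand-in
    types_xml = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://'
                 'schemas.openxmlformats.org/package/2006/content-types">%s</Types>'
                 % "".join(overrides))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        for part, body in files.items():
            zf.writestr(part, body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malware.xlsm", make_sample_xlsm(True)),
                        ("report.xlsx", make_sample_xlsm(False))):
        print(triage_office_file(blob, label))
```

On a real file, pass the bytes of the document and its name; a hit in vba_parts is the file you then hand to "OfficeMalScanner vbaProject.bin info".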

All Done

There you have it. An approach to extracting VB macro code from malicious Microsoft Office files, whether they use legacy binary or recent XML-based formats. Do you have another approach, or any thoughts on this one? Tell us in comments below.

If you found this note useful, you may like the Analyzing Malicious Documents cheat sheet, which outlines these and other tips for examining Microsoft Office and PDF files.

– Lenny

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

Facebook Memory Forensics

OK, like everyone I joined facebook just to get updates on my high school reunion. (Who knew you could also use it as a possible alibi.)

But then, after writing pdgmail and pdymail and seeing all the neat personal information in facebook…tada pdfbook!  Memory parsing to grab facebook info.

Like its predecessors pdgmail and pdymail, I’m following the simple construct that memory strings are easy to get to and yield a treasure of information given today’s web 2.0 world of javascript, dhtml, json, etc. Facebook, it turns out, doesn’t seem to cough up xml like yahoo, or json like gmail, but rather unique class ID strings in its html.

What does this mean for forensics? Well, with a memory dump from any of the popular memory dumping tools, strings -el and pdfbook you can get:

  • status updates
  • facebook emails
  • lists of friends
  • likely owners of the memory image

Friends come with their unique facebook ID’s like:

Story from friend: id:6815841748: Name:Barack Obama

Facebook emails are raw html with authors, dates, etc like so :

FacebookEmailDetail author: Storm Large url:
FacebookEmailDetail Date: October 29 at 9:41am
FacebookEmailDetail Body: Nov 19.2009 - 8:30PM
Molly Malones - Los Angeles, California
More info:

Facebook recent activity is like so:

RecentActivity:Jeff became a fan of Fishbone.

Status updates show up like so:

StoryMessage:Jeff Bryner 2 gamble @the airport or not, that is the question.

If you’re really lucky the memory image will contain enough html to produce what pdfbook recognizes as a ‘delete’ button which is only passed out to the owner of the html content. In other words, you are allowed to delete your posts on facebook, pdfbook recognizes this and your facebook userid, correlates it and deduces that the likely owner of the memory image is:

Likely Owner of fbook memory artifacts: FacebookUserID:1421688057 Name:Jeff Bryner

A sample usage:

on a windows or linux box, use pd like so:
pd -p 2345 > 2345.dump

where 2345 is the process ID of running instance of IE/firefox/browser of your choice.

You can also use any memory imaging software like mdd, win32dd, etc. to grab the whole memory on the box rather than just one process. You can also use common memory repositories like pagefile.sys, hiberfil.sys, etc.

I’ll refer the reader to the memory imaging tool reference at the forensic wiki.

Transfer the dumped memory to linux and do:

strings -el 2345.dump > memorystrings.txt
pdfbook -f memorystrings.txt

It’ll find what it can out of the memory image and spit out its findings to standard out. Grep your way to facebook happiness or redirect the output to a file for later viewing.

As this is mostly html parsing, it’s very brittle, meaning that a change in the classID of one of the facebook UI components breaks this program. As a matter of fact it’s already broken once since the UI rework of 10/2009. So it will work for a while until they redesign and I’m out of sync. Maybe I’ll post it to sourceforge or github so you all can update as you see fit.

Along those lines, look for the diary of pdfbook’s creation, with an explanation of its regex goodness, at the newly created (freshly created this month!). Dissect and contribute your own regex hacks for finding stuff you recognize in your own facebook memory images.

Related Blog Posts:

Facebook Forensics

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS, performs forensics, intrusion analysis, and security architecture work on a daily basis and runs just for fun.

Analysis of e-mail and appointment falsification on Microsoft Outlook/Exchange

Author: Joachim Metz <>


In digital forensic analysis it is sometimes required to be able to determine whether an e-mail has or has
not been falsified. In this paper a review of certain parts of the Outlook Message Application Programming
Interface (MAPI) is provided which can help in determining falsified e-mails or altered
appointments in a Microsoft Outlook/Exchange environment.

About the libpff project

In 2008 Joachim Metz, a forensic investigator at Hoffmann Investigations, started the libpff project.
At that time the best source about the Personal Folder File (PFF) format in the public domain was
the libpst project. The libpst project dated back to 2002 and had been contributed and maintained
by David Smith, Joe Nahmias, Brad Hards and Carl Byington.

However, libpst at that time was not a library and had no support for recovering deleted items
in PST and OST files. The initial goal of the libpff project was to create a shared library for PST and
OST files that had support for recovering deleted items. Recovering deleted items requires detailed
knowledge of the inner structures of the PFF format. This was the beginning of an interesting
journey, in which even recently additional information about the inner structures has been
discovered, such as the 6c and 8c tables and the use of indirection in large tables.

In March 2009 PFF forensics was first discussed as part of Microsoft Office forensics in the
Hoffmann Advanced Forensic Sessions (HAFS). A paper titled ‘Personal Folder File (PFF) forensics’
was published as part of the HAFS. This paper explains the basics of the PFF format,
which can be quite a challenge to understand. One of the main conclusions of both the paper
and the seminar was that different forensic tools provide different results when recovering deleted
items in PST and OST files.

In the meantime the libpff project has evolved. Due to continued analysis of the PFF format and
several contributions, new aspects of the file format have been discovered, among them the
PFF items that contain information about the recipients, sub folders, sub messages and sub
associated items.

A lot of information about the MAPI has also been made available. The OpenChange project
provides libmapi, which contains an Open Source implementation of the MAPI, and the
MFCMAPI project has provided a lot of MAPI information now available on MSDN.

Within Hoffmann Investigations libpff has been put to work for two purposes: first as a tool to
cross reference findings in other forensic tools, and second as a tool that can provide more
information about PST and OST files than those forensic tools. PFF forensics will therefore once
more be the subject of discussion at the upcoming Hoffmann Advanced Forensic Sessions in
November 2009. In the meantime several of the interesting findings are provided in this

1. Introduction

Wouldn’t it be nice to have your forensic analysis software filter out falsified e-mails and
appointments for you? However, most of the current forensic tools provide little information about
the authenticity of e-mail messages and appointments. Therefore, certain analyses have to be done
manually. This paper will give you an understanding of parts of the Outlook Message Application
Programming Interface (MAPI) to help identify falsified e-mails in Microsoft Outlook/Exchange

1.1. Background

If you are a forensic investigator working in corporate environments you are probably dealing
with Microsoft Outlook and Exchange most of the time. What you might not know is that both
make heavy use of the MAPI. The MAPI is not only a programming interface but also a useful
source of information regarding the properties of e-mail attributes. For those of you not familiar
with analyzing the Personal Folder File format used by Microsoft Outlook for PST and OST files,
I advise reading [METZ09] before reading this paper.

2. Falsified e-mail message

In a recent investigation we had to investigate if a user had sent an e-mail at a certain date and
time. We started by determining the existence of the e-mail in the mailbox of both the sender and
the recipients. But there were other characteristics that were highly interesting from a forensic
point of view.

A certain e-mail dated March 10, 2009 was forwarded on March 17, 2009. The original e-mail
could not be found in any of the mailboxes. The first indication of falsification was a discoloring
of the day of the month in a print-out of the forwarded e-mail. The 0 in March 10, was gray while
the surrounding text was clearly black.

2.1. The e-mail body

In Outlook/Exchange an e-mail message can contain RTF and/or HTML body text. Both RTF and
HTML formats use formatting codes. Using these formatting codes we did a low-level analysis of
the body text. Most of the available forensic tools do not provide access to these formatting codes,
but luckily for us there is libpff and its tools.

After having compiled libpff with verbose and debug output and having pffexport export the PST
file with the verbose option (-v), we had created a detailed debug log file. In this log file we looked up the e-mail and its RTF body. In the RTF body the following information was found:

{\*\htmltag84 <b>}\htmlrtf {\b \htmlrtf0 Sent:
{\*\htmltag92 </b>}\htmlrtf }\htmlrtf0 Tuesday March 1
{\*\htmltag84 <span style='color:#1F497D'>}\htmlrtf {\htmlrtf0 0
{\*\htmltag92 </span>}\htmlrtf }\htmlrtf0 , 2009 13:48
{\*\htmltag116 <br>}\htmlrtf \line
{\*\htmltag4 \par }

Using other forwarded e-mails as a reference, we established that the bold formatting code should not be there.

2.2. Conversation index

Looking at existing e-mail messages we hypothesized that the original e-mail was not created on
March 10, 2009 but was in fact an e-mail created on March 17 2009 that had been altered. We
wanted proof besides the lack of the original e-mail message in the mailboxes of the sender and
the recipients.

An MSDN article titled 'Tracking conversations' provided us with a fairly reliable answer.
[MSDN] states that:

PR_CONVERSATION_INDEX (PidTagConversationIndex) indicates the position of the
message within a particular conversation. It is a client's responsibility to
set PR_CONVERSATION_INDEX for each outgoing message, whether it is a new
message, a forwarded message, or a reply. Clients can set this property
manually or call ScCreateConversationIndex, a utility function provided by
ScCreateConversationIndex generates the value of a conversation index for any
outgoing message. ScCreateConversationIndex implements the index as a header
block that is 22 bytes in length, followed by zero or more child blocks each 5
bytes in length.
The header block is composed of 22 bytes, divided into three parts:
 * One reserved byte. Its value is 1.
 * Five bytes for the current system time converted to the FILETIME structure
 * Sixteen bytes holding a GUID, or globally unique identifier.
Each child block is composed of 5 bytes, divided as follows:
 * One bit containing a code representing the difference between the current
 time and the time stored in the header block. This bit will be 0 if the
 difference is less than .02 second and greater than two years and 1 if the
 difference is less than one second and greater than 56 years.
 * Thirty one bits containing the difference between the current time and the
 time in the header block expressed in FILETIME units. This part of the child
 block is produced using one of two strategies, depending on the value of
 the first bit. If this bit is zero, ScCreateConversationIndex discards the
 high 15 bits and the low 18 bits. If this bit is one, the function discards
 the high 10 bits and the low 23 bits.
 * Four bits containing a random number generated by calling the Win32
 function GetTickCount.
 * Four bits containing a sequence count that is taken from part of the random

Reverse-engineering this description for the PFF format I found that the part of the header block
containing the ‘One reserved byte’ with a value of 1 is actually the first byte of the filetime. So
there are not 5 bytes of filetime but 6. The date and time in the header block of the
conversation index matches the creation date and time of e-mail messages.

The child block contains the difference between the current time and the previous time, not the
difference from the time stored in the header block as the MSDN description states. This was
validated using the creation date and time of multiple e-mails.

The conversation index for the specific e-mail translates to:

0x0071 (PidTagConversationIndex : Conversation index)
0x0102 (PT_BINARY : Binary data)
Header block:
 Filetime        : Mar 17, 2009 10:13:04 UTC
 GUID            : 11111111-2222-3333-4444-555555555555
Child block: 1
 Filetime        : Mar 17, 2009 10:18:03 UTC
 Random number   : 2
 Sequence count : 0
Child block: 2
 Filetime        : Mar 17, 2009 10:24:01 UTC
 Random number   : 9
 Sequence count : 0
Child block: 3
 Filetime        : Mar 17, 2009 10:42:39 UTC
 Random number   : 9
 Sequence count : 0
Child block: 4
 Filetime        : Mar 17, 2009 10:45:36 UTC
 Random number   : 14
 Sequence count : 0
Child block: 5
 Filetime        : Apr 17, 2009 07:19:08 UTC
 Random number   : 8
 Sequence count : 0

Note that the precision of the date and time difference in the child block varies and does not match
the creation date and time. The actual reason for this variation is yet unknown.
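An added Python example (not libpff’s code) implementing the corrected layout described above: it parses a PidTagConversationIndex blob into the header time, the GUID and each child block’s time, taking child deltas relative to the previous block, and includes an encoder used only to construct a sample carrying the timestamps of the listing above. The GUID byte order (Microsoft mixed-endian) is an assumption, and the random nibbles in the sample are constructed rather than taken from GetTickCount.

```python
"""Parse and build PidTagConversationIndex (PR_CONVERSATION_INDEX) blobs.
Layout per the MSDN text as corrected by Metz: a 6-byte big-endian FILETIME
(its top 48 bits; MSDN's "reserved" 0x01 is simply the FILETIME's high byte)
and a 16-byte GUID, then 5-byte child blocks holding one code bit, a 31-bit
time delta, a 4-bit random number and a 4-bit sequence count. Each delta is
relative to the previous block, not the header. GUID byte order is assumed."""
import uuid
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN, CHILD_LEN = 22, 5
ChildBlock = namedtuple("ChildBlock", "filetime random sequence")


def dt_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100 ns intervals since 1601-01-01)."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def filetime_to_str(ft: int) -> str:
    """FILETIME -> 'YYYY-MM-DD HH:MM:SS' UTC, rounded to the nearest second."""
    dt = FILETIME_EPOCH + timedelta(microseconds=ft // 10 + 500_000)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


@dataclass
class ConversationIndex:
    header_filetime: int
    guid: uuid.UUID
    children: List[ChildBlock]

    def timestamps(self) -> List[str]:
        """Header time followed by each child block's reconstructed time."""
        fts = [self.header_filetime] + [c.filetime for c in self.children]
        return [filetime_to_str(ft) for ft in fts]


def parse_conversation_index(data: bytes) -> ConversationIndex:
    if len(data) < HEADER_LEN or (len(data) - HEADER_LEN) % CHILD_LEN:
        raise ValueError("bad PidTagConversationIndex length %d" % len(data))
    header_ft = int.from_bytes(data[0:6], "big") << 16  # low 16 bits dropped
    guid = uuid.UUID(bytes_le=data[6:22])  # mixed-endian GUID: assumption
    children, prev = [], header_ft
    for off in range(HEADER_LEN, len(data), CHILD_LEN):
        word = int.from_bytes(data[off:off + 4], "big")
        code, delta = word >> 31, word & 0x7FFFFFFF
        # code 0: delta bits 18..48 were kept; code 1: bits 23..53 (MSDN)
        prev += delta << (23 if code else 18)
        children.append(ChildBlock(prev, data[off + 4] >> 4, data[off + 4] & 0xF))
    return ConversationIndex(header_ft, guid, children)


def build_conversation_index(header: datetime, guid: uuid.UUID,
                             children: List[datetime]) -> bytes:
    """Encoder (inverse of the parser), used here to construct test data."""
    header_ft = dt_to_filetime(header) & ~0xFFFF
    out = bytearray((header_ft >> 16).to_bytes(6, "big") + guid.bytes_le)
    prev = header_ft
    for n, child in enumerate(children, 1):
        delta = dt_to_filetime(child) - prev
        if not 0 <= delta < (1 << 54):
            raise ValueError("child block delta out of range")
        code = 0 if (delta >> 18) < (1 << 31) else 1
        shift = 23 if code else 18
        prev += (delta >> shift) << shift  # exactly what the parser recovers
        word = (code << 31) | (delta >> shift)
        # random nibble constructed here; real clients derive it from GetTickCount
        out += word.to_bytes(4, "big") + bytes([((n * 7) & 0xF) << 4])
    return bytes(out)


# Constructed sample mirroring the timestamps of the falsified e-mail above.
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_TIMES = [datetime(2009, *t, tzinfo=timezone.utc) for t in
                [(3, 17, 10, 13, 4), (3, 17, 10, 18, 3), (3, 17, 10, 24, 1),
                 (3, 17, 10, 42, 39), (3, 17, 10, 45, 36), (4, 17, 7, 19, 8)]]


def sample_blob() -> bytes:
    return build_conversation_index(SAMPLE_TIMES[0], SAMPLE_GUID, SAMPLE_TIMES[1:])
```

parse_conversation_index(sample_blob()).timestamps() reproduces the header and five child times of the listing above; the header is stored to about 6.5 ms and a code-0 child delta to about 26 ms, which is why the rounded seconds can differ from the exact creation time.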

0x3007 (PidTagCreationTime : Creation time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime        : Apr 17, 2009 08:41:20 UTC

However, there is no date March 10, 2009 in the conversation index. Looking at the conversation
indexes of other forwarded and replied e-mail messages, this is the behavior we would expect.

Note that the GUID ‘11111111-2222-3333-4444-555555555555’ in this example was altered.

Using the GUID we found corresponding e-mails with the same GUID in the conversation index.
Most of these e-mails had different content. This finding supported our hypothesis. All of the
corresponding e-mails also had a creation date of March 17, 2009. Therefore, it was plausible that
the e-mail with the discolored zero in ‘March 10’ was falsified using another e-mail created on
March 17, 2009. Upon being faced with the findings in an interview, the sender of the e-mail admitted that he had
altered the e-mail.

3. The modified appointment

In another investigation we found an appointment whose conversation topic contained one of the
keywords we were looking for. However, the appointment had an entirely different subject, and
the last modification date and time already indicated that the appointment had been modified at a
later date.

We needed to be certain that this behavior was caused by modifying an appointment. Using
Outlook we created a PST file with an appointment. Libpff provided us with the following
information about the subject and the conversation topic:

0x0037 (PidTagSubject : Subject)
0x001f (PT_UNICODE : UTF-16 Unicode string)
Unicode string  : ^A^ATest1
0x0070 (PidTagConversationTopic : Conversation topic)
0x001f (PT_UNICODE : UTF-16 Unicode string)
Unicode string  : Test1

And about the date and time values:

0x0039 (PidTagClientSubmitTime : Client submit time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:07:47 UTC
0x0071 (PidTagConversationIndex : Conversation index)
0x0102 (PT_BINARY : Binary data)
Header block:
 Filetime         : Jul 23, 2009 14:07:47 UTC
 GUID             : 11111111-2222-3333-4444-555555555555
0x0e06 (PidTagOriginalDeliveryTime : Message delivery time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:07:47 UTC
0x3007 (PidTagCreationTime : Creation time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:04:28 UTC
0x3008 (PidTagLastModificationTime : Last modification time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:07:50 UTC

The ^A characters in the subject are control characters and can be ignored.

Note that the creation and last modification date and time are not equal.

Next we modified the appointment and had libpff provide us with information about the subject
and the conversation topic:

0x0037 (PidTagSubject : Subject)
0x001f (PT_UNICODE : UTF-16 Unicode string)
Unicode string  : ^A^AModified1
0x0070 (PidTagConversationTopic : Conversation topic)
0x001f (PT_UNICODE : UTF-16 Unicode string)
Unicode string  : Test1

And about the date and time values:

0x0039 (PidTagClientSubmitTime : Client submit time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:07:47 UTC
0x0071 (PidTagConversationIndex : Conversation index)
0x0102 (PT_BINARY : Binary data)
Header block:
 Filetime         : Jul 23, 2009 14:07:47 UTC
 GUID             : 11111111-2222-3333-4444-555555555555
0x0e06 (PidTagOriginalDeliveryTime : Message delivery time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:07:47 UTC
0x3007 (PidTagCreationTime : Creation time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:04:28 UTC
0x3008 (PidTagLastModificationTime : Last modification time)
0x0040 (PT_SYSTEM : Windows Filetime (64-bit))
Filetime          : Jul 23, 2009 14:08:37 UTC

As you can see, the conversation topic and index do not change when an appointment is modified.
The last modification date and time in the example is not much of an indication that the
appointment was modified, mainly because we did the modification right after the creation of the


4. Conclusion

E-mails and appointments in Outlook/Exchange provide us with certain properties that can be
useful for digital forensic analysis of e-mails, like the conversation index and multiple formatted
body texts. Others may be the conversation topic and original creation and/or modification dates
and times.

Appendix A. References

[METZ09]
Title:     Personal Folder File (PFF) forensics
Subtitle:  Analyzing the horrible reference file format
Author(s): Joachim Metz

[MSDN]
Title:     Tracking conversations