Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1. Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

  • Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

  • Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2. Check out our jam-packed DFIR Summit agenda!

  • The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

  • The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

  • All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: have a sneak peek and check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

  • FOR500 – Advanced Windows Forensics
  • FOR585 – Advanced Smartphone Forensics
  • FOR610 – Reverse-Engineering Malware
  • FOR508 – Digital Forensics, Incident Response & Threat Hunting
  • FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • FOR578 – Cyber Threat Intelligence
  • FOR526 – Memory Forensics In-Depth
  • FOR518 – Mac and iOS Forensic Analysis and Incident Response
  • MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3. All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!



Call for Presentations Now Open!


Submit your proposal here:
Deadline: January 16th at 5pm CT


The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Check out some of the DFIR Summit 2016 talks:


We are looking for Digital Forensics and Incident Response Presentations that focus on:

  • DFIR and Media Exploitation case studies that solve a unique problem
  • New Forensic or analysis tools and techniques
  • Discussions of new artifacts related to smartphones, Windows, and Mac platforms
  • Focusing on improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New, fast forensic techniques that can extract and analyze data rapidly
  • Focus on Enterprise or scalable forensics that can analyze hundreds of systems instead of one at a time


Encrypted Disk Detector Version 2

Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link].   Thank you to all that took part in the experiment.  Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here].

Survey Results

In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed.  Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three.   I think many of us could have guessed that big players like Symantec and Sophos would be near the top, but I was surprised to see products like BestCrypt and SecureDoc pull ahead of Credant Technologies (now owned by Dell).

Figure 1: EDD Survey Results

EDD Version 2

The EDD team took the feedback and implemented support for the top four survey results:

  • Checkpoint
  • GuardianEdge
  • SafeGuard
  • BestCrypt

Recall that the previous version of EDD identified full-disk and volume based encryption from Truecrypt, Bitlocker, and PGP.   Interestingly, the newest additions do not have accessible disk signatures like the previous set.  Thus EDD v2 now augments disk signature identification with process detection, which searches for running processes indicative of disk encryption products.

In addition to taking the survey, many respondents volunteered to be beta testers.  Their help testing the update in real world environments was invaluable.  Thank you!  The following are a few screenshots from the final testing run:

[Screenshots from the final testing run: Checkpoint Full Disk Encryption detection (status and detection views), Symantec Endpoint Encryption, Sophos Safeguard, Jetico Bestcrypt]

The Future

In a zettabyte world, digital forensic triage becomes more important as our traditional “image everything” processes don’t scale. Identifying encryption should be a critical step in live triage. With the current penetration of disk encryption products, we no longer have the luxury of assuming they don’t exist, and our best opportunities for circumventing them exist while the system is running. Jad Saliba and his team were early proponents of triage and among the first to release an encryption detection tool. Even with the latest updates, EDD does not purport to identify the universe of encryption products. However, it is an excellent start, and, with the v2 update, it now identifies the most popular products on the market. I am a big believer in the phrase “perfect is the enemy of good” and I would rather have a tool that can get me most of the information I need today than wait indefinitely for a “perfect” detection product. Hopefully this update to EDD will inspire additional innovation in this area. As mentioned by one survey respondent, the encryption detector of the future may need to go even further and detect device drivers and hooks to reduce false negatives. In the meantime, please thank the Magnet Forensics team next time you see them for this great update to EDD!

Chad Tilbury, GCFA, has spent over twelve years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at

Digital Forensics Case Leads: News from CES Las Vegas Might Open Doors for Automotive Forensics, Landmark Legal Rulings Impact DFIR Investigators, and Tackling Insider Fraud

In this issue of Case Leads we go around the globe to cover telematics app development from Ford at CES Las Vegas; to Russia for new tools that allow investigators to access files users try to keep encrypted;  an anti-forensic tool that tries to hide details from memory forensic tools; the insider fraud threat; and a number of landmark court rulings in the US that impact digital investigators.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to


  • Have an investigation where the target puts a crypto-protected PC in hibernate? Now the team at ElcomSoft has a $300 app that can get to the data as well. And, the ElcomSoft blog posting mentioned in the segment.
  • E-Investigations of Texas announces a new computer forensics software tool that can search multiple partitions on multiple hard drives within a single case, export the email containers, and extract individual emails from the containers in a single step. In a statement, the company says that the process allows investigators to provide more accurate results to its clients in less time.
  • Anti-forensics tool: ‘Dementia’ wipes tracks that many Windows forensics memory tools focus on
  • Oxygen Forensic Suite 2013 Roots Android 4.x Smartphones

Good Reading and Listening

  • Our fearless SANS Forensics Leader, Rob Lee, says it’s not new types of attacks that concern him for 2013. It’s the old ones that continue to impact organizations. How can organizations learn from past incidents and respond in 2013? The bulk of the cases he investigates are external breaches, not insider cases, says Lee. When analyzing the incidents and reporting back to technical teams or executives, he’s often faced with the question, “How do we stop this?” Read and listen to Rob Lee in this segment from .
  • Marc Weber Tobias is an attorney and investigator. He appeared on CyberJungle Radio to talk about insider fraud (Disclosure: your Case Leads contributor this week is the host of CyberJungle Radio). Listen to the interview segment here via Flash player, or download the segment here. The interview with Mr. Tobias begins about 15:30 into the program. Mr. Tobias wrote two columns recently on this topic for

How Do You Spot The Thief Inside Your Company?

A Snitch In Time Can Save Employers a Lot of Money


  • From CES 2013 in Las Vegas: Ford launches app developer program for Sync AppLink at CES. Apps need to be approved by Ford for safety while a user might be driving. Will Ford approve automotive forensic tools that leverage the API for investigative purposes?
  • Landmark court decision on the admissibility of social media communications: A Brooklyn Protester Pleads Guilty After His Twitter Posts Sink His Case.
  • In another landmark decision, a Federal Judge found that the Defendant had a duty to preserve audio recordings of calls that had been destroyed under the company’s retention policy once the Defendant found out that the Plaintiff was filing an unemployment claim. Read more at the BowtieLaw Blog.
  • Attention incident responders: A new Java 0-day vulnerability has been discovered, and is already being exploited in the wild.  Read more at the TheNextWeb news site.
  • U.S. nuclear lab removes Chinese tech over security fears. Some experts say we should be more fearful of the poor overall security of this equipment, not built-in backdoors.
  • Write Gambling Software, Refuse To Build In Secret Backdoors The Feds Demand You Install, Go to Prison.


By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Help Improve EDD – Encrypted Disk Detector!

Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of your process should be checking for the presence of full disk and volume-based encryption. Disk encryption is more prevalent than many believe — I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter. If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.

The inherent challenge is how to determine if an encrypted disk or volume exists. From the perspective of the operating system, data on a mounted volume is available in unencrypted form. A separate abstraction layer takes care of encrypting write operations and decrypting data for read operations. Thus, when encountering a live system, investigators are often left with ad-hoc tests to try and make a determination. They can look for telltale installed software, or particular icons present on the system, but there are few reliable ways to get a confident answer whether encryption does or does not exist.

[Screenshots: a TrueCrypt icon in the taskbar; BitLocker installed. See any evidence of encryption products?]

Encrypted Disk Detector

Jad Saliba of Magnet Forensics encountered this dilemma and wrote a tool that takes the guesswork out of the decision to perform a live acquisition or shut the system down and pull the drive.  His free tool, Encrypted Disk Detector (EDD) has been available for a couple of years, and has been a staple of our forensic acquisition curriculum in the SANS FOR408 Windows Forensics In-Depth course.  It does an excellent job of recognizing disks and volumes encrypted by Symantec PGP, TrueCrypt, Microsoft Bitlocker, and most recently, McAfee SafeBoot.  Here are two examples of the tool in action:


Figure 1: Encrypted Disk Detector Identifies Two Disks with PGP Full Disk Encryption

Figure 1 shows EDD identifying two physical disks on the live system, with both being encrypted by PGP full disk encryption (FDE).


Figure 2: EDD Detects a Mounted Truecrypt Volume

Figure 2 is a little more interesting. It shows a nice side-benefit of the tool: EDD lists all of the current physical and logical drives it finds on the live system. Solid state drives are getting smaller and hence it is very common to now find two (or more) drives even in laptops. Knowing up front how many drives and mounted partitions you may be dealing with can save a lot of time. In addition to seeing two physical drives and six mounted partitions on this system, note the alert for “Drive K:”. Students often ask if EDD can detect the special “hidden” volumes that TrueCrypt is famous for. “Drive K:” happens to be such a volume. Keep in mind that the volume can only hide until the user mounts it to use the files within. EDD finds the TrueCrypt volume because it was mounted when the system was examined. This illustrates why checking for encryption is so important when responding to live systems. Once this system is shut down, that hidden volume is likely gone for good.

How it Works

EDD requires Administrator permissions, and is simple enough for any first responder to use. Simply run edd.exe from an elevated command prompt and it will search the Master Boot Record and Volume Boot Records for signatures indicative of encryption products. Which leads me to its biggest weakness – EDD relies on signature-based detection and hence can only recognize a finite number of encryption products. While it can easily detect PGP full disk encryption and Bitlocker volumes, it would provide no information if the system is protected with Utimaco SafeGuard. Thus the more products EDD can identify, the higher our level of confidence can be that encryption does or does not exist on a system.
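As an added example (not EDD’s or Magnet Forensics’ code), here is a small Python triage script that shows the two detection approaches this page describes: scanning MBR and VBR sectors for product signatures, and, for products that leave no accessible disk signature (the approach EDD v2 adds), matching running process names. The boot-sector strings and the process table are this example’s own assumptions, and every sample sector and process list is constructed rather than captured from a real system.

```python
"""Added example in the spirit of Encrypted Disk Detector (not EDD's own code).

Two live-triage checks are shown, run offline on constructed data:
  1. boot-sector signature scan of the MBR and volume boot records (VBRs), and
  2. process-name matching for products that leave no accessible disk signature.
The signature table and process table are this example's own assumptions
that an examiner would maintain; they are not EDD's internal lists.
"""
import re

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16

# Assumed boot-sector signatures, matched against the raw sector bytes.
# "-FVE-FS-" is the OEM name a BitLocker-encrypted volume's boot sector carries;
# "PGPGUARD" and "TrueCrypt Boot Loader" are strings commonly cited as present in
# the MBR bootstrap code those products install.  Extend this list per product.
SECTOR_SIGNATURES = [
    ("Microsoft BitLocker", re.compile(rb"-FVE-FS-")),
    ("Symantec PGP Whole Disk Encryption", re.compile(rb"PGPGUARD")),
    ("TrueCrypt", re.compile(rb"TrueCrypt Boot Loader")),
]

# Hypothetical process names standing in for the product services an examiner
# would record for products without a usable on-disk signature.
PROCESS_INDICATORS = {
    "example_fde_service.exe": "Hypothetical full disk encryption product A",
    "example_volcrypt.exe": "Hypothetical volume encryption product B",
}


def scan_sector(sector: bytes) -> list:
    """Return the products whose signature appears in one 512-byte sector.

    A short read is an error rather than a silent "no encryption found":
    a truncated sector must never be reported as clean.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return [name for name, pattern in SECTOR_SIGNATURES if pattern.search(sector)]


def mbr_partition_count(mbr: bytes) -> int:
    """Count populated primary partition entries in a classic MBR (type byte != 0)."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        return 0  # no valid boot signature, so no trustworthy partition table
    count = 0
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        if mbr[start + 4] != 0:  # byte 4 of an entry is the partition type
            count += 1
    return count


def scan_processes(process_names) -> dict:
    """Map each running process that matches the indicator table to its product.
    Matching is case-insensitive, as Windows image names are."""
    table = {name.lower(): product for name, product in PROCESS_INDICATORS.items()}
    return {p: table[p.lower()] for p in process_names if p.lower() in table}


def triage(mbr: bytes, vbrs, process_names) -> dict:
    """Combine both checks into one verdict for a live system."""
    findings = {
        "partitions": mbr_partition_count(mbr),
        "mbr": scan_sector(mbr),
        "vbr": [hit for vbr in vbrs for hit in scan_sector(vbr)],
        "processes": scan_processes(process_names),
    }
    findings["encryption_indicated"] = bool(
        findings["mbr"] or findings["vbr"] or findings["processes"]
    )
    return findings


def make_sector(*writes) -> bytes:
    """Build a constructed 512-byte sector from (offset, payload) pairs,
    ending with the 0x55AA boot signature."""
    sector = bytearray(SECTOR_SIZE)
    for offset, payload in writes:
        sector[offset:offset + len(payload)] = payload
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample data; nothing here was captured from a real system.
SAMPLE_MBR = make_sector(
    (0x60, b"TrueCrypt Boot Loader"),           # loader string in bootstrap code
    (PARTITION_TABLE_OFFSET, b"\x80"),          # entry 0: bootable flag
    (PARTITION_TABLE_OFFSET + 4, b"\x07"),      # entry 0: partition type NTFS
)
SAMPLE_BITLOCKER_VBR = make_sector((0, b"\xeb\x58\x90-FVE-FS-"))
SAMPLE_CLEAN_VBR = make_sector((0, b"\xeb\x52\x90NTFS    "))
SAMPLE_PROCESSES = ["explorer.exe", "Example_FDE_Service.exe", "svchost.exe"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBR, [SAMPLE_BITLOCKER_VBR, SAMPLE_CLEAN_VBR],
                             SAMPLE_PROCESSES).items():
        print(f"{key}: {value}")
```

On a real system the sector bytes would come from reading the first sector of each physical disk and volume with Administrator rights, which is why EDD must run elevated.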

How You Can Help

One of the great parts of being a SANS instructor is I get to spend time doing research, often leading to interactions with tool authors and others in the forensics community. In this case, I spoke to Jad about his plans for EDD. Like most free tool developers, he wants EDD to be relevant, but does not receive a lot of feedback. For instance, what are the most important encryption products that EDD should support? To answer that question, we put together a brief survey and decided to crowdsource the future development of EDD with your vote. Jad has pledged resources to implement signature detection within EDD for the three most popular products as picked by YOU. Further, the breakdown of product usage/demand will be used to guide the future roadmap for EDD and will be shared with the community.

If you have made it this far, please take thirty seconds to fill out the survey. [Survey Closed]

Stay tuned: in a future post we will cover the survey results and the release of an updated version of Encrypted Disk Detector.


Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators

Welcome to Digital Forensics Case Leads. Another busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a forensicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using BitCoin? * A bevy of encryption tools * And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to “fix” the bug?


Good Reads/Listens:

  • Law Enforcement Fearful of BitCoin? Read a confidential report that has been leaked, including how users are deploying anti-forensics techniques
  • Viewing child porn not necessarily possession, [New York] court rules
  • DFIR Analysis: Is the latest ‘Twitter Breach’ really older pwnd accounts from Q3’11 attack? From the ESET Blog.
  • CyberJungleRadio. From the floor of The Expert Witness Conference 2012, your Case Leads reporter talked with the Hon. Paul Chertoff about a judge’s view of a digital forensicator on the stand as an expert witness. You may download the file directly – the interview with Judge Chertoff begins at about 13min. Or, you may go to the listening options page and browse for other ways to hear the show, including links to iTunes.


  • libbde: Library and tools to support the BitLocker Drive Encryption (BDE) encrypted volumes
  • libvshadow: Library and tools to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • VanishCrypt – Virtual Encryption Tool, alternative to TrueCrypt to create encrypted virtual drives
  • Data Recovery FOSS Style – How to perform data recovery in Linux
  • The Steganography Analyzer Field Scanner, or StegAlyzerFS, is a digital forensic examination tool designed for field triage on suspect computers to detect the presence or use of digital steganography to conceal information of criminal activity. Read more here.
  • ITWeb: “The new FTK 4 is pretty much the same set of tools that we are used to seeing from AccessData – until you add the company’s exciting new modules, Cerberus and Visualization. Now, it’s a whole different ballgame.” Read more here.


  • BYOD stirs up legal problems. From ITWorld.
  • Microsoft: Macs ‘not safe from malware, attacks will increase.’ From ZDNET.
  • Patch out for #OSX 0day crypto bug. But, forensicators can still recover passwords from patched systems. Also from ZDNet.
  • Syrian Government Pushing Malware To Activists Via Skype. From TechWeekEurope.
  • Religious sites ‘riskier than porn for viruses.’ From Aussie 9 News.
  • Clayton High’s principal resigns amid Facebook mystery




Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to


Digital Forensics Case Leads: SSD Forensics; WebCams, Privacy and The Law; Anti-Forensics Goes Mainstream; Forensics Comes To The US Elections

Welcome to Digital Forensics Case Leads. It’s a busy week in digital forensics, incident response and the law.  In this edition: How the standards for obtaining a warrant for digital information might change.  Do users really care about tracking and privacy online? Are anti-forensics and spoliation becoming more popular with the general public? Why Solid State Drive (SSD) data destruction and forensics is a whole new world, from the floor of RSA Security in San Francisco.  Digital forensics hit the headlines with the “Rutgers Web Cam” verdict. It appears that digital forensics  played a role in the conviction. Plus, changes to smartphone forensics tools, and The Last Private Place? Anti-DUI Campaign Invades The Men’s Room.


Good Reads/Listens:


  • Password audit tool-maker ElcomSoft updates SmartPhone Password Breaker and ElcomSoft Wireless Security Auditor. Read the release.
  • AccessData Releases Forensic Toolkit(R) 4; With New Investigations and Incident Response Capabilities, Including Malware Analysis Technology. Read the BusinessWire release.


  • From “…jurors heard a video admission from the defendant in the Rutgers University trial that he violated his roommate’s privacy when he secretly set up a Webcam, which caught his roommate engaged in intimate contact with another man…” Although this story was written before the verdict was in, it details some of the digital forensics used in the case.
  • Encase Still Bullish on DFIR (well, DUH;  but worth the read): Forensic incident response to the fore
  • Digital Forensics playing a role in this grisly investigation: Ohio investigates adoption agency amid rape case
  • Digital Forensics playing a role in US election campaigns:  Web links spur ethics complaint in Killeen elections





Digital Forensics Case Leads: The New Forensics, The CyberMilitia and Bill Gates Gets Behind Open Source?

Case Leads is loaded for bear this week, after a week’s break. Here is some of what you will find:

* Are you ready for “The New Forensics”? If not, you might be left in the dust at trial. * What if the good guys adopted the organizing techniques of Anonymous? That’s the goal behind The CyberMilitia. * Forensics goes mainstream: A great essay on how one attacker invaded the lives of young women. * No freakin’ way – Bill Gates gets behind open source. * The FBI warns about attacks against US Law firms. * New ways to get crypto keys from Macs and many types of smartphones


Good Reads/Listens:

  • ‘A new forensics’: adapting to changing digital crimes, a good essay on keeping current. “In the world of proof and evidence, tried-and-tested technologies and procedures are hard-earned and valued. …[W]e’re now seeing the emergence of ‘a new forensics’: a discipline that’s reinventing itself year-by-year, but that remains rooted in stable scientific principles.”
  • Most people we meet outside of work really don’t know what we mean if we say we “work in Digital Forensics.” Here is an excellent ABC News story that answers that, and a good reference article to send to anyone that wants to know: Digital Detectives Dig Through Data Deluge
  • What if forensicators and cybercrime fighters could use the techniques of Anonymous to fight cyber crime? That’s the idea behind the new group, The CyberMilitia. M1ster_E, a spokesperson for CyberMilitia, was interviewed about this effort on CyberJungleRadio. The interview with M1ster_E begins at about 16min into the program.
  • Why malware, keylogging, webcams and young women don’t mix: The Hacker (sic) is Watching, from GQ magazine.
  • Meet Bill Gates, the Man Who Changed Open Source Software [!?]. Read The Wired Story.


  • Anti, Anti Mac Forensics: Forensics firm Passware Kit 11.3 extracts Mac OS X FileVault whole disk encryption keys, keychain passwords, and decrypts hashed passwords with Rainbow Tables. They are also warning Mac users of vulnerabilities in Mac encryption solutions. Read the company release.
  • Inc. announced the availability of a new version of their computer forensic suite, MacForensicsLab 4.0. The company says the new version brings a “streamlined interface” and other improvements to make examinations “quicker and more accurate than ever before.” Read more on their dedicated Mac forensics store/site.
  • A common computer crimes defense is “a virus did it.”  Many times, it makes sense to scan images for malware. Here is a helpful guide: How to Scan for Viruses in Windows Using a Linux Live CD/USB
  • For those using a Linux desktop distro in the field on their work laptop: Barry is an Open Source application that allows one to tether a Blackberry for internet access.



  • An interesting way to have fun with timelines – BBC Worldwide set to launch major new Doctor Who game: The Eternity Clock




by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Case Leads: The Digital Forensics Case of the Decade? Digital Forensics at US Border Crossings; Serious Flaw in Enterprise Firewalls? The Feds Re-examine DFIR As Data Shifts To The Cloud

The digital forensic and ediscovery case of the decade could describe the litigation between Facebook and a man who claims he has a contract and emails from Harvard student Mark Zuckerberg for 50% ownership of “The Face Book” as an early-stage investor. There are more questions than answers in this case right now, among them: Where were these emails during the Winklevoss case, and why didn’t they appear during discovery for that case?

In other forensic news: What do we need to know when crossing the US border with sensitive or confidential information that could be imaged from laptops and smart devices? In incident response news: Are major firewall companies so focused on “cloud computing” and “social networking” that their products lack fundamental protection from malformed packet attacks? The researchers at NSS Labs released an eye-opening report that claims many enterprise firewalls are vulnerable to these old-school attacks.

And, the Feds are re-examining forensic investigation procedures for the GSA and Ag Department as they migrate emails to a cloud services provider.


  • Law enforcement and intelligence teams can save time with Dell’s new mobile digital forensics solution. Spektor OS and Dell team up with a digital forensics “jump kit.” Read more in Kit puts digital forensics into the field.
  • Investigators who have to look at Twitter messages will find this very handy dissection guide useful: It’s called “map-of-a-tweet.”

Good Reads/Listens:

  • Federal lawyers and record managers are watching closely how the General Services Administration, the Agriculture Department and others move their email and collaboration services to private sector cloud computing providers. When the government faces a lawsuit, will the agency be able to find and provide the information the lawyers or the court requires? Will the agency have access to their data and all the metadata that surrounds emails or other documents stored in the third-party cloud? More at Federal News Radio
  • Just how broken are SSL certificates? “Right now, it’s just an illusion of security,” said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.” Read more at The Register.
  • More SSD forensic challenges for mobile device forensics as Moxie Marlinspike’s WhisperCore brings full disk encryption to Android smart devices.
  • Lock security expert, attorney, and regular DefCon speaker Marc Weber Tobias: Welcome to the U.S., We’ll Take Your Laptop Now.


  • French “hacker” and alleged Anonymous member arrested after bragging on TV.
  • The Digital forensic and eDiscovery investigation of the decade? That’s what some are saying about a new Facebook lawsuit. Here’s What Happens Next — And Who Is Likely To Pay.
  • Child-porn images allegedly found on ICE chief’s home computer; images allegedly exchanged via AOL’s email servers, and not part of an ICE investigation.
  • Tackling insider fraud and incident response in a world of fragmented efforts that are unable to keep pace with the methods used to circumvent controls. Read more in this Bank Security Portal story.
  • We’ve all heard of “the Trojan did it” defense. That’s when a cybercrime is denied by claiming that malware infected the machine and a remote actor performed the action that led to the arrest. NSS Labs this week released a bombshell report that questioned the basic security of major firewall vendors.
  • Calls for revisions to an auto accident privacy law. Originally intended to protect citizens, but is it being used to block government transparency?


  • It’s an open secret that some jurisdictions use traffic tickets and quotas as an illegal tax, but now there’s proof: Officers who alleged LAPD traffic ticket quota system win $2-million judgment from City of Los Angeles
  • A tech bargain hunter thought he snagged a 500GB SSD at a great price. Instead he got a fraudulent hardware and firmware hack: a 128MB thumb drive inside a 2.5″ case. You won’t believe this story.

Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to

Digital Forensics Case Leads for 2011 April 14 was compiled by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!

This week’s case leads features a new SMS botnet attack that has ripples into mobile forensics; Guidance Software releases an iOS forensics tool; an in-depth legal analysis of a recent ruling that could encourage lawyers to sue businesses due to downstream liability, and these lawsuits could involve considerable e-discovery; SIFT wins forensic award; PLUS get a free RSA Expo pass, free homebrew beer, and a chance to win a Honeycomb Android Tablet for your forensic testing!

Hey, is that an SMS botnet in the perp’s pocket? At last weekend’s Shmoocon 2011, Georgia Weidman gave a talk about how the most popular smartphone platforms can be silently seized by an attacker. There are potentially significant computer forensic repercussions. With the explosive growth of smartphone use, mobile forensics is a growing area for data capture and analysis. If the user of a smartphone had the device in his possession when certain messages were sent, investigators typically assume the user sent those messages. But what if SMS messages are going in and out as a proxy for someone else? You may download proof-of-concept code and slides from Georgia’s Shmoocon 2011 talk. The CyberJungle had the first radio interview with Georgia Weidman following Shmoocon. You may download a podcast of that episode. The interview starts at about the 20:20 mark.


  • Guidance Software announced a new forensic tool last week for Apple iOS devices, giving digital investigators another commercial option when performing forensic analysis and e-discovery on these popular mobile devices. According to a November survey of 1,641 business information technology buyers, corporate use of tablets is set to double in just the next three months. Despite the flood of new tablets hitting the market, iOS devices remain the overwhelming choice of business buyers today. Guidance Software says that the frenzy on both the consumer and corporate fronts is accelerating the demand for these types of tools. “As we do digital investigations, we’re encountering more Apple devices including iPads and iPhones,” said Detective Andy Kleinick, Officer-in-Charge, LAPD, Computer Crimes Unit. Andrew Hay, senior security analyst, Enterprise Security Program for The 451 Group, said, “Few organizations allow the connection of personal computers to a corporate network but, for some reason, many are fine with allowing employees to bring personal smart phones into the office – some going so far as to allow Wi-Fi-capable devices to connect to the corporate wireless network.” Hay went on to say, “With this new support for iPhone and iPad, Guidance Software can help analysts using its products to overlay traditional forensic and incident response strategies to one of the most prolific mobile device architectures in use today.” My take: I have yet to test this tool, but I have used iBackupBot, a free and easy-to-use shareware/nagware tool that allows an investigator to view and analyze the iOS backup files that reside on the computers end users use to manage their iOS devices. With iBackupBot, the investigator can view and analyze the iTunes backup files and quickly identify the relevant files of interest. iBackupBot allows the investigator to view the device’s databases, images, SMS messages, notes, address book, call history, calendar, and more. And, the application allows the export of the data to CSV files for easier creation of charts for use in reports. iBackupBot is a Microsoft Windows application, and therefore is more useful for forensic labs where Windows is still the predominant operating system.
  • Many times when working on a case, it would be advantageous to encrypt case information or certain evidence. That’s why this product caught my attention:

Two-Factor Crypto for Any USB Drive

The Hiddn Crypto Adapter (I presume it is pronounced “hidden”). According to a spokesman for the company, High Density Devices, this keypad-style peripheral will encrypt all types of USB storage media and add two-factor authentication. One of the challenges of encrypting a USB drive is: where does one store the encryption key? If it’s on the drive, then the data is not truly secure. That is why the popular encrypted drives have a separate mechanism to store the key, and a means to power that mechanism built into the drive. In part, that is what makes those drives cost much more than the off-the-shelf drives we typically use for evidence or other case data. With the Hiddn Crypto Adapter one no longer has to purchase dedicated encrypted drives. The device costs $465 according to the company spokesman. If you have a drive and a USB adapter, you can encrypt it, and secure the key with a smart card. The manufacturer claims the device is FIPS 140-2 Level 3 and Common Criteria EAL4+ certified, and that it supports AES-256 encryption. My take: I plan to review this tool as part of my coverage of RSA 2011 in San Francisco. High Density Devices can be found at RSA booth #2545.

Good Reads:

  • Our own Hal Pomeranz, in his role as surge staff for Mandiant, has an interesting post and a couple of tools for recovering deleted files from EXT3 file systems by using the indirect block pointers.
  • In a potential windfall to attorneys who sue businesses – a California Appeals court has ruled that businesses can be held strictly liable for actions done by their affiliates (and sub-affiliates).


  • Data retention law does not help law enforcement fight crime, study reveals.
  • Some Private Investigators are attempting to regulate computer forensics pros, state-by-state. Their efforts suffered a stinging defeat in the State of Virginia last week.
  • Brad Garnett has written a review of Harlan Carvey’s Windows Registry Forensics book.
  • Record a cop, go to jail — Two Chicago residents who recorded their interactions with the police are facing felony charges… one is in jail… and their cases are drawing attention to an eavesdropping law that may be obsolete in the age of smart phones with audio and video recording capabilities.
  • Last May, the Dow plummeted in seconds. Fat-finger error, or something more sinister?
  • A proposal is making its way through Congress for a law that would clarify the rights of Americans returning home from abroad only to have their digital devices seized by customs agents. My take — for the time being, consider the U.S. border a hostile zone for case data on your laptop and portable drives.
  • The U.S. Department of Defense Cyber Crime Center’s annual DC3 Challenge is underway. Sign up and compete; you’ll improve your skills and further the art and science in the process.


Coming Events:

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of The CyberJungle radio program, the news and talk each week on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of the High Tech Crime Investigator’s Association. Follow Ira’s security and forensics tweets: @ira_victor.