Yesterday, two new vulnerabilities (Meltdown and Spectre) were introduced that are in the architecture of processors in nearly every computer and other devices using CPUs. Code to exploit these vulnerabilities in some cases is now publicly available and we can expect that more capable/modular code will be released soon. During this webcast, Jake Williams will walk you through how the vulnerabilities …

Digital forensic cases involving children as potential victims are a reality that is always present in today’s society. Whether it is law enforcement investigating or corporate investigators discovering these matters, examiners must be prepared and ready to handle these types of cases. The priority of these cases must be to protect any involved children by revealing the truth. In this …

PowerShell is fast becoming the defacto tool for adversaries in nearly every phase of an attack. The ability to live off the land as an attacker helps to reduce the chance of being detected.  Because of the commonality and legitimate use of PowerShell, the proficiency to identify unwanted actions becomes increasingly challenging. In this session you’ll learn: How to quickly …

An international team of forensics experts helped create the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern forensic tool suite, is also featured in SANS FOR508: Advanced Threat Hunting and Incident Response course (http://www.sans.org/FOR508). It demonstrates that advanced investigations and responding …

SANS Institute has published a whitepaper by Xiaoxi Fan titled “Detection of Backdating the System Clock in Windows”. This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus …

FOR572: Advanced Network Forensics Analysis course author and instructor Phil Hagen introduces the SANS DFIR Network Forensics Analysis Poster, which was released late May 2017. Phil browses the poster contents and highlights use cases that can help improve your network forensic capabilities. He also discusses the latest release of the free SOF-ELK analytics VM appliance and shows some examples of …

SANS Instructor and Former FBI Agent Eric Zimmerman has provided several open source command line tools free to the DFIR Community. These open source tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. Eric’s first Cheat Sheet contains usage for tools for …

Guys from Open Analysis have published a video of walking through manually decoding a malicious vbs script that was submitted to them by a viewer. These scripts were being delivered via phishing campaigns and were bundled within encrypted word (docx) documents. Tools used: oletools – github.com/decalage2/oletools oledump – blog.didierstevens.com/2017/03/07/update-oledump-py-version-0-0-27/ psparser – github.com/phishme/malware_analysis/blob/master/scripts/psparser.py VBCode indenter – vbindent.com/ Windows RE & Internals …

Three Decades of Computer Security in Perspective Before anyone thought to utter the words “cyber threat intelligence,” Cliff Stoll was doing it (and chronicling it in the seminal book that led many of us to careers in the field). From his vantage point as the father of the discipline, he’ll share his unique view of how far we’ve come (hint: …

In this video digital forensic expert Michael Perklin talking about the investigation of the Shapeshift.io hack. ShapeShift is a company that offers global trading of a variety of digital assets via web and mobile platforms. The company does not collect personal data on its customers and exchanges one cryptocurrency for another without ever collecting customer funds into company accounts, which is unique among …