An international team of forensics experts helped create the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern forensic tool suite, is also featured in SANS FOR508: Advanced Threat Hunting and Incident Response course (http://www.sans.org/FOR508). It demonstrates that advanced investigations and responding …
SANS Institute has published a whitepaper by Xiaoxi Fan titled “Detection of Backdating the System Clock in Windows”. This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus …
FOR572: Advanced Network Forensics Analysis course author and instructor Phil Hagen introduces the SANS DFIR Network Forensics Analysis Poster, which was released late May 2017. Phil browses the poster contents and highlights use cases that can help improve your network forensic capabilities. He also discusses the latest release of the free SOF-ELK analytics VM appliance and shows some examples of …
SANS Instructor and Former FBI Agent Eric Zimmerman has provided several open source command line tools free to the DFIR Community. These open source tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. Eric’s first Cheat Sheet contains usage for tools for …
Guys from Open Analysis have published a video of walking through manually decoding a malicious vbs script that was submitted to them by a viewer. These scripts were being delivered via phishing campaigns and were bundled within encrypted word (docx) documents. Tools used: oletools – github.com/decalage2/oletools oledump – blog.didierstevens.com/2017/03/07/update-oledump-py-version-0-0-27/ psparser – github.com/phishme/malware_analysis/blob/master/scripts/psparser.py VBCode indenter – vbindent.com/ Windows RE & Internals …
Three Decades of Computer Security in Perspective Before anyone thought to utter the words âcyber threat intelligence,â Cliff Stoll was doing it (and chronicling it in the seminal book that led many of us to careers in the field). From his vantage point as the father of the discipline, heâll share his unique view of how far weâve come (hint: …
In this video digital forensic expert Michael Perklin talking about the investigation of the Shapeshift.io hack. ShapeShift is a company that offers global trading of a variety of digital assets via web and mobile platforms. The company does not collect personal data on its customers and exchanges one cryptocurrency for another without ever collecting customer funds into company accounts, which is unique among …
Mobile devices are becoming an increasingly integral part of criminal, legal, and regulatory investigations and disclosures. However, computers and mobile devices are often examined separately by different people, often due to technical and procedural reasons. That can make it almost impossible to identify and review evidence and intelligence across multiple data sources, devices, and crime scenes. Only when we look …
Sign up for the upcoming session on how to uncover advanced threats using DNS and data science, presented by Josh Liburdi and Chris McCubbin. In this session, youâll learn: What DNS is and how adversaries can utilize it to carry out attacks How to use DNS data to launch an incident investigation How to leverage data science techniques to detect DNS behaviors like DGA The …
So you think you might have a compromised Windows system. If you do, where do you start? How would you review the memory of that system? What are the first 10 commands you’d run to see if it’s actually compromised? This webcast will be based on SANS 504, and will introduce attendees to some free sample memory dumps and command …
Login
