SANS Digital Forensics and Incident Response Blog

Has the smartphone finally outsmarted us?

I can honestly say that the most common question I am asked by examiners, investigators, students and even my neighbors is, "which phone is the most secure?" Obviously, the concern behind the question varies. Some want to secure their own device, and others, like myself, want to prove everyone in DFIR wrong by cracking into the toughest and most secure devices.

Smartphone security has gotten drastically stronger in 2014. This year, we are expecting even more challenges when examining smartphones. When thinking about the forensic aspects of smartphone security and encryption, we have to consider two things:


  1. How are we going to get access to the data?

  2. Even if we get a dump of the device, can we decrypt and examine the data?

  3. What happens if I can access the data, but the application data is encrypted?


Let's look at a few devices to consider our options. First, Windows Phone 8 (WP8) brought us new issues that ...

2015 DFIR Monterey Network Forensic Challenge Results

Thanks to everyone that submitted or just played along with the SANS DFIR Network Forensic Challenge! We had over 3,000 evidence downloads, and more than 500 submissions! Per the rules, the winner must have answered four of the six questions correctly. Then, by random selection among those submissions, the winner was selected.

We're excited to announce that Henry van Jaarsveld is the winner for this challenge! Congratulations, and we hope you enjoy your SANS OnDemand Course. Great work, Henry!

The challenge answers are listed below:


  1. At what time (UTC, including year) did the portscanning activity from IP address 123.150.207.231 start?
    Answer: Aug 29 2013 13:58:55 UTC

  2. What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?
    Answer: 169.254.20.167, 169.254.90.183, 192.168.1.64

  3. What IP (source and destination) and TCP ports (source and ...

What is New in Windows Application Execution?

One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of winsvchost.exe? Why was a privacy cleaning tool used for the first time during the system owner's last week of work? While these artifacts are undoubtedly useful, our adversaries are more forensic-aware than ever and often take steps to eliminate them. At CrowdStrike we routinely encounter nation-state groups that attempt to delete Prefetch. Even the popular CCleaner anti-forensics tool defaults to clearing Prefetch and UserAssist data. Hence having additional sources of data can often mean the difference between an easy examination and a long, painful one.

...

Mastering Malware Analysis Skills - The Power of a Capture-the-Flag Tournament

Here at SANS, we've worked hard to deliver a Reverse Engineering Malware course packed with technical knowledge, hands-on exercises, and our insights from years of experience. Just as attackers and their tools continue to evolve, so has this course to arm participants with relevant skills they can apply immediately. As both an instructor and a practitioner, I believe the most significant addition to this course is a Capture-the-Flag Tournament. I'd like to share why I think this new content is an amazing opportunity for students to develop their malware analysis skills.

In my experience, building malware analysis skills requires several parallel efforts:

(1) Digest key concepts: With a basic foundation in computer systems, learn how to perform behavioral and code analysis to evaluate a suspect file, dissect its key functionality, assess its

...

Examining Shellcode in a Debugger through Control of the Instruction Pointer

During the examination of malicious files, you might encounter shellcode that will be critical to your understanding of the adversary's intentions or capabilities. One way to examine this malicious code is to execute it using a debugger after setting up the runtime environment to allow the shellcode to achieve its full potential. In such circumstances, it's helpful to take control of the instruction pointer to direct the debugger towards the code you wish to examine.

The modern computer has been designed to make life easy for the standard user. It is actually quite difficult to say to the computer "Hey, I've found some shellcode embedded in a file, could you run it for me?", and for good reason! If you don't get it exactly right, the chances are you're going to end up crashing something.

Scenario walkthrough - Analysing embedded shellcode

I have devised a simplified scenario which will allow us to consider how to analyse shellcode embedded ...