Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics and Incident Response Poster Released

Download SANS DFIR Poster 2012




The SANS Digital Forensics and Incident Response faculty and community members created the 2012 poster. "Evidence of..." categories to map a specific artifact to the analysis question that it will help to answer. Finding unknown malware is an intimidating process to many, but can be simplified by following some simple steps to help narrow your search. Use this poster as a cheatsheet to help you remember where you can discover key items to an activity for Microsoft Windows systems for intrusions, intellectual property theft, or common cyber-crimes.

POSTER FRONT:



Proper digital forensic and incident response analysis is essential to successfully solving complex cases today. Each analyst should examine the artifacts and then analyze the activity that they describe to determine a clear picture of which user was involved, what the user was doing, when they were doing it, and why. The data here will aid you in finding multiple locations that can help substantiate facts related to your casework.

POSTER BACK:



Each of the rows listed will describe a series of artifacts found on a Windows system to help determine if that action occurred. Usually multiple artifacts will be discovered that will all point to the same activity. These locations are a guide to help you focus your analysis in the right areas in Windows that could aid you in answering simple questions.

Download SANS DFIR Poster 2012


Created by Rob Lee and the SANS DFIR Faculty


Special thanks for technical review and edits by the following individuals. We couldn't have finished the poster without your great inputs and help.
  1. Phil Hagen
  2. Paul Henry
  3. Mary Horvath
  4. David Nides
  5. Patrick Olsen
  6. Hal Pomeranz
  7. Chad Tilbury
  8. Alissa Torres
  9. Tom Yarrish
  10. Lenny Zeltser

17 Comments

Posted June 19, 2012 at 8:19 AM | Permalink | Reply

Ray

Is this poster being mailed out? It looks very useful.

Posted June 19, 2012 at 12:21 PM | Permalink | Reply

Marek

This is such a tremendous help in day to day work, many thanks to everyone involved in putting this information together!

Posted June 19, 2012 at 11:08 PM | Permalink | Reply

Steve Traylor

Hello,

I was supposed to get one in my SANS Network Security class packet but alas, mine was missing. Is there away to have one mailed to me?

Posted June 20, 2012 at 11:34 PM | Permalink | Reply

Myk.F

Typo :
Within the Browser Usage - History segment Location is duplicated, second surely should be Firefox?
Superb non the less!

Posted June 21, 2012 at 2:08 PM | Permalink | Reply

Rob Pearson

Rob,
Great Poster... My Supervisor wants to be able to get a few for the Training Room at our HQ.. Is that something you have available for purchase?

Thanks

Rob

Posted June 22, 2012 at 3:33 AM | Permalink | Reply

Rob Lee

We printed 80,000 copies. Additional copies apparently will be sent out with SC Magazine subscriptions as well. We know that not everyone will be able to get a hard copy thus why we are distributing the PDF as well. We hope that helps!

Posted June 22, 2012 at 2:45 AM | Permalink | Reply

MarcusL

I received a large white envelope a couple of days ago from SANS, on the outside of the package/envelope indicate it reads "Look Inside! Digital Forensic and Incident Response Poster". There is also a letter from Mr. Northcutt, which ends with "P.S. Don't miss the poster that is enclosed with helpful information about finding Malware and Windows Artifact Analysis: Evidence of...related to Forensics and Incident Response."
I have to admit, I want this poster, and cannot find it anywhere, the closet thing that resembles a poster is the inside cover of a booklet they sent, which is a career roadmap.
Did anyone else have a similar experience?

Posted June 22, 2012 at 3:35 AM | Permalink | Reply

Rob Lee

There was a major error for some of the catalogs that went out. We are trying to track down why it occurred.

Posted June 26, 2012 at 9:37 PM | Permalink | Reply

Joe

Very cool, but is there a typo? I just started reading it Files Downloaded -

Posted June 28, 2012 at 4:51 PM | Permalink | Reply

Mary Hummel

Rob, fantastic poster, we too were wondering if it can be ordered and if so can you provide the contact information.

Thank you

Posted August 07, 2012 at 9:19 PM | Permalink | Reply

Cook

My co-worker just got his in the mail. How do I get my hands on one?

Posted September 24, 2013 at 1:52 PM | Permalink | Reply

Bernie

I just got a poster from the Network Security training last week in my supplies. I would like to get a few more of the posters themselves for the office. Please let me know how to get those. Thanks in advance.

Posted October 28, 2013 at 5:16 PM | Permalink | Reply

Shannon

I don't see any replies regarding questions about ordering a poster, so I hate to do this, but I am going to ask the question again......is there a way to order the poster? Can you provide contact information, if so?

If it isn't available for sale, is there any copyright infringement that prevents me from having a local printing company or Office Depot from printing it into a large poster? It would be for personal use only as it will help me with graduate school (Digital Forensics). If so, do you have a high resolution pdf copy that will allow a quality large print to be made?

Thank you.

Posted October 31, 2013 at 1:59 AM | Permalink | Reply

Rob Lee

Shannon -- I sent two emails to you trying to follow up but didnt get a response. Is there a better email address to reach you? Please email me at rlee "at" sans.org to try and help out.

Posted May 02, 2014 at 3:20 PM | Permalink | Reply

carson

Nice poster!

Posted May 07, 2014 at 1:43 PM | Permalink | Reply

bmw service

Great poster, I downloaded it.

Posted June 26, 2014 at 10:33 AM | Permalink | Reply

Pooja Singh

Great post.......

Post a Comment






* Indicates a required field.