SANS Digital Forensics and Incident Response Blog: Category - artifact analysis

SANS Digital Forensics and Incident Response Blog:

How Miscreants Hide From Browser Forensics

Scammers, intruders and other miscreants often aim to conceal their actions from forensic investigators. When analyzing an IT support scam, I interacted with the person posing as the help desk technician. He brought up a web page on the victim's system to present payment form, so the person would supply contact and credit card details. He did this in a surprising manner, designed to conceal the destination URL.

Running Malware Analysis Apps as Docker Containers

A new REMnux project initiative provides Docker images of Linux applications useful for malware analysis to offer investigators easier access to malware forensics tools. Docker is a platform for packaging, running and managing applications as "containers," as a lightweight alternative to full virtualization. Several application images are available as of this writing, and you can contribute your own as a way of experimenting with Docker and sharing with the community.

Using Sysinternals System Monitor (Sysmon) in a Malware Analysis Lab

System Monitor (Sysmon) is a new tool from Microsoft, designed to run in the Windows system's background, logging details related to process creation, network connections, and changes to file creation time. This information can assist in troubleshooting and forensic analysis of the host where the tool was installed prior to the incident that's being investigated. This article explores the role that System Monitor might play in a malware analysis lab, possibly supplementing tools such as Process Monitor.

Hibernation Slack: Unallocated Data from the Deep Past

Hi Folks,

I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, but it's always worth a look. My initial examination showed that even unallocated space had been largely overwritten during the six month post reinstall period. Even the fragments I was able to recover from file slack were largely useless. Then I got some very confusing keyword search hits from data in hiberfil.sys, the Windows hibernation file, and my Odyssey began.

The reason these hits were confusing was that they appeared to reference data from before the format, yet they occurred almost exactly in the middle of the 3GB+ hibernation file, andthat filehad been written to (whichI at first assumedmeant completely overwritten) only


SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.