Blog: SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics and IR Summit

Blog: SANS Digital Forensics and Incident Response Blog:

When Cases Involve SSNs and Credit Card Data: "Sensitive Data Search and Baseline" Python Script

A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patch work of legislation covering various types of data which is considered sensitive ( In general, social security and credit card numbers are at the top of the concern list. Since many states have encryption exemptions, a forensicator needs to know, does any media storage in the case have sensitive data in the clear?

Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to data exfiltation. Attackers commonly password protected and compressed the data as a .rar file. With strong passwords (32+ character pass-phrases) .rar files can be difficult to almost impossible to open with normal computing power.

Using a cross


Windows Memory Analysis In-Depth - Discount Code = WINDEX = 10% Off #DFIR

Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions.

SANS is offering a 10% discount off the FOR526 course for the following events: Discount Code: WINDEX

  1. Security West 2013 - San Diego, CA - May 9-13 -

  2. ...

New Advanced Persistent Threat Based - FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems. You are compromised by the APT.

Most organizations are left speechless as 90% of all intrusions are now discovered due to 3rd party notification. And in many cases, the APT has been on your network for years.

Learn how to hunt for the APT in this completely brand new training course from SANS - FOR508: Advanced Incident Response and Forensics Course.

The NEW FOR508 APT-based course debuted at SANS Security West


Digital Forensics Case Leads: DUQU, Locks, Stego and Pirates What More Could You Ask For.

In this weeks CaseLeads, there's a bunch of new useful tools that might come in handy in certain situations while handling incidents PDF Analysis, Malware Analysis, Honeypots and MAC forensics! A sequel of a multi-part series on protecting our credentials whilehandling incidents. When some weird registry keys appear in log2timeline results, you discover an attack vector on manipulating execution chain? More and more on Prefetch Analysis Challenging forensicators, The Honeynet Project publishs a cool challenge for fun and profit. More on that weird DUQU source code guess what it is? When a digital lock refuses to unlock for the FEDS, guess what they do? STEGO techniques comes to light again using foreign languages!? And finally raids are not only in games! in our real life @ The Pirates bay?

If you have an item you'd like to contribute toDigital Forensics CaseLeads, please send it to



Digital Forensics Case Leads: Google+, LinkedIn and Hacking Vodafone's network

With LinkedIn scoring the number two spot in social networking and Google+ trying to get up to speed it will make it an interesting time for social networks. There are some good reads by Little Mac, Harlan Carvey and Chris Pogue. See what Dilbert and BOFH are up to as well as checking out the upcoming conferences and training and the call for papers for numerous conferences.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

Good Reads: