Blog: SANS Digital Forensics and Incident Response Blog: Category - Windows IR

Blog: SANS Digital Forensics and Incident Response Blog:

HeartBleed Links, Simulcast, etc.

At SANS 2014 last night, I gave a quick briefing on the HeartBleed vulnerability that impacts the security of the Internet. I wanted to post a few links in the interim (until the webcast itself is published, which I'm told will be by 3PM EDT).

The slides are available here.

I have built a server in the cloud that exposes the vulnerability. You can access the server at until it gets taken down by the hosting provider (which seems inevitable). However, if your management needs to see this in action, please feel free to use the server to demonstrate the vulnerability.

Additionally, I took a packet capture that exposes the vulnerability. This is suitable for testing your IDS signatures against. Hopefully you find this useful as well. The packet capture can be


Signature Detection with CrowdResponse

CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.

Running YARA Scans

YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of ...

Stream-based Memory Analysis Case Study

Based on FOR526 Memory Forensics In Depth content

I recently worked an investigation that involved anomalous network traffic occurring inside a customer's network between a handful of workstations and the internal DNS server. I was given memory images collected by the customer from two of the offending systems. Following the memory analysis methodology we teach in FOR526, I was able to "rule out"* malicious code running on these systems. In addition to doing memory structure-based analysis, I parsed the image with a stream-based data carving tool, Bulk Extractor. This impressive free open-source


Tools for Analyzing Static Properties of Suspicious Files on Windows

Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables.

DFIRCON APT Malware and Memory Challenge #DFIRCON


DFIRCON APT Malware & Memory Challenge

The memory image contains real APT malware launched against a test system.Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!

Win a free Simulcast Seat at DFIRCON Monterey - by downloading the memory image