SANS Digital Forensics and Incident Response Blog

Malware Can Hide, But It Must Run

Article originally posted on forensicfocus.com. Author: Alissa Torres.

It's October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price. Investigators who do not …


Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

In the course of an incident, incident responders will have to retrieve files from a machine in a forensically sound manner. RIFT copies files from a subject machine in a forensically sound manner using the Sleuthkit toolset. By simply running RIFT with a regex list of file names or directories, specific files and folders are targeted for extraction. For each match, icat is then used to copy the file or folder to a drive/share other than the C drive.


SANS Threat Hunting and Incident Response Summit - Call For Presentations

Call for Speakers - Now Open. Summit Dates: April 18-19, 2017. Call for Presentations Closes on 21 October 2016. Apply here: http://dfir.to/ThreatHuntCFP

The Threat Hunting & Incident Response Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. SANS and …


DensityScout can handle multi-byte characters, now!

Due to a bug report regarding issues when using DensityScout with filenames/paths including multi-byte characters, I compiled and uploaded a new build which is now capable of handling these cases correctly. I strongly recommend switching to this new build as soon as possible. Get it from: https://cert.at/downloads/software/densityscout_en.html Cheers, Christian


A Sneak Peek at Pokemon Go Application Forensics

This post was originally posted on Murphy's Law Blog, authored by SANS Certified Instructor Cindy Murphy. Listen to the webcast here.

UPDATED 7/22/16 - Thanks to Warren Raquel (@warquel), a Senior Security Engineer at the National Center for Supercomputing Applications, Android location information has been SOLVED! See the Android Location Information section below.

"Some trainers …