Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

SANS Cyber Threat Intelligence Summit - Call For Papers Now Open

SANS Cyber Threat Intelligence Summit Call For Papers 2015.


Send your submissions to CTISummit@sans.org by 5 pm EST on Friday, October 24, 2014 with the subject


"SANS CTI Summit CFP 2015."


Dates: Summit Dates: February 2 & 3, 2015Pre?Summit Course Dates: February 4?9, 2015


Location:Washington, DC


 

Our 3rd annual Cyber Threat Intelligence (CTI) Summit will once again be held in Washington DC.

Summit Co-Chairs:Mike Cloppert and Rick Holland

The goal of this summit will be to equip attendees with knowledge on the tools, methodologies and processes they need to move forward with cyber threat intelligence. Attendees that are either new to CTI or more mature in their CTI journey should be able to take away content and immediately apply it to their day jobs. The SANS What Works in Cyber

...

TorrentLocker Unlocked

Guest submission byTaneli Kaivola, Patrik Nisn and Antti Nuopponen of NIXU

TorrentLocker is a new breed of ransomware that has been spreading lately. Like CryptoLocker and CryptoWall it encrypts files on a victim's machine and then demands ransom. The victim has to pay to get the decryption software that can decrypt the files.

On a recent incident response case we came across a malware program that had all the known characteristics of TorrentLocker. We started to analyze the malware to see if there was a way to get the files decrypted without paying the ransom. It is well known that some ransomwares like CryptoLocker do implement proper encryption and that it is not possible to recover the encrypted files, but on the other hand, there are also several examples of malware that

...

Super Sunday Funday Forensic Challenge

The Challenge: Starting September 4, 2014 on the Hacking Exposed Computer Forensics Blog the first forensicimage will be available for download. Your goal is to solve the questionwith the first forensic image and email it to dcowen@g-cpartners.com.

The Challenge:


The first forensic image is available for download. Your goal is to solve the question with the first forensic image located at:https://mega.co.nz/#!qoxgGYCY!1jM32pncF0wE-TROhaXFI07hZbu5AfZ1BJE-p8tm1mo

and email the answer to the following questionsto:dcowen@g-cpartners.com.


  • What was used to wipe this drive?

  • What special options were given?

  • What file was wiped from this
...

Copier Forensics in 2014: The Good, The Bad, and The Ugly

Recently, I had the opportunity to do forensic analysis on a HDD extracted from a Canon ImageRunner Advanced C5240 Multifunction Copier. After a story was broken by CBS News, back in 2010, it seemed likely that less would be available than is described in the copier forensic write-ups here and here. Nonetheless, I was hopeful. As you will see, my results were somewhat mixed, but the security enhancements put in place after that article could certainly have been much more complete.

The Good:


The first new security feature I noticed, when beginning my examination of the drive, was that the ...

Using Sysinternals System Monitor (Sysmon) in a Malware Analysis Lab

System Monitor (Sysmon) is a new tool from Microsoft, designed to run in the Windows system's background, logging details related to process creation, network connections, and changes to file creation time. This information can assist in troubleshooting and forensic analysis of the host where the tool was installed prior to the incident that's being investigated. This article explores the role that System Monitor might play in a malware analysis lab, possibly supplementing tools such as Process Monitor.