SANS Digital Forensics and Incident Response Blog

Analyzing Shellcode Extracted from Malicious RTF Documents

During the analysis of malicious documents designed to exploit vulnerabilities in the programs that load them (thereby allowing arbitrary code to run), it is often desirable to review any identified shellcode in a debugger. This gives the analyst greater control and flexibility while discovering its capabilities and how it implements the payload of the attack.

MalHost-Setup, part of the OfficeMalScanner suite, allows the analyst to generate an executable that runs the shellcode embedded in a malicious document. To use this tool, we first need to determine the offset within the infected document, or within the extracted OLE file, at which the shellcode begins; we then specify this offset as a parameter to MalHost-Setup when generating the executable. This executable can then be loaded into a debugger,

Was DPRK behind the Sony hack?

UPDATE: While this post was embargoed, various news outlets have claimed that sources in the US Government are confirming North Korea's involvement in the Sony hack. I don't have the intelligence they have access to, and North Korea has already denied participation in the hack publicly. If North Korea was behind the attack, then it heralds a new era in state-sponsored hacking - one in which nations attempt not only to steal secrets from other government and commercial interests, but also attempt to extort money directly from the victims. Regardless of the outcome, I'd like to share my thought process in evaluating cyber attribution and attacker motivations.

There are lots of opinions out there about whether or not North Korea (DPRK) was behind the Sony attacks. Is this really a plausible theory? Maybe, but it's unlikely. Why did this get such traction in the press? Let's be honest: a nation state hacking a movie studio because they are releasing a movie


Running Malware Analysis Apps as Docker Containers

A new REMnux project initiative provides Docker images of Linux applications useful for malware analysis, offering investigators easier access to malware forensics tools. Docker is a platform for packaging, running and managing applications as "containers," a lightweight alternative to full virtualization. Several application images are available as of this writing, and you can contribute your own as a way of experimenting with Docker and sharing with the community.

DFIR Monterey 2015 Network Forensics Challenge Released

DFIR Monterey 2015

Join us at DFIR Monterey 2015 - a Reverse Engineering Digital Forensics and Incident Response Education (REDFIRE) Event.

This unique Digital Forensics and Incident Response (DFIR) event brings our most popular forensics courses, instructors, and bonus seminars together in one place to offer one of SANS' most comprehensive DFIR training experiences. This is a must-attend event for you and your team as our leading experts focus on building the DFIR skills that will take you to the next level.

Network Forensic Challenge

The objective of the ...

How to Track Your Malware Analysis Findings
The field of incident response, forensics, and malware analysis is full of thrilling hunts and exciting investigations where you have an opportunity to aggressively pursue the activities of adversaries. While technical acumen certainly supports these efforts, a truly successful execution requires both a well-crafted process and detailed documentation of the journey through that process. Meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results. More importantly, if a malware analysis effort continues for any substantial period of time, tracking what you've done and what is yet to be done is difficult without comprehensive notes. Generating documentation is clearly one of the less glamorous parts of malware analysis, but it's absolutely necessary to be an effective analyst.