Blog: SANS Digital Forensics and Incident Response Blog: Tag - Incident Response

Blog: SANS Digital Forensics and Incident Response Blog:

HeartBleed Links, Simulcast, etc.

At SANS 2014 last night, I gave a quick briefing on the HeartBleed vulnerability that impacts the security of the Internet. I wanted to post a few links in the interim (until the webcast itself is published, which I'm told will be by 3PM EDT).

The slides are available here.

I have built a server in the cloud that exposes the vulnerability. You can access the server at until it gets taken down by the hosting provider (which seems inevitable). However, if your management needs to see this in action, please feel free to use the server to demonstrate the vulnerability.

Additionally, I took a packet capture that exposes the vulnerability. This is suitable for testing your IDS signatures against. Hopefully you find this useful as well. The packet capture can be


The Importance of Command and Control Analysis for Incident Response

Understanding how malicious software implements command and control (C2) is critical to incident response. Malware authors could use C2 to execute commands on the compromised system, obtain the status of the infection, commandeer numerous hosts to form a bot network, etc. This article explains how malware performs C2 functions and clarifies how this information can aid responders in detecting, analyzing, and remediating malware incidents.

Stream-based Memory Analysis Case Study

Based on FOR526 Memory Forensics In Depth content

I recently worked an investigation that involved anomalous network traffic occurring inside a customer's network between a handful of workstations and the internal DNS server. I was given memory images collected by the customer from two of the offending systems. Following the memory analysis methodology we teach in FOR526, I was able to "rule out"* malicious code running on these systems. In addition to doing memory structure-based analysis, I parsed the image with a stream-based data carving tool, Bulk Extractor. This impressive free open-source


Updates to FOR610 Malware Analysis Course Debuting in April in Orlando

SANS FOR610 malware analysis course was refreshed to incorporate the latest Windows tools for examining malicious software. Starting with the April 2014 event in Orlando, conference students will receive a toolkit based on a pre-built Windows 8.1 virtual machine. This toolkit supplements the Linux-based REMnux virtual machine that has been a staple of malware analysts' arsenal of utilities. The update also introduces several new malware analysis tools, samples and techniques.

Tools for Analyzing Static Properties of Suspicious Files on Windows

Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables.