Community: Cheat Sheets

NEW! - Threat Intelligence Consumption Poster - Cyber Threat Intelligence is a wide and specialized field that goes far beyond indicators and threat feeds. This SANS poster covers the essentials you need to know while highlighting models such as the Kill Chain, Diamond Model, Active Cyber Defense Cycle, and the process used in the new FOR578 - Cyber Threat Intelligence course. Empower your organization to generate and consume threat intelligence to counter the adversary.
Download Here

SIFT Workstation & REMnux Poster - SANS faculty members maintain two popular Linux distributions for digital forensics and incident response (DFIR) work. SIFT Workstation™ is a powerful toolkit for examining forensic artifacts related to file system, registry, memory, and network investigations. REMnux® focuses on malware analysis and reverse-engineering tasks. This poster provides a reference to getting started with these freely available toolkits, so you can create your own ultimate forensication machine.
Download Here

Rekall Cheat Sheet - The Rekall Memory Forensic Framework has unique syntax and plugin options specific to its features and capabilities. This cheat sheet provides a quick reference for memory analysis operations in Rekall, covering acquisition, live memory analysis, and the parsing plugins used in the 6-Step Investigative Process. For more information on this tool, visit rekall-forensic.com.
Download Here

DFIR "Memory Forensics" Poster - Analysts armed with memory analysis skills have a better chance of detecting and stopping a breach before their organization becomes the next news headline. This poster shows some of the structures analyzed during memory forensic investigations. Just as those practicing disk forensics benefit from an understanding of file systems, memory forensic practitioners benefit from an understanding of OS internal structures.
Download Here

DFIR "Advanced Smartphone Forensics" Poster - Forensic investigations often rely on data extracted from smartphones and tablets. Smartphones are the most personal computing device associated with any user, and can therefore provide the most relevant data per gigabyte examined. Commercial tools often miss digital evidence on smartphones and their associated applications, and improper handling can render the data useless. Use this poster as a cheat sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets.
Download Here

DFIR "Evidence of..." Poster - The "Evidence of..." categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS course FOR408 - Windows Forensics. The categories map a specific artifact to the analysis questions it will help answer. Use this poster as a cheat sheet to help you remember where to find the key artifacts of an activity on Microsoft Windows systems when investigating intrusions, intellectual property theft, or common cyber crimes.
Download Here

DFIR "Find Evil" Poster - In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use this poster as a reference for locating anomalies that could reveal the actions of an attacker.
Download Here

DFIR SIFT 3.0 Cheat Sheets and Brochure - Inside our DFIR course catalog you will find two critical cheat sheets: the SIFT 3.0 guide and the Memory Forensics cheat sheet.
Download Here

SIFT Cheat Sheet - Looking to use the SIFT workstation and need to know your way around the interface? No problem: this cheat sheet gives you the basic commands to get cracking on your case using the latest cutting-edge forensic tools.
Download Here

Evidence Collection Cheat Sheet - This sheet covers the various locations where evidence that may assist an investigation can be found.
Download Here

Linux Shell Survival Guide - This guide is a supplement to SANS FOR572: Advanced Network Forensics and Analysis. It covers some of what we consider the more useful Linux shell primitives and core utilities. These can be exceedingly helpful when automating analysis processes, generating output that can be copied and pasted into a report or spreadsheet document, or supporting quick-turn responses when a full tool kit is not available.
Download Here

Windows to Unix Cheat Sheet - It helps to know how to translate between Windows and Unix. This handy reference guide ties together many well-known Unix commands with their Windows command-line siblings. A great way to get Windows users familiar with the command line quickly.
Download Here

Log2timeline Cheat Sheet - Creating a timeline is easy with this essential reference guide. The step-by-step nature of the log2timeline cheat sheet will enable anyone unfamiliar with the process to work through the creation of their first timeline in no time.
Download Here

Volatility Memory Forensics Cheat Sheet - Covering the popular memory analysis suite Volatility, this cheat sheet gives each investigator the key knowledge to quickly step through the 6-step memory analysis process using key commands from the plugins. This reference guide is very useful to have near you, whether you are just starting out in memory forensics or an expert who needs to quickly recall plugin syntax.
Download Here

Hex and Regex Forensics Cheat Sheet - Quickly become a master of sorting through massive amounts of data using this guide to the simple regex capabilities built into the SIFT workstation.
Download Here

Developing Process for Mobile Device Forensics (Det. Cynthia A. Murphy) - With the growing demand for examination of cellular phones and other mobile devices, a need has also arisen for process guidelines for the examination of these devices. While the specific details of examining each device may differ, the adoption of consistent examination processes will help the examiner ensure that the evidence extracted from each phone is well documented and that the results are repeatable and defensible.
Download Here

SANS FOR518 Reference Sheet - This cheat sheet describes the core functions and details of the HFS+ filesystem.
Download Here