
SANS Forensics Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by forensic practitioners seeking GCFA, GCFE, and GREM Gold. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

| Paper | Author | Cert |
|---|---|---|
| Review of Windows 7 as a Malware Analysis Environment | Adam Kramer | GREM |
| Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise | Kenneth Zahn | GREM |
| Detailed Analysis Of Sykipot (Smartcard Proxy Variant) | Rong Hwa Chong | GREM |
| Windows ShellBags Forensics in Depth | I-Lin Vincent Lo | GCFA |
| A Detailed Analysis of an Advanced Persistent Threat Malware | Frankie Fu Kay Li | GREM |
| Using IOC (Indicators of Compromise) in Malware Forensics | Hun Ya Lock | GREM |
| Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis | Terrence OConnor | GCFA |
| Interception and Automating Blocking of Malicious Traffic Based on NDIS Intermediate Driver | Lee Ling Chuan | GREM |
| Comprehensive Blended Malware Threat Dissection: Analyze Fake Anti-Virus Software and PDF Payloads | Anthony Cheuk Tung Lai | GREM |
| Repurposing Network Tools to Inspect File Systems | Andre Thibault | GCFA |
| Enhancing incident response through forensic, memory analysis and malware sandboxing techniques | Wylie Shanks | GCFA |
| Indicators of Compromise in Memory Forensics | Chad Robertson | GCFA |
| Computer Forensic Timeline Analysis with Tapestry | Derek Edwards | GCFA |
| Windows Logon Forensics | Sunil Gupta | GCFA |
| What's in a Name: Uncover the Meaning behind Windows Files and Processes | Larisa Long | GCFA |
| Analysis of a Simple HTTP Bot | Daryl Ashley | GREM |
| Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI) | Jean Agneessens | GREM |
| Mobile Device Forensics | Andrew Martin | GCFA |
| Mac OS X Malware Analysis | Joel Yonts | GCFA |
| Building a Malware Zoo | Joel Yonts | GREM |
| Mastering the Super Timeline With log2timeline | Kristinn Gudjonsson | GCFA |
| Logic Models for Computer Forensics | Jim Garrett | GCFA |
| A Regular Expression Search Primer for Forensic Analysts | Timothy Cook | GCFA |
| Identifying Malicious Code Infections Out of Network | Ken Dunham | GCFA |
| Malcode Context of API Abuse | Ken Dunham | GREM |
| Live Response Using PowerShell | Sajeev Nair | GCFA |
| Forensic Analysis on iOS Devices | Tim Proffitt | GCFE |
| CC Terminals, Inc. Forensic Examination Report: Examination of a USB Hard Drive | Brent Duckworth | GCFA |
| Unspoken Truths - Forensic Analysis of an Unknown Binary | Louie Velocci | GCFA |
| Forensic Analysis of a SQL Server 2005 Database Server | Kevvie Fowler | GCFA |
| Taking advantage of Ext3 journaling file system in a forensic investigation | Gregorio Narvaez | GCFA |
| Lessons from a Linux Compromise | John Ritchie | GCFA |
| Forensic Analysis of a Compromised NT Server (Phishing) | Andres Velazquez | GCFA |
| Analysis of a serial based digital voice recorder | Craig Wright | GCFA |
| Analysis of an unknown USB JumpDrive image | Roger Hiew | GCFA |
| Forensic Investigation of USB Flashdrive Image for CC Terminals | Rhonda Diggs | GCFA |
| GIAC GREM Assignment - Pass | Joe Fresch | GREM |
| Analysis of an unknown disk | Jure Simsic | GCFA |
| Integrating Forensic Investigation Methodology into eDiscovery | Jeff Groman | GCFA |
| Analysis of a Windows XP Professional compromised system | Manuel Humberto Santander Pelaez | GCFA |
| Analysis of a Commercial Keylogger installed on multiple systems | Merlin Namuth | GCFA |
| GIAC GREM Assignment - Pass | David Chance | GREM |
| Reverse Engineering the Microsoft exFAT File System | Robert Shullich | GCFA |
| How not to use a rootkit | Mike Wilson | GCFA |
| Forensic Analysis on a compromised Linux Web Server | Jeri Malone | GCFA |
| Analysis of a Red Hat Honeypot | James Shewmaker | GCFA |
| GIAC GREM Assignment - Pass | James Shewmaker | GREM |
| Forensic with Open-Source Tools and Platform: USB Flash Drive Image Forensic Analysis | Leonard Ong | GCFA |
| Forensic analysis of a Windows 2000 computer literacy training and software development device | Golden Richard | GCFA |
| GIAC GREM Assignment - Pass | James Balcik | GREM |
| Forensic Analysis Procedures of a Compromised system using Encase | Jeffrey McGurk | GCFA |
| Forensic analysis of a Compromised Windows 2000 workstation | Charles Fraser | GCFA |
| Forensic Analysis on a compromised Windows 2000 Honeypot | Peter Hewitt | GCFA |
| Evaluation of Crocware's Mount Image Pro as a Forensic Tool | Hugh Tower-Pierce | GCFA |
| Forensic Tool Evaluation - MiTeC Registry File Viewer | Kevin Fiscus | GCFA |
| Camouflaged and Attacked? | Bertha Marasky | GCFA |
| Review of Foundstone Vision as a forensic tool | Bil Bingham | GCFA |
| Forensic Analysis of a Compromised Intranet Server | Roberto Obialero | GCFA |
| Analysis of an IRC-bot compromised Microsoft Windows system | Jennifer Kolde | GCFA |
| HONORS - Analysis of a USB Flashdrive Image | Raul Siles | GCFA |
| Safe at Home? | David Perez | GCFA |
| Evaluation of a Honeypot Windows 2000 Server with an IIS Web/FTP Server | Kenneth Pearlstein | GCFA |
| Forensic Analysis of a USB Flash Drive | Norrie Bennie | GCFA |
| Open Source Forensic Analysis - Windows 2000 Server | Andre Arnes | GCFA |
| Forensic Analysis of dual bootable Operating System (OS) running a default Red Hat 6.2 Linux server installation and Windows 98 | Mohd Shukri Othman | GCFA |
| An Examination of a Compromised Solaris Honeypot, an Unknown Binary, and the Legal Issues Surrounding Incident Investigations | Robert Mccauley | GCFA |
| Forensic Analysis of an EBay acquired Drive | Daniel Wesemann | GCFA |
| Analyze an Unknown Image and Forensic Tool Validation: Sterilize | Steven Becker | GCFA |
| Malware Adventure | Russell Elliott | GREM |
| Binary Analysis, Forensics and Legal Issues | Michael Wyman | GCFA |
| Analysis on a compromised Linux RedHat 8.0 Honeypot | Jeff Bryner | GCFA |
| Forensic analysis of a compromised RedHat Linux 7.0 system | Jacob Cunningham | GCFA |
| Validation of Norton Ghost 2003 | John Brozycki | GCFA |
| Analysis of a Suspect Red Hat Linux 6.2 System | Ray Strubinger | GCFA |
| Forensic Analysis of Shared Workstation | Michael Kerr | GCFA |
| Forensic Analysis on a Windows 2000 Pro Workstation | David Cragg | GCFA |
| Sys Admins and Hackers/Analysis of a hacked system | Lars Fresen | GCFA |
| Validation of ISObuster v1.0 | Steven Dietz | GCFA |
| GIAC GREM Assignment - Pass | Gregory Leibolt | GREM |
| Analysis of a Potentially Misused Windows 95 System | Gregory Leibolt | GCFA |
| Forensic Analysis ThinkPad 600 laptop running Windows 2000 server | Brad Bowers | GCFA |
| Validation of Restorer 2000 Pro v1.1 (Build 110621) | Denis Brooker | GCFA |
| Analysis of a Suspect Red Hat Linux 6.1 System | James Fung | GCFA |
| Dead Linux Machines Do Tell Tales | James Fung | GCFA |
| Analysis and Comparison of Red Hat Linux 6.2 Honeypots With & Without LIDS-enabled Kernels | Greg Owen | GCFA |
| Analyzing a Binary File and File Partitions for Forensic Evidence | James Butler | GCFA |
| Analysis of a Honeypot running Red Hat Linux 6.2 | Keven Murphy | GCFA |
| Analysis of a Compromised Windows NT 4.0 Server Running MS SQL Server 7.0 | Steve Lukacs | GCFA |
| Discovery Of A Rootkit: A simple scan leads to a complex solution | John Melvin | GCFA |
| GIAC GREM Assignment - Pass | Lorna Hutcheson | GREM |
| Forensic Analysis of a Windows 2000 server with IIS and Oracle | Beth Binde | GCFA |
| Analysis of an Unknown Red Hat Linux 7.3 System | Stephen Pedersen | GCFA |
| Forensic Analysis of a Sun Ultra System | Tom Chmielarski | GCFA |
| Reverse Engineering msrll.exe | Rick Wanner | GREM |
| GIAC GREM Assignment - Pass | Sven Olensky | GREM |
| Forensic Validity of Netcat | Michael Worman | GCFA |
| CC Terminals Harassment Case | Dean Farrington | GCFA |
| Forensic analysis of a compromised Linux RedHat 7.3 system | Kevin Miller | GCFA |
| Validation of Process Accounting Records | Jim Clausing | GCFA |
| Building an Automated Behavioral Malware Analysis Environment using Open Source Software | Jim Clausing | GREM |
| Forensic analysis of a Windows 98 system | Jerry Shenk | GCFA |
| Forensic analysis of a Compromised Red Hat 7.2 Web Server | Martin Walker | GCFA |