SANS Digital Forensics and Incident Response Blog

A few Ghidra tips for IDA users, part 4 - function call graphs

One of the features of IDA that we use in FOR610 that can be helpful for detecting malicious patterns of API calls is the feature for creating a graph of all function calls called from the current function and any functions that it calls. The graph itself isn't all that pretty to look at, but …


Six Reasons You Don't Want to Miss SANS DFIR Summit & Training 2019

The annual SANS DFIR Summit & Training is just around the corner! If you have attended in the past, you already know that we throw everything we have into making this the most action-packed Digital Forensics and Incident Response (DFIR) event of the year. If you have not yet attended, this is the year to change that. Here are six reasons (plus a bonus) to attend.


Design it. DFIR it. Win it. Wear it!

Design it. DFIR it. Win it. Wear it! Are you excited about going to the DFIR Summit this July? Of course you are! We have worked hard to bring you an amazing agenda, networking opportunities and a bunch of other fun activities at the event. If you have attended before, you know how much fun …


Finding Registry Malware Persistence with RECmd

If you have been keeping your forensic toolkit up to date, you have undoubtedly used Registry Explorer, a game-changing tool for performing Windows registry analysis. RECmd is the command line component of Registry Explorer and opens up a remarkable capability to script and automate registry data collection. My interest in this tool was recently …


A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments

In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra. The first one is simple conversion. In this case, hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss …