SANS Digital Forensics and Incident Response Blog

Cloud Storage Acquisition from Endpoint Devices

Over the past several years, multiple tools have been released to enable API-based collection of cloud storage data. While this is an important capability, it has the often fatal liability that API-based collections require valid user credentials (and multi-factor authentication). An often overlooked area of cloud forensics is data and metadata stored on the local …


The State of Malware Analysis: Advice from the Trenches

What malware analysis approaches work well? Which don't? How are the tools and methodologies evolving? The following discussion, captured as an MP3 audio file, offers friendly advice from 5 malware analysts. These are some of the practitioners who teach the reverse-engineering malware course (FOR610) at SANS Institute: Jim Clausing: Security Architect at AT&T and Internet Storm Center Handler (Panelist) Evan Dygert: Senior …


Mass Triage Part 5: Processing Returned Files - Amcache


Mass Triage Part 4: Processing Returned Files - AppCache/Shimcache


Parsing Sysmon Events for IR Indicators