SANS Digital Forensics and Incident Response Blog: Author - Adam Kramer

Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis

System snapshots are a core component when conducting forensic analysis on a live machine. They provide critical insight intowhat was going on at the time they were taken, but this is also their limitation: your view is limited to a precise moment in time, without context and the opportunity to observe changes as they … Continue reading Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis


Rapid Provisioning of a Malware Analysis Environment

The preparation of a malware analysis environment can often be a lengthy and repetitive process. I am not referring to setting up a virtual machine which contains all of your tools, but rather recognising that each sample you analyse may have very specific environmental requirements before it is willing to execute fully. For example, it … Continue reading Rapid Provisioning of a Malware Analysis Environment


Hindering Exploitation by Analysing Process Launches

Malware can do some nasty things to your system, but it needs to get on there first. Thankfully, users have become more suspicious of files named FunnyJokes.doc.exe and so malware authors have had to become more innovative, using a mix of social engineering and the constant stream of 0-day browser exploits to land evil code … Continue reading Hindering Exploitation by Analysing Process Launches


Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … Continue reading Detecting Shellcode Hidden in Malicious Files


Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)

In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it … Continue reading Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)