SANS Digital Forensics and Incident Response Blog: Author - Chad Tilbury

Finding Registry Malware Persistence with RECmd

If you have been keeping your forensic toolkit up to date, you have undoubtedly used Registry Explorer, a game-changing tool for performing Windows registry analysis. RECmd is the command line component of Registry Explorer and opens up a remarkable capability to script and automate registry data collection. My interest in this tool was recently … Continue reading Finding Registry Malware Persistence with RECmd


Offline Autoruns Revisited - Auditing Malware Persistence

I was digging through the archives recently and stumbled upon my old post, Autoruns and Dead Computer Forensics. Autoruns is an indispensable tool from Sysinternals that extracts data from hundreds of potential auto-start extensibility points (ASEPs), a fancy Microsoft term for locations that can grant persistence to malicious code. We leverage live Autoruns collection in … Continue reading Offline Autoruns Revisited - Auditing Malware Persistence


Investigating WMI Attacks

WMI as an attack vector is not new. It has been used to aid attacks within Microsoft networks since its invention. However, it has been increasingly weaponized in recent years, largely due to its small forensic footprint. In a world of greater enterprise visibility and advanced endpoint protection, blending in using native tools is … Continue reading Investigating WMI Attacks


Updated Memory Forensics Cheat Sheet

Just in time for the holidays, we have a new update to the Memory Forensics Cheatsheet! Plugins for the Volatility memory analysis project are organized into relevant analysis steps, helping the analyst walk through a typical memory investigation. We added new plugins like hollowfind and dumpregistry, updated plugin syntax, and now include help for those … Continue reading Updated Memory Forensics Cheat Sheet


Device Profiling With Windows Prefetch

It wasn't that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools toeasily parse and provide it … Continue reading Device Profiling With Windows Prefetch