SANS Digital Forensics and Incident Response Blog: Author - Gregory Pendergast

Review: Mandiant's Incident Response Conference (MIRCon) Day 1

I have the good fortune this week of being able to attend Mandiant's Incident Response Conference (MIRcon) in Alexandria, Virginia, and so far it's a very good time. For those who couldn't attend, or who may have chosen instead to attend that other conference that's going on right now, I thought I'd blog a few impressions and takeaways, both to solidify the day in my own mind and to provide some food (and flavor) for thought. This won't be a comprehensive, presentation-by-presentation summary, but rather an overview focused on what I consider to be some of the highlights. And if you weren't at MIRcon today, the single most important highlight you missed was Richard Bejtlich simultaneously coining a new phrase and inventing a new psychological diagnosis: "

Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response

Our focus this week, albeit loosely, is on Incident Response. There has been much news of late regarding the Stuxnet malware, and a couple of the more interesting perspectives are linked in the "Good Reads" section below. As forensicators and incident responders, the advent of such "weapons-grade" malware raises the stakes significantly, and we have to step up our game to match. Memory forensics becomes far more crucial when dealing with advanced threats, and Mandiant offers some help in this area with an update to their Memoryze tool. But our ability to learn from the incidents we investigate and share that information also becomes vastly more important. To help us in this area, Verizon has provided their VERIS Framework, which is a tool for gathering metrics from incident investigations so that we can begin to share and learn from the breaches that inevitably occur. The VERIS Framework isn't all that new, but deserves more attention. So read on for these and other interesting


Digital Forensics Case Leads: Reverse Engineer Malware, Analyze Timelines and Report Findings

This week, we have a wealth of information about REMnux, Lenny Zeltser's Linux distribution for analyzing malware, Kristinn Gudjonsson's paper on Super Timeline Analysis, and some interesting report-writing posts that I wanted to recall attention to. There's a lot of interesting reading ahead, so without further ado...

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Reverse Engineering Malware:

Since he released his REMnux distribution for analyzing malware, our friend Lenny Zeltser has gotten quite a bit of attention for his distribution and for his SANS class, Reverse Engineering Malware.


Getting Started in Digital Forensics: Do You Have What It Takes?

Those of you who have been following our weekly Case Leads articles may have noticed that we've made several mentions of the new issue (#4) of Digital Forensics Magazine. SANS has developed a relationship with the good people over at DFM that we hope will prove beneficial to the Forensics and Incident Response community, and we're trying to highlight some of the interesting elements that have arisen from that relationship.

As of Issue 4, our own forensicator-in-chief, Rob Lee, has become a Contributing Author for Digital Forensics Magazine. I have been in contact with the publisher, Tony Campbell, who has generously given us permission to re-print Rob's first article here. So, in a fairly egregious form of hijacking, I am also using Rob's article as a launch pad for a series of posts I've begun writing under the series name "Getting Started in Digital Forensics." Thanks to both Rob and


Digital Forensics Case Leads: Ann's Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I've gotten that out...

On behalf of all of the contributors to the SANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyone who voted for us as Best Digital Forensics Blog in this year's Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we've received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please