SANS Digital Forensics and Incident Response Blog: Author - Rob Lee

M-Trends: The Advanced Persistent Threat


M-Trends Quote: "Most APT malware is not packed, because packing is relatively easily detected. APT attackers that use packed malware are usually more advanced in their skills." - APT Malware Trends and Statistics Section


M-Trends Quote: "Most organizations struggle to detect real incidents. Organizations that rely solely on automated security appliances are ripe targets for an APT intrusion." - APT Victim Recommendations



Windows 7 Computer Forensics

Windows 7 was released this past week, and the SANS community has already done a lot of work uncovering the digital forensic artifacts it leaves behind. First off, Windows 7 is really Windows Vista release 2: many of the features found in Windows Vista are also found in Windows 7.

All the SANS Digital Forensic courses already include up-to-date material fully covering Windows 7 and Vista, unlike anyone has done before. In fact, our challenge for SEC408, Computer Forensic Essentials, is based entirely on a Windows Vista case. We have details in

Why Digital Forensic Certifications Are Needed

This post is intended to generate discussion about the professional development of digital forensic professionals, prompted by a discussion as to whether certifications are evil.

Why certify at all?

Certifications are not intended to ensure that someone is awesome at their job, but that they meet the minimum qualifications for someone in the field. Much like basic training teaches you the basics to fight in combat, it hardly makes you an Army Ranger.

For the sake of the profession, something similar to the bar or medical exams has to ensure that a basic set of knowledge exists in an entry-level individual. CPAs, doctors, and lawyers all need to pass a test. The best professionals in those fields are the ones with the most experience; however, in order to even begin the first day in those professions, they have to prove that they at least know enough not to make a


USB Device Parsing Logparser Scripts

By Guest Blogger Dave Kleiman:

Recently I had a need to check a network consisting of a few hundred systems in order to identify systems that had certain USB devices attached. There was not a need to check for "deleted" registry keys or unallocated space in the registry database. I needed to collect the standard USB keys, and compare them to a list of "Friendly Names" and "Serial Numbers" provided to me.

Standard keys I collected:


Additionally, I wanted to collect the time stamps for each respective registry entry. The challenge was to do this quickly without having to traverse a building to each office and collect them directly with a standard forensic tool.

My solution: Log Parser. That is right
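The post above describes pulling the standard USB device keys and their last-write times from a few hundred machines and comparing them against a supplied list of friendly names and serial numbers. The following is an added example, not Dave Kleiman's Log Parser script: it parses a registry export of the USBSTOR branch (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR), splits each device instance into vendor, product, revision and serial, flags instance IDs that Windows generated itself (a device that reports no serial gets an ID whose second character is "&"), and matches the result against the target list. The sample export rows are constructed, and the column names (Path, ValueName, ValueType, Value, LastWriteTime) are an assumption about the export layout; rename them to match your own export.

```python
"""Parse a USBSTOR registry export and match devices against a target list.
Added example; the sample data is constructed and the column layout is assumed."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample export (not real data). Column names are an assumption
# about the export layout: adjust them to whatever your collection tool emits.
SAMPLE_EXPORT = r"""Path,ValueName,ValueType,Value,LastWriteTime
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0,FriendlyName,REG_SZ,SanDisk Cruzer USB Device,2009-10-20 14:03:11
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\6&2a1f3c9b&0,FriendlyName,REG_SZ,Kingston DataTraveler USB Device,2009-10-21 09:15:42
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1007\575836314234303132333435&0,FriendlyName,REG_SZ,WD My Passport USB Device,2009-10-22 17:48:05
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1007\575836314234303132333435&0,Service,REG_SZ,disk,2009-10-22 17:48:05
"""

# Device key names under USBSTOR look like Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
DEVICE_ID_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$")


@dataclass
class UsbStorEntry:
    device_class: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]        # None when Windows generated the instance ID
    windows_generated: bool
    friendly_name: Optional[str]
    last_write: datetime          # latest LastWriteTime seen for the instance key


def split_instance_id(instance_id: str):
    """Return (serial, windows_generated) for a USBSTOR instance key name.
    A '&' as the second character means the device reported no unique serial
    and Windows synthesised the ID, so it cannot be matched to a serial list."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None, True
    return instance_id.rsplit("&", 1)[0], False   # drop the trailing '&0' suffix


def parse_usbstor_export(text: str) -> List[UsbStorEntry]:
    """Group export rows by device instance and build one entry per instance."""
    entries: Dict[str, UsbStorEntry] = {}
    for row in csv.DictReader(io.StringIO(text)):
        parts = row["Path"].split("\\")
        if "USBSTOR" not in parts:
            continue
        i = parts.index("USBSTOR")
        if len(parts) < i + 3:
            continue                         # USBSTOR itself or a device key with no instance
        device_id, instance_id = parts[i + 1], parts[i + 2]
        m = DEVICE_ID_RE.match(device_id)
        if not m:
            continue
        ts = datetime.strptime(row["LastWriteTime"], "%Y-%m-%d %H:%M:%S")
        key = device_id + "\\" + instance_id
        entry = entries.get(key)
        if entry is None:
            serial, generated = split_instance_id(instance_id)
            entry = UsbStorEntry(m["cls"], m["ven"], m["prod"], m["rev"],
                                 instance_id, serial, generated, None, ts)
            entries[key] = entry
        entry.last_write = max(entry.last_write, ts)
        if row["ValueName"] == "FriendlyName":
            entry.friendly_name = row["Value"]
    return list(entries.values())


def match_targets(entries: Iterable[UsbStorEntry], serials: Iterable[str],
                  friendly_names: Iterable[str]) -> List[UsbStorEntry]:
    """Return entries whose serial or friendly name appears in the target lists
    (case-insensitive). Windows-generated IDs never match a serial."""
    wanted_serials = {s.upper() for s in serials}
    wanted_names = {n.lower() for n in friendly_names}
    hits = []
    for e in entries:
        if e.serial and e.serial.upper() in wanted_serials:
            hits.append(e)
        elif e.friendly_name and e.friendly_name.lower() in wanted_names:
            hits.append(e)
    return hits


if __name__ == "__main__":
    found = parse_usbstor_export(SAMPLE_EXPORT)
    for hit in match_targets(found, ["575836314234303132333435"], ["SanDisk Cruzer USB Device"]):
        print(f"{hit.last_write} {hit.vendor} {hit.product} serial={hit.serial} "
              f"generated={hit.windows_generated} name={hit.friendly_name!r}")
```

Feed it one export per host and keep the hostname alongside each hit; the last-write time on the instance key is the timestamp the post sets out to collect, and a device with a Windows-generated ID should be reported separately, since it will never match a serial number from the supplied list.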

USB Key Analysis vs. USB Drive Enclosure Analysis

Computer Forensic Guide To Profiling USB Drive Enclosures on Win7, Vista, and XP

There has been much talk about USB device forensic analysis. Many assume that analyzing a USB key will be the same as analyzing a USB drive enclosure (i.e. USB key analysis = USB drive enclosure analysis). This is inaccurate.

USB Drive Enclosure


USB Key/Thumbdrive