SANS Digital Forensics and Incident Response Blog: Category - artifact analysis

Volume Shadow Copies and LogParser

Volume Shadow Copies (VSCs) can contain a treasure trove of information - so much information that if not treated correctly, they can become too cumbersome for many investigators. (Note: if you are unfamiliar with VSCs, Rob Lee has a great write-up about the subject.) One way to make the examination of VSCs a little less … Continue reading Volume Shadow Copies and LogParser


Malicious Code Analysis: Michael Murr Explains How and Why

Michael Murr authored the malicious code analysis section of SANS' FOR610: Reverse-Engineering Malware course. In his brief interview, he shares his perspective on the role that code analysis plays in the reverse-engineering process, and how one might get better at this aspect of malware forensics. Continue reading Malicious Code Analysis: Michael Murr Explains How and Why


How to Extract Flash Objects from Malicious PDF Files

Authors of malicious PDF documents have often relied on JavaScript embedded in the PDF file to produce more reliable Adobe Reader exploits. The attackers now also embed Flash programs, which incorporate ActionScript, in a similar manner. This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts. We will take a brief look at using pdf-parser, PDF Stream Dumper and SWFDump for this purpose. Continue reading How to Extract Flash Objects from Malicious PDF Files


Data reduction redux and map-reduce

A few days ago I wrote a post about applying the principle of least frequent occurrence to string searches in forensics. This post will discuss how long that process may take and at the end, will show some significant ways to speed up the process. In the previous post I used the following compound command … Continue reading Data reduction redux and map-reduce


Michigan TrackerGate: ACLU Speaks

The row continutes between the Michigan ACLU and the Michigan law enforcement. The Michigan ACLU leveled the charge earlier this week that Michigan law enforement was asking for hundreds of thousands of dollars for records related to the possible forensic imaging of mobile devices using the well-known Cellebrite UFED. Michigan law enforcement has responded. In … Continue reading Michigan TrackerGate: ACLU Speaks