SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Critiques of the DHS/FBI's GRIZZLY STEPPE Report

Author credit: FOR578 Threat Intelligence course Robert M. Lee Source: Blog originally posted 12/30/2016 Attend the Webcast:"Analyzing the DHS/FBI's GRIZZLY STEPPE Report" Jan 6 2017 at 1 pm ET On December 29th, 2016 the White House released a statement from the President of the United States (POTUS) that formally accused Russia of interfering with the … Continue reading Critiques of the DHS/FBI's GRIZZLY STEPPE Report


DFIR Summit 2017 - CALL FOR PRESENTATIONS

Call for Presentations Now Open! Submit your proposal here: http://dfir.to/DFIR-CFP-2017 Deadline: January 16th at 5pm CT The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we'd be … Continue reading DFIR Summit 2017 - CALL FOR PRESENTATIONS


Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

FRAC is a GPLv2 project that can run remote commands across a Windows enterprise network. It consists of a Perl script, basic configuration files, and an SMB share. It uses PAExec or Winexe to connect to the remote machines, and then runs the commands required. It doesn't require a powerful system to run from, but does require lots of disk space if it has been configured to collect files. FRAC can run on the Linux, *NIX, and OSX using Winexe to connect to the remote Windows machines. Continue reading Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2


Malware Can Hide, But It Must Run

Article originally posted in forensicfocus.com Author: Alissa Torres It's October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price. Investigators who do not … Continue reading Malware Can Hide, But It Must Run


Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

In the course of an incident incident responders will have to retrieve files from a machine in a forensically sound manner. RIFT copies files from a subject machine in a forensically sound manner using the Sleuthkit toolset. By simply running RIFT with a regex list of file names or directories, specific files and folders are targeted for extraction. For each match, icat is then used to copy the file or folder to a drive/share other than the C drive. Continue reading Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1